Cyber security is an ever-increasing issue for the healthcare sector, with the NHS’ huge landscape and lack of digital maturity key reasons for the many attacks that occur on the system.
Digital Health News spoke exclusively to Deryck Mitchelson, chief information security officer (CISO) at Check Point Software Technologies Ltd and former director of national digital and CISO at NHS Scotland, and Chris Scarisbrick, sales director and deputy managing director at Sectra, about the cyber threats and challenges for the NHS, national policy, and the role their companies are playing in boosting cyber resilience.
Mike Fell, executive director of national cyber operations at NHS England, also exclusively answered some key questions put to him by Digital Health News.
The NHS’ cyber threats and challenges
The NHS is facing more cyber threats and challenges than ever before, with many within the field, including Mitchelson, describing the present situation as a “crisis in healthcare”.
In a recent presentation at CPX London, an annual cyber security conference hosted by Check Point Software, Mitchelson revealed that in May 2023 there were 1383 cyber attacks in healthcare per week, compared with 797 weekly in May 2022.
Speaking to Digital Health News afterwards, he put the NHS’ cyber problems down to its huge landscape and lack of digital maturity.
“They’ve [the NHS] got systems and data everywhere, that’s the biggest challenge. The landscape is huge; I don’t think the problem is necessarily they’ve got IoT problems, the problem is the entire state,” Mitchelson said.
“They’re coming from a point where they’re not digitally mature. So initially, they’ve done digitisation, so there’s less on paper than there were before, but they do not have automated processes all the way through.”
He also blamed the “waste and efficiency within the NHS” and the fact that “complexity is what kills” the healthcare system.
Scarisbrick shared the view that the NHS is not currently well placed to deal with cyber attacks and should reduce its landscape so that data is stored in fewer places.
He said: “We are woefully equipped for a variety of reasons to cope with cyber threats that exist today… the healthcare industry is more than twice as likely to receive a cyber attack than any other industry.”
“There was once a perceived vision that putting all your eggs into one basket, one central location is a bigger threat than keeping data siloed in federated archives and so on.
“What we’re seeing is if you do reduce the number of places where your data sits and the amount of infrastructure that exists, then that’s less vectors that are available for attack and there’s fewer places where malicious code can find its way into the system,” he explained.
Fell highlighted that “the most significant cyber threat the sector faces is ransomware” which is “used in profit-seeking attacks, often staged by organised criminal groups”.
He added: “NHS organisations can help protect systems by managing critical IT vulnerabilities and implementing multi-factor authentication, which helps to reduce the likelihood of success from cyber threats.
“NHS staff can also take simple steps to improve online security, such as setting strong passwords, keeping devices locked when they’re not in use, and being aware of phishing and email scams.”
Slow development of national policy
Clear national policy from the UK government around cyber defence in health and care has been in short supply over the last few years, until this year when the Cyber Security Strategy for Health and Adult Social Care was published by the Department of Health and Social Care in March.
The strategy sets out how to achieve cyber resilience across the sector by 2030 and is being viewed by many as a catalyst for change in NHS security, particularly following both the WannaCry and Advanced cyber attacks on the NHS.
However, for Mitchelson, although he is happy that cyber security is now a national issue, he wants to see action rather than just talk.
“I see a lot of talking, but what I still want to see, for these things to be achievable, are tactile deliverable plans, implementation plans that show how we get from where we are now to actually starting to deliver these services in 2030.
“Until you see the detail, I would always be slightly pessimistic. I think things have stepped forward to say we want to do things nationally, we want to do things once rather than dozens of times, but I’m not sure where the detail is in order to do that,” Mitchelson said.
He also expressed his disappointment that the recent government strategy is for England and not the whole of the UK.
Achieving cyber resilience
With the World Economic Forum warning that “we should prepare for a Covid-like cyber pandemic”, no one can confidently predict a point at which the NHS will see complete cyber security. But as the NHS implements more technology, it will inevitably open up more opportunities for cyber criminals.
Scarisbrick has confidence that our health system will be more secure because we are learning from previous attacks and mistakes and cyber is now a clear national issue.
He said: “I think we’ll be more secure. WannaCry has helped with that, it was a big shot in the arm and now IT departments within hospitals are much more diligent about making sure that security patches and so on are rolled out.
“I don’t think the health service is anywhere near as naive as it once was when it comes to just how devastating these attacks can be and we’re much more intelligent these days about what’s going on.”
Mitchelson was also hopeful but more cautious on the ability to make the NHS secure before it is fully digitalised. He added: “The NHS is not a modern digital organisation; we might need to change the way that we do it [cyber security] and everyone might not be happy.”
Fell stressed the need for health and care organisations to be prepared for cyber threats and ready to react when an attack happens, in order to be as resilient as possible.
“Cyber threats are always present and constantly evolving, so digital health and care organisations must remain prepared and ready to respond.
“Cyber must always be managed as a risk and a unified and collaborative approach is key to improving cyber security across the health and social care sector,” he said.
“Our vision for the health and social care sector is for it to be resilient to cyber attacks, minimising the impact on patients and making them safer and better cared for.”
Playing their part
Both Check Point Software and Sectra play key roles in cyber security within the NHS and healthcare sector. Scarisbrick points out that many will not know that Sectra’s name stands for Secure Transmission and that it was a cyber security company before it was a medical company.
“We actively work now at bringing employees from the cyber division into the healthcare division and from the healthcare division into the cyber division and that has the effect of upskilling our resources, particularly in the health sector from the cyber sector,” he said.
Check Point, a leader in cyber security solutions, provides many of the critical services across the NHS, with Mitchelson describing the company as “heavy players within the market” but also “heavy players worldwide”.
The company has a deep understanding of healthcare data, the movement of data and what it looks like, he said.
“We’re very much an intelligent partner to the healthcare sector and I can see that only growing.”
NHS England as an organisation has a significant role to play in ensuring all health and care organisations are as equipped as possible to defend against and react to cyber attacks.
The Cyber Security Operations Centre was set up to help achieve this, as well as various NHS-wide deals for cutting-edge security technologies.
Fell said: “As we build the health and social care system of the future, we have the opportunity to redesign existing structures and technologies with security at their core. This means engaging early with emerging technology and setting standards for how it is built and implemented.
“Finally, we must ensure that every organisation across the system is equipped to minimise both the impact of a cyber incident and the time it takes to recover from it. This means making sure the NHS’s most critical services can still continue at a pre-agreed, acceptable level in the event of a cyber attack.”