Special report: Cyber security
The Chancellor is warning of cyber terrorism. US healthcare organisations are under siege from hackers. Should the NHS be alarmed? Will the new careCERT help? And what should IT directors be doing? Daloni Carlisle reports.
Last month, Chancellor George Osborne announced that the UK is to double its spending on cyber security to £1.9 billion by 2020 in a bid both to protect national infrastructure from hostile forces and, as he put it, to take the fight to those who would harm us.
Islamic State was already using the internet for propaganda, to radicalise people and for planning purposes, he told an audience at the GCHQ eavesdropping agency.
"They have not been able to use it to kill people yet by attacking our infrastructure through cyber attack," he said. "They do not yet have that capability. But we know they want it and are doing their best to build it.”
GCHQ was currently monitoring cyber threats against 450 companies in aerospace, finance defense, energy and telecoms sectors, while the number of cyber national security incidents had doubled to 200 a month since last year, he said.
Some of these have been high profile – Sony and TalkTalk for example – but many never come to public attention. While UK hospitals have not publically suffered a cyber attack, we do know that hospitals are not immune.
Hospitals become targets in the US
In August last year, one of the biggest US hospital chains, Community Healthcare Inc, suffered a cyber attack. Investigators said it was the work of a group known as APT 18 that may have links to the Chinese government.
The data stolen included more than 4.5 million patients’ names, dates of birth, addresses, telephone numbers and social security numbers - but no credit card details or medical information.
It was the largest attack of its kind since tracking began in 2009 - and just one of a spate of similar attacks on US healthcare providers.
Could such a thing happen in the NHS? Yes, says Richard Boulton of IT security company Check Point. He has recently been appointed NHS account manager, reflecting the higher priority that NHS organisations now put on cyber security.
“We talk about cyber threat all the time and it is a real threat,” he says, adding that he looks across the spectrum from cyber attack as a business to cyber attack as a form of terrorism.
“There are people out there – not just geeks at home – who are trying to make money. It is a business – and a big business. The threat is not about them wanting you to know that they are inside your network but doing it quietly while they get information out.”
Is the NHS worth hacking?
There is an idea that UK healthcare organisations have less to worry about than US healthcare organisations, because the NHS ethos of being ‘free at the point of use’ means it holds less data that would be attractive to hackers.
However, while the NHS does not hold bank account or credit card details, it does hold valuable data such as names, dates of birth and addresses - as well as sensitive health data.
“To be very blunt, the value of NHS data is in selling it for marketing purposes,” says Boulton. “The other threat is the one George Osborne is talking about –the terror threat of taking down a hospital by attacking the infrastructure and putting lives at risk.”
Even so, the perception of the gravity of this threat varies. When Digital Health Intelligence’s first NHS IT Leadership Survey asked chief information officers and chief clinical information officers for their views, the response was mixed.
Views were polarised, dividing between the 40% who saw it as a growing and significant risk, 25% who felt the risks were understated, and 25% who believed the risks were over-stated.
“It’s something we need to be vigilant about,” wrote a clinical lead for IT at an acute foundation trust. “There are two main threats, firstly that confidentiality is compromised but even more significant is the risk that systems could be brought down and as our dependency on them increases, so the clinical risk increases.”
The head of health informatics at a mental health foundation trust added: “Thus far no one has seriously tried to attack health sites and this has lead to a degree of complacency. Not all trusts understand their own vulnerabilities.”
Secure the perimeter!
At the coalface of NHS IT, Boulton says IT directors perceive their threat to come from malware. Their concern is to secure the perimeter.
In a world where bring your own device, choose your own device, patient access to the internet, consultation by Skype and mobile working are becoming more common by the day, that perimeter is getting harder to police.
“One of the things we can do is set up a security port that mirrors traffic going into the hospital and we do see some very interesting things happening,” he says.
“We can see where people are downloading movies on the night shift – and where they are downloading them from. We can see malware coming in. We then provide a report and help the IT department understand what it going on.”
Andrew Grant, who works for Westcon Security, says there is also a clear education piece for NHS organisations. “I am not sure that NHS organisations really understand the risks of BYOD. When we talked to CCIOs at EHI Live this year, they were asking about how they can effectively educate their staff around security.”
Get the board on board
Courtney Green is managing director of NETconnection, which supplies IT security services to the NHS. “Up until recently, hospitals had not thought of themselves as a target for terrorists in the wider sense,” he says.
“Following recent events, everybody is focusing on that. Now, after George Osborne’s speech, we are seeing a change in terms of getting people to look at their own environments.”
He agrees with Boulton that viruses and malware are the main perceived threats and that BYOD is increasing that threat. “It is one of the biggest challenges – that and understanding who is connecting to the network and having the ability to monitor and audit.”
Cyber security is, ultimately, a board level responsibility. “Trusts must do due diligence and this is up to the chief executive,” says Green.
A CERTain promise of help
Then there is the system response. As Osborne’s speech made clear, cyber security requires a response not just from single organisations but from the system as a whole. Part of the promised £1.9 billion is shore up this central capability.
This was well understood by respondents to the DHI survey, several of whom said there was a need for HSCIC to provide more guidance and support to help local NHS organisations more effectively manage cyber security risks.
The informatics director at an acute foundation trust wrote: “We need to continue to invest in protecting ourselves. HSCIC should provide practical, hands-on assistance, support and materials to help trusts meet cyber threats.”
Right now, HSCIC is working on CareCERT – the Care Computing Emergency Response Team - which has funding from the Cabinet Office National Cyber Security programme.
The new CERT was announced in September and must be up and running by January. Its stated aim is to “enhance cyber resilience across the health and social care system” by looking for emerging threats and then advising healthcare organisations on what to do about them.
It will also provide “incident response expertise” for when bad things do happen; while training up ‘cyber champions’ to take forward its work at a local level.
Eventually, the idea is for careCERT to issue alerts on a monthly, weekly, and even daily basis. So whether you think the risks are overstated, understated or about right, cyber security is going to stay high on the agenda for some time to come; and so is acting on it.