- Security TWENTY Home
- Women in Security Awards
NHS institutions will still be using unsupported IT systems for months, despite the high profile ransomware attacks that shut parts of the National Health Service, the Government has admitted.
In its response to two data reviews that have run in the last couple of years, the Government’s response says that they will support the NHS locally to ‘ensure they are identifying and moving away from, or actively managing, any unsupported systems by April 2018’. According to that document, guidance on removing unsupported software will be issued this month.
The document admitted that recent incidents such as WannaCry, ‘which affected many other countries’ services as well as our own health and care system, have shown that the NHS can protect essential services in the face of a cyberattack, but they have also underlined the need for organisations to implement essential, strong data security standards’.
The NHS standard contract was changed in April so that NHS bodies are formally required to adopt data security standards as recommended by the independent National Data Guardian for Health and Care, Dame Fiona Caldicott (a post which dates from November 2014). That’s including security training for staff; annual reviews of processes; and contingency plans to respond to threats to data security.
This follows the WannaCry malware attack in mid-May that brought chaos to NHS institutions whose IT systems froze or were turned off in case of cyber-attack (including the NHS’ own central counter-fraud and physical security management arm). On that score, the Government says that work is under way to find the fastest and most cost effective way to support the NHS to move from unsupported operating systems, including Microsoft’s Windows XP, that was the weakness exploited by WannaCry, in the UK and elsewhere.
Health Minister Lord O’Shaughnessy said: “The NHS has a long history of safeguarding confidential data, but with the growing threat of cyber-attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS. Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”
The Government was responding to the National Data Guardian for Health and Care’s Review of Data Security, Consent and Opt-Outs, consulted on between July and September 2016. Separately the health and social care regulator the Care Quality Commission (CQC) has carried out a review of NHS protection of personal data. The CQC found among other shortcomings that while staff wanted to protect data, and data security policies and procedures were in place at many places, that was not the same as what happened in practice; quality of staff training on data security was ‘very varied’; when something went wrong, lessons weren’t learned; and on that score, there was no culture of learning – for example benchmarking with others was ‘all but absent’. For the 32-page CQC Safe Data, Safe Care report click here.
For the Government’s 84-page response to the two reviews, and what it proposes click here. Among the proposals are training for staff, and a ‘communications campaign’ targeted at ‘leaders’ for taking ownership of cyber risks. A ‘redesigned Information Governance Toolkit’ is promised for April 2018, being tested in alpha and beta versions this year; it’ll cover such cyber-security bugbears as ‘dormant accounts, default passwords and multiple log-ins from the same account’.
Caldicott’s ten data security standards in brief
n Confidential data handled, stored and transmitted securely, electronic or paper.
n Staff understand their responsibilities.
n Annual training.
n Data only accessible to staff who need it.
n Processes reviewed at least annually.
n Cyber-attacks identified and resisted and data breaches reported.
n A continuity plan to respond to data breaches.
n No unsupported operating systems, software or browsers.
n A strategy based on a framework such as Cyber Essentials.
n Suppliers accountable via contracts.
According to the Government’s response to the reviews (page 25), it will ‘publish a pledge to the public to uphold the principles of the NDG review regarding how their data will and will not be used’.
Source, page nine of the UK Government consultation on the Caldicott review.
David Emm, principal security researcher at the IT ssecurity product firm Kaspersky Lab said: “Since health data is attractive to criminals, it is no surprise that NHS organisations have experienced a series of highly publicised data breaches, the most notable and damaging being the recent WannaCry attack. Hospital technology is evolving quickly. Laptops and mobile devices are proliferating both inside and outside the hospital—as are interconnected medical devices that, increasingly, operate on common IT platforms and are susceptible to the same security risks as traditional IT devices. This rapid pace of a change means that hospitals are under pressure to maintain numerous isolated IT assets.
“With the aid of this increased funding for the NHS, healthcare providers must work closely with their IT security teams to implement sophisticated, high-quality protection that will allow them to manage and protect customer data. Not just for the sake of ‘tick-box’ compliance, or to avoid hefty fines and embarrassing, often irreparable reputational damage, but to enable them and their patients to reap the many rewards of advanced digital healthcare, confident in the knowledge that data, devices and networks are secure.”
Paul Farrington, Manager, EMEA Solution Architects at Veracode, said: “This investment by the government demonstrates just how crucial cybersecurity measures are to all industries, not just the healthcare industry. Our dependence on software means attacks like these, whether from cybercriminals looking to make money, or from those motivated by some political purpose, will only grow more frequent. We live in a time where our economy is tied to software, meaning a digital attack on an organisation like a hospital can have implications in the physical world. Even if these attacks were carried out with the sole objective of getting some companies to pay the ransom, the recent attacks demonstrate the deficiency in the way we produce software and hardware, not just to us, but to the real bad guys as well.
“But ultimately, while this investment is clearly a big step in the right direction, to truly combat the cyber threats to the NHS, the organisation needs a sense of purpose and leadership in this area. The money should not just be invested in helping promote and educate staff on better cyber hygiene.
“Doctors and nurses are already working tirelessly every day to care for patients – and it’s certainly understandable that great cyber hygiene to date hasn’t been top of their priorities. But as we see more instances whereby hospitals and health centres can’t operate because of cyberattacks, with clear leadership and education around the benefits of good cyber hygiene, it will soon become synonymous to the overall safety of patients washing hands. And because, in an industry where the stakes are literally life and death, we must prioritise prevention over detection.”
And Dr Malcolm Murphy, Technology Director for Western Europe at Infoblox, said: “In the wake of WannaCry and Petya it is clear that the NHS are facing a serious cybersecurity threat – with connected devices increasing and legacy operating systems often operating unpatched in medical equipment. However hospitals now face the challenge of ensuring that they spend this money in the right places- cybercriminals are increasingly targeting every vulnerability that they can and they should now be operating under the assumption that it’s a case of ‘when’ the next cyberattack will happen, not ‘if’.
“While the NHS should definitely prioritise updating their operating systems, to protect against another attack like WannaCry and Petya that exploits vulnerabilities in unpatched systems, the NHS also needs to ensure they spot a potential attack as fast as possible. Hospitals need to be investing in network monitoring measures, ensuring they are continually monitoring all possible endpoints for malicious activity in order to stay on top of the ever present threat of attack.”