NHS at 70: Growing Old & Growing Threats

Celebrations have been taking place across the UK to mark a massive milestone in the history of the country’s healthcare system – the National Health Service (NHS) has turned 70. However, rather than sitting back with a cup of tea and taking up gardening, the organization needs to get more agile as it gets older.

The institution was shaken to the core by last year’s WannaCry ransomware attack, and is increasingly a target for cyber-criminals looking to make an impact.

So what technology challenges does the NHS face in the coming years?

Threats Gone By

The core principles of the NHS – to meet the needs of everyone, be free at the point of delivery, and be based on clinical need, not ability to pay – may not have changed over the years, but the threats it faces to the security of its information have.

Tim Sewart, a lawyer specializing in technology for Memery Crystal, explains how past threats focused on hitting systems rather than personal data.

“Threats in the past were really all about disabling systems, and those threats were limited because historic healthcare service provision was not wholly dependent on data,” he says.

Steve Roberts, CEO of cybersecurity and surveillance consultancy Online Spy Shop, adds that access to those NHS systems was also easy for cyber-criminals.

“In 2011, an informal group of hacker-activists warned the NHS that they’d found a way into a NHS network and even posted admin and user details to prove it,” he says. “The NHS played it down, but this was embarrassing, even for 2011.”

The NHS Digital team is a key part of dealing with the threats the service faces, responsible for information, data and IT systems across the NHS.

Chris Flynn, head of operations at NHS Digital’s Cyber Security Centre, admits his field had never been a topic at board level until as recently as 18 months ago, but things are changing.

“The idea that the IT department will sort it all out is diminishing and organizations understand that solutions start from the top,” he adds. “The risks we face are commensurate to any other industry, and it’s often the methods of exploiting those risks that change on a more regular basis.”

“Threats in the past were really all about disabling systems, and those threats were limited because historic healthcare service provision was not wholly dependent on data”

Unique Challenges

Of course, all large organizations on both sides of the Atlantic face threats on the cybersecurity front, but the NHS – and all healthcare organizations – face some unique challenges in comparison.

“Patient care will always be at the forefront of healthcare providers’ priorities,” says Flynn. “That’s why every one of us comes in to work; to help deliver the best patient outcomes we are able to.”

The service itself is a matter of life and death, and this means healthcare organizations should think of security, not just in terms of technical risk, but as a business risk too, says Lynne Dunbrack, research vice-president at IDC Health Insights.

“What happens to patient care and other services in the event of a systems outage as a result of a cyber-attack?” she adds.

“What happens if access to mission critical applications, such as EHRs or CPOE, is disrupted? “What about the damage to the healthcare organization’s reputation if there is a privacy and security breach?”

Sewart says medical data is regarded as especially sensitive, both by the law and the population. “This means the rules around data sharing are restrictive,” he adds, but advances in healthcare are often driven by sharing that data. “The tension between data privacy rights (and expectations) and advances driven by data-sharing are more pronounced in healthcare than in any other sector.”

Roberts agrees that there is a specific challenge in finding the balance between exploiting data for health outcomes and securing it to stop it getting into the hands of cyber-criminals. “Digitization of healthcare data, and the real-time sharing of that data between devices – for example between a lab and a consultant on a ward – is extremely valuable from a clinical point of view. However, the same data is also extremely attractive to criminals.

“The temptation could be to over-protect patient data to win the war against cyber-criminals, at the cost of using that same patient data to save lives, cure disease and improve outcomes. The challenge is to find that balance.”

Global Difference?

Dunbrack explains that many of the challenges the NHS faces are mirrored in the US.

“Many of the same worldwide trends that promote the widespread deployment of healthcare IT solutions are also making healthcare organizations more vulnerable to cybersecurity threats,” she says.

“More electronic health information is widely available and data volumes are growing exponentially, creating larger, more attractive targets. Healthcare organizations are consolidating and consumerization of technology has resulted in near ubiquitous adoption of mobile devices.”

She also points to a shift from wired to wireless networks, leading to a wide range of ‘at risk’ endpoint devices, many of which are not under the direct control of the IT organization.

“Healthcare organizations are increasingly under attack, experiencing thousands of threats on a daily basis,” says Dunbrack. “[They] simply cannot keep up with the level of attacks levied against them by cyber-criminals whose arsenal is evolving rapidly with greater levels of sophistication and insidiousness.”

Then there is also a question of resources. The debates on healthcare funding in the US have always been pronounced, and the NHS in the UK is used as a political football between parties.

The priority in the US is strengthening security posture in the sector and building internal security awareness. For Salvatore Schiano, researcher at analyst firm Forrester, the biggest issue in the US has again come down to a lack of resources.

“Compared to other US industries, healthcare spends the least on IT security as a percentage of their overall IT budget,” he says. “Worse, 51% of security decision-makers at US healthcare organizations report that spending will stay the same in 2018.”

Greg Day, VP and CSO at Palo Alto Networks, argues that the NHS is quite different. “I’m not sure there is a bigger centralized healthcare system that has been in place as long as the NHS has,” he says. “Today, many medical facilities around the world run more independently, which means they have fewer such open and interconnected processes and systems.

“This has inherently created a far more segmented model that creates some barriers that segments risk.”

Likewise, he adds, with many other health organizations either being privately owned or not having been in place as long, they don’t suffer the same degree of technical debt, which can stifle both IT and cybersecurity innovation.

“The more fragmented the cybersecurity controls, the greater the human workload and so business cost to support them.”

There is also the issue of compliance with regulation – a problem that differs from country to country.

Daniel Kennedy, research director for information security at 451 Research, says: “Brexit didn't save UK organizations from the General Data Protection Regulation (GDPR) which is causing all companies affected (including US companies with EU customers) to undergo serious evaluations of the protections around the more expansive concept of ‘identity’ data covered,” he says.

“We have heard anecdotally in our interviews of some UK organizations whose entire security project schedules were being pushed aside for internal review of GDPR compliance.”

“Flat hospital networks allow infections to propagate from IT to clinical networks much easier than they’d be able to if the network was segmented"

Threats at 70

The challenges of the healthcare sector globally are stark and somewhat different to your average large organization, but what are the big issues going forward for the elderly organization that needs to stay young?

The major threat facing the NHS, and indeed other healthcare systems around the world, is the fact they are now an attractive prospect for cyber-criminals.

Sewart says: “The NHS has benefited, from a cybersecurity perspective, from being disparate, not joined-up and historically holding relatively rudimentary data. It has not, therefore, been a very interesting target. That is all changing now, and I would expect, in the short- to medium-term, some enormous – and potentially scandalous – losses of NHS data and services arising from cyber-breaches, or other information security lapses.”

However, Sewart adds: “We have to accept these losses as a price we pay for progress and a continuing reminder to invest in systems and processes that mitigate the risk of data loss.”

Roberts again raises the issue of the organization’s continued reliance on legacy systems and software, which will leave it open to threats in the future. “This makes keeping [systems] secure, with regular updates, a costly and difficult process, if it’s possible at all. The WannaCry ransomware attack was made possible due to the vulnerabilities associated with these systems.”

Salvatore says ransomware attacks have “skyrocketed” in the industry and out-of-date operating systems leave machines with long lifespans vulnerable.

He adds: “Flat hospital networks allow infections to propagate from IT to clinical networks much easier than they’d be able to if the network was segmented.

“For example, if the hospital café’s POS system is hacked, it shouldn’t be able to spread to the network where Protected Health Information (PHI) data is held.”

It is also a case of a need for downtime to make those upgrades. Salvatore says: “Even if the downtime is brief, it complicates everyday processes at hospitals dealing with fragile patients.

“The ransomware attack on the NHS exemplified this, leaving it unable to address non-critical emergencies.”

NHS Digital is trying to face the issue head on though. “We are helping organizations by procuring technology and services that we know will help improve the overall security posture of the NHS centrally and providing them free of charge to NHS organizations,” says Flynn.

“Windows 10 is a good example of this – making licenses available to NHS-funded organizations for the next five years so they are able to ensure their operating system remains supported as well as taking advantage of the Advanced Threat Protection (ATP) service.”

Perhaps these challenges are worth thinking about if you are looking to get the NHS a birthday present.

What’s Hot on Infosecurity Magazine?