Interview: Tony McGivern, Security Manager, County Durham & Darlington Foundation NHS Trust

As the digital age is pushing the NHS more towards the paperless route, one security manager saw the need to get a better grip on visibility and information about the network.

Speaking to Infosecurity, Tony McGivern, security manager at County Durham & Darlington Foundation NHS Trust, said the local network he looks after covers the Durham area and borders Newcastle and North Yorkshire, consisting of 2 million patient contacts, 8000 dedicated staff and three ‘big’ hospitals along with enabling 130,000 A&E attendances, 600,000 district nurse appointments, 43,000 operations, 67,500 emergency admissions and 390,000 radiology exams a year.

He said: “The project within the organization was to review everything we did from a security perspective, and as the digital age is pushing us more along the paperless route, how we hold and manage data all falls under the informatics bracket. What we were not able to do was look back and see what happened.”

He explained that after the WannaCry incident in May, his trust was mostly unaffected, as a full overview had taken place in the preceding three months, ensuring that endpoint protection was kept up to date.

“As we know, things were discovered on an hourly basis and while it is fair enough to run reports on the SIEM to see a conversation with the indicators of compromise, to have detection automated in the background in real time meant that the IOC was identified, and it gave us a great starting point from where we go on from.”

Enabling that detection was UK start-up Xanadata, a “data analytics solutions provider who develop systems to extract valuable insights from unstructured data.” McGivern explained that he was able to run data through Xanadata and, once all of the security tools were installed, introduce all new security tools into a clean environment.

Did the use of such a tool give him better answers on how secure he was? He explained that he uses a popular SIEM which “gave confidence and assurance over the WannaCry weekend.

“One reason we were excited about Xanadata’s product moving forward is we use and leverage information and intelligence outside of one vendor and integrate with thousands of intelligence agents,” he said. “We are very happy with our vendors and have global threat intelligence, and coupling that with a neighboring organization and going through the Xanadata suite gives us full confidence that we would have picked it up.”

Asked if there is data sharing among NHS trusts, McGivern said that there is data provided by NHS Digital on breaches etc, but if someone mis-reported a breach, Xanadata can be used to go back in time and see if it did happen.

“Our greatest fear is not loss of data that is punishable by fines, but manipulation of data and if we didn’t know if it happened it would be significantly more difficult”. He added that ICO or GDPR fines are one consideration, but if an attacker called and said that they had manipulated all of the blood stocks, it would take time to check it all, but now they can use this to check and look back.

Xanadata were formed in 2014 and focus on accelerating data analytics. Founder and CEO Richard Benson told Infosecurity that the tool gives users an idea of their state of security. He said that machine learning is used on databases to pull out ‘misbehaving IP addresses’, which can be flagged as being bad, and to determine from the data what is actually bad. He also explained that it does not matter what other security software is being used, as all this requires is log data to minimize the cost of analysis.

The ability to retrospectively investigate is what caused so many headaches for IT managers around the time of the Heartbleed bug. If there is a tool that can demonstrate the state of current security and that will allow the manager to determine and state that position, then many will feel the benefit.