Securing NHS Trusts: what cyber solutions should be prioritised?
Four security vendors give their view on staffing issues, zero trust and threat intelligence
All of England is now covered by one of 42 NHS Integrated Care Systems (ICSs). ICSs are designed to integrate medical and care services across a geographic area in partnership with local authorities and other organisations. ICSs have a degree of autonomy when developing strategies to best suit the people in the region they serve, including around choice of technologies.
In October, the government announced £2.1 billion of funding over the next three years to support digital technology "so hospitals and other care organisations are as connected and efficient as possible".
But along with connectivity, something that should be high on the list of priorities for ICSs and NHS Trusts is IT security. There are opportunities and dangers in increased autonomy here, the former in the shape of being able to make decisions more quickly, the latter in that new silos may emerge, with weak points in the gaps between them.
We asked four suppliers with experience of working in the NHS as contractors or as part of an ICS for their 'vendor-neutral' view of the security priorities in NHS trusts.
The cyber skills shortage
Mark Bishop, director of technical services at Cloud21, a service provider that works mainly with the NHS and local government, says that one issue that needs to be considered is the number of specialists that can be brought to bear.
"NHS IT teams do not frequently increase in size no matter the number of additional workloads they take on, and so it means they have to focus," he said. "Until now, Trusts have largely only been able to address basic security controls around endpoints, data centre infrastructure and network perimeters."
With more and more activity happening in the cloud, there's a need to bridge the gap between local on-premises systems and those hosted by cloud providers. This means more automation, increased use of vulnerability scanning and remediation, SIEM and privileged access management tools, and a continued emphasis on training.
But in a competitive skills market, public sector organisations can find it hard to attract and retain cyber skills, Bishop went on.
"We are working with many NHS organisations at the moment, and the bandings they are allowed to recruit cyber security staff under mean that they are struggling to attract the right skills into the right roles.
"The market is so hot for security staff and salaries are very competitive, something the NHS has never been able to compete with. This is something the ICSs should look to relieve by working to support the Trusts in building regional cyber security teams that the Trusts fund collaboratively."
Colin Fernandes, EMEA product director at data analytics firm Sumo Logic, believes the NHS could improve the way it welcomes new joiners.
"The industry as a whole has to do a better job around supporting new entrants into the world of security. There are talented people out there that we can support and get into the profession, but we all have to be willing to find those people and help them benefit professionally as well as personally," Fernandes said, adding that he'd like to see a 'secure by default' approach taken to investment priorities.
Staying ahead in the arms race
The most feared threat is ransomware. The NHS, after all, was one of the organisations that bore the brunt of WannaCry back in 2015, and since then ransomware gangs have viewed the health sector as a soft target.
"Hands down, ransomware is the biggest cyber security threat facing NHS Trusts," said Keegan Keplinger, research and reporting lead at eSentire Threat Response Unit.
"UK healthcare officials must remain diligent in protecting the IT systems which are critical to running NHS Trusts."
But ransomware is just one type of threat that exploits vulnerabilities. It is not enough to be reactive in defence; organisations of all types, and particularly complex entities like an NHS Trust, need to stay ahead of emerging threats. A key approach is to create a threat intelligence team to monitor the changing threat landscape, said Keplinger. Trusts will also likely benefit from a deployment team to operationalise that threat intelligence, and a Security Operations Centre (SOC) to actively monitor the organisation's network and endpoints.
And these teams should be continuously working to improve their processes in order to stay ahead in what is, essentially, an arms race in which well-funded cybercriminals are able to quickly integrate new exploits and refine their specialisms and techniques.
"It is often the boring aspects of business, like business flows, user interfaces, and lack of integration that slow these processes down. Threat actors have an advantage here, a modular ecosystem that increases the effectiveness of these intermediate processes," Keplinger noted.
The unpredictable way that threats evolve also gives an advantage to the attacking side.
"A vulnerability previously thought to be low risk suddenly becomes exploitable. Would your teams be aware and be able to change their priorities at short notice?" asked Matthew Middleton-Leal, VP EMEA at security vendor Qualys.
Given the rapidity of change as well as the move to hybrid cloud architectures, Middleton-Leal said he'd like to see a move to zero-trust networking treated as a priority, along with IT asset inventory management, a related concern.
"NHS Trusts need a complete asset inventory to ensure their prevention and detection capabilities are successful," he said.
Some regions have had ICSs for a while; some have only recently adopted them. Like any reorganisation, the new system is bound to take some time to bed in. In the meantime, to avoid new security cracks opening up, information sharing is key, urged Cloud21's Bishop.
"Never be afraid to ask another NHS Trust or suppliers for additional support or second opinions on cyber security issues. A problem shared is a problem halved. Take the invention of the NHS Future's Cyber Associates Network - this has produced a strong platform for exactly this purpose."