NHS must ensure £21m cybersecurity fund is spent in the right places

The NHS needs to invest in cyber defences that can adapt to changing threats, argues Malcolm Murphy

Following the unprecedented ransomware attacks on the NHS in May, the Government recently announced that it was to spend £21m on increasing the cybersecurity provisions for 27 major trauma centres across England.

It's clear that, in the wake of WannaCry and Petya, the NHS is facing a serious cybersecurity threat, with unpatched legacy operating systems and a rise in the use of connected devices leaving hospital IT networks increasingly vulnerable. With cyber criminals targeting every new vulnerability as soon as it emerges, NHS Trusts should be operating under the assumption that it's a case of ‘when', and not ‘if' the next attack will occur.

It's important, therefore, that this additional investment is spent in the right places and, while updating and patching operating systems should certainly be a priority, Trusts need to be investing in IT security solutions that will enable them to stay on top of the ever present threat of attack.

No more walls

Traditional IT security systems have long relied on perimeter defences such as firewalls, and intrusion detection and prevention systems. Cybercriminals have evolved, however, and attacks have increased in volume. There were 430 million unique pieces of malware in 2015, for example, up 36 percent on the previous year and continuing to grow. In the face of numbers such as these, singular perimeter defences may no longer be enough.

The smooth running of a hospital relies heavily on constant communication both within and beyond its boundaries, and building thick, impenetrable walls goes against this ethos. Keeping everything out - including insidious actors, hackers, or viruses - is not an option. At the same time, keeping everything in - essentially halting the outward flow of data - is also impossible. The only way to truly bolster security is not by responding with rigid, insular systems that block the flow of information, but with adaptive systems that can learn as threats evolve, moving quickly to discover and tackle threats.

As hospitals become increasingly digitalised, their IT teams must strive to build open systems and networks that enable the bi-directional flow of information, that support a hospital's needs and are simple to manage, all while maintaining a high level of security. Such networks comprise a collection of applications, servers and devices. These elements are the foundation of the infrastructure, and must strengthen each other, maintain the integrity of the foundation, and provide the necessary protection, while always allowing the free flow of information and communication.

For a network to provide protection without compromising this openness requires a responsive and flexible digital infrastructure, rather than a wall or rigid perimeter defences. It must protect the network's integrity, the hospital's assets and data, and its users - patients, clinicians, and administrators - and their devices against malware, hackers, data leaks and other forms of attack.

Consider the alternative

While they may be successful in keeping threats out, walls aren't able to address the points at which they actually originate, thereby allowing hackers to persist and find ever more sophisticated ways of finding new vulnerabilities and backchannels to penetrate.

The alternative to outdated perimeter defences is to analyse contextual pieces of information, building layers of actionable intelligence that seek to understand the causes, behaviour, history and nature of those gaining access to the network.

At the same time, it's important to balance visibility and flexibility.

Hospitals are organic by their very nature, with people constantly moving in and out of the campus. With devices being added and removed on a continuous basis, networks must therefore be scalable, able to adapt and keep pace.

For a hospital to remain secure, it's important to be able to see everything currently on its network, and be able to evaluate any new additions, ensuring that the latest wireless heartrate monitor, for example, isn't introducing malware into the system. This could involve something as simple as automating the process by which that monitor is added to the network, or creating guest permissions for a contractor's device once it's been verified.

Spend it wisely

It's true that a hospital will construct defences around its virtual as well as its physical premises in order to protect those that are working or recovering within. We must, however, accept that all walls do well is isolate and, at best, create an artificial sense of security. We need to accept the very real fact that in today's cyber climate, as demonstrated by the recent ransomware attacks, threats are inevitably going to find their way in.

It is, of course, hugely encouraging that the Government is taking the threat seriously enough to pledge this additional funding to enable hospitals to shore up their defences. Consideration must be given to how investment is used, however. Rather than spending it on building higher walls, it should be used to build layers of defence, visibility and intelligence that are adaptive and responsive, and that enable security teams to see where the next attack is coming from, and prevent it from having any effect.

Dr Malcolm Murphy is technology director Western Europe at Infoblox