The Cybersecurity Challenge for the NHS
Since the late 1960s, viewers of late-night news on US television have been asked a sombre question: “It’s 10pm. Do you know where your children are?” An edited version of this poster is perhaps currently appropriate for NHS organisations. “It’s 2018. Do you know where Microsoft are on support for your systems? And where your organisation is on cybersecurity? And what’s happening on GDPR?”
The WannaCry ransomware affected one third of English NHS trusts back in May 2017. Experts had long argued that such an attack was a matter of when, not if, but the scale of disruption – some healthcare organisations were forced to cancel procedures, others to turn away ambulances – has brought an arguably overdue focus on NHS cybersecurity.
At a national level, money that had been initially earmarked for efforts to make the health service paper-free has already started to be diverted towards bolstering its resilience against cyberattacks. NHS England and NHS Digital have made clear this “reprioritisation” is likely to not only continue but accelerate.
It is perhaps little coincidence that such moves are also being made against the backdrop of legislative change. The EU General Data Protection Regulation (GDPR), which comes into UK law in May, may not actually represent an enormous change in the tenets of data protection but it does threaten much larger fines for certain breaches.
Meanwhile the European Commission’s Network and Information Systems (NIS) Directive is set to be absorbed into UK law that same month, which brings with it financial penalties of up to £17m for healthcare trusts which fail to implement “the most robust” cybersecurity measures.
There is no doubt there is something of a hill to climb here for the NHS. A big part of the issue is legacy software, which continues to dominate the landscape. Microsoft stopped supporting Windows XP back in 2014, and yet it’s been reported the system is still used by as many as 20% of NHS organisations.
Unsupported and unpatchable systems present a real and present danger when it comes to cybersecurity. Yet the traditional model on which the NHS has operated is not necessarily conducive to regularly updating systems and keeping them patched once they have been installed.
Operating systems and programs have often been bought in bulk, as a product. Changing or updating such a system carries a cost in both finances and resources: having already-pressurised IT teams ensure each and every system is up to date is not an easy proposition.
The annoyance of having to buy new software and manually make sure everything is up to date is perhaps part of the impetus behind the growth of the cloud in our private lives. For many of us, e-mail is no longer something for which we have an installed program on our computer. Instead we access it as a service, via the internet. And few of us will have a CD-ROM or DVD with our word processor or spreadsheet software. We may in fact purchase such systems on a subscription basis and, again, they will be housed in the cloud.
Could such benefits also be realised in healthcare? Consider a shift from organisations buying software products to organisations buying software services. In such a situation, the responsibility for the management of the software moves from NHS IT teams – which in most instances are already over-stretched – to the vendor. That notably means that it becomes the supplier’s responsibility to secure and patch everything.
So could such setups help increase the health service’s resilience to cyberattack, by making it easier to ensure NHS IT systems remain up to date and fully patched? Could security concerns be allayed by partnering with cloud providers which are already taking care of some of the most sensitive government and banking data?
There is no doubt that moving to storing programs and information off site rather than on is a big psychological shift, but in the current context many feel it could be one worth considering.
Certainly, local organisations are going to be expected to make changes to their cybersecurity and data security policies. NHS England chief information officer Will Smart used his review of WannaCry to suggest all boards should appoint a lead on cybersecurity. He also said organisations will soon be expected to comply with the new Data Security Protection Toolkit, and in due course with the government’s Cyber Essentials Plus standard.
Meeting increasingly rigorous cybersecurity standards will necessitate multiple conversations within NHS organisations – and perhaps cloud could be part of those discussions.
Claire Read is a freelance writer and editor. She has specialised in healthcare throughout her 17-year career, and has a particular interest in technology. Claire is on Twitter @readthewriter.