Has the NHS sacrificed cybersecurity for convenience?

Written by Matt Lock on 1 September 2017 in Opinion
Opinion

Matt Lock of Varonis argues that an increase in connectivity has left health-service IT vulnerable

May’s WannaCry ransomware attack was a wake-up call like no other. Affecting numerous hospitals across the UK, the cyberattack managed to bring critical services to a standstill; non-urgent operations were cancelled, doctors had to resort to using pen and paper; and patients at some hospitals were advised not to attend A&E departments. 

The scale of the attack has highlighted how a trend towards accessibility, and an increasingly interconnected network, can pose risks, at a time when we’re more reliant than ever on digitised services.  When critical services, including A&E departments, are compromised in this way, we need to take stock and apply the lessons of how to better protect the systems which keep our health service running.  

Connectivity is King 
In the post-mortem following WannaCry, factors such as lack of investment and staff training were cited as the causes behind the debilitating impact to services. Certainly these play a part, but we also need to look more closely at how the systems within hospitals are designed in order to diagnose why, when the attack struck, vital services were suspended so quickly. 

Key to this is that, in recent years, there’s been a trend towards improving accessibility and integration of systems and data so that information can flow freely. The digital transformation that’s been core to the delivery of services brings convenience, but this shouldn’t be at the expense of security. 


Related content​


This approach means that the attack surface expands: when an attack like WannaCry strikes, the shockwaves are felt more widely across the network, and ransomware can spread quickly across interconnected systems. It meant that A&E departments which, in the past, would not have been connected to other hospital systems, were affected.  Added to the challenge is that we’re building on ageing, legacy systems with unpatched and out-of-date software which poses a significant risk.  These are exactly the vulnerabilities that attackers will exploit. 

Essential services should not be vulnerable in this way: we need to isolate critical infrastructure with air-gapped networks that are not connected to the internet, or to any devices that connect to the internet. This reduces the risk vector and means that, when at attack strikes, the impact can be contained.  

We also need to ensure that we get better at protecting the data itself.  When access to data isn’t managed or monitored, organisations are at far greater risk from cyberattacks.  In the case of ransomware, for example, if the compromised individual has global access rights, all the data that they can access will be encrypted.  Setting ‘least privilege’ models for access, so that only those that ‘need to know’ can access sensitive data, ensures greater level of security and protection for personal data. 

If we are to improve security we need to learn the lessons from these attacks; protecting the perimeter is not enough. As the ransomware epidemic will continue to grow, we need to re-examine how we protect vital systems once an attack has breached the outer security defences.       

About the author

Matt Lock is director of sales engineers at Varonis 

Share this page

Tags

Categories

Add new comment

Related Articles

Public sector given March 2019 deadline to ditch .gsi domains and move to public cloud
9 November 2017

Government issues edict instructing public bodies to move email and websites to gov.uk and other new domains

NAO says preventable WannaCry damage shows DoH and NHS must ‘get their act together’
27 October 2017

National Audit Office report also points to a lack of coordination in response to attack, which the government has concluded was conducted by North Korea

From GPs to the DWP – the public sector must ensure digital is not the only answer
19 October 2017

Digital transformation can bring great benefits, but the needs of the millions of people that still need non-digital means of interacting with government must not be overlooked, argues ...