Has the NHS sacrificed cybersecurity for convenience?

Written by Matt Lock on 1 September 2017 in Opinion

Matt Lock of Varonis argues that an increase in connectivity has left health-service IT vulnerable

May’s WannaCry ransomware attack was a wake-up call like no other. Affecting numerous hospitals across the UK, the cyberattack managed to bring critical services to a standstill: non-urgent operations were cancelled, doctors had to resort to using pen and paper, and patients at some hospitals were advised not to attend A&E departments.

The scale of the attack has highlighted how a trend towards accessibility, and an increasingly interconnected network, can pose risks, at a time when we’re more reliant than ever on digitised services.  When critical services, including A&E departments, are compromised in this way, we need to take stock and apply the lessons of how to better protect the systems which keep our health service running.  

Connectivity is King 
In the post-mortem following WannaCry, factors such as lack of investment and staff training were cited as the causes behind the debilitating impact on services. Certainly these play a part, but we also need to look more closely at how the systems within hospitals are designed in order to diagnose why, when the attack struck, vital services were suspended so quickly.

Key to this is that, in recent years, there’s been a trend towards improving accessibility and integration of systems and data so that information can flow freely. The digital transformation that’s been core to the delivery of services brings convenience, but this shouldn’t be at the expense of security. 

This approach means that the attack surface expands: when an attack like WannaCry strikes, the shockwaves are felt more widely across the network, and ransomware can spread quickly across interconnected systems. It meant that A&E departments which, in the past, would not have been connected to other hospital systems, were affected.  Added to the challenge is that we’re building on ageing, legacy systems with unpatched and out-of-date software which poses a significant risk.  These are exactly the vulnerabilities that attackers will exploit. 

Essential services should not be vulnerable in this way: we need to isolate critical infrastructure with air-gapped networks that are not connected to the internet, or to any devices that connect to the internet. This reduces the risk vector and means that, when an attack strikes, the impact can be contained.

We also need to ensure that we get better at protecting the data itself. When access to data isn’t managed or monitored, organisations are at far greater risk from cyberattacks. In the case of ransomware, for example, if the compromised individual has global access rights, all the data that they can access will be encrypted. Setting ‘least privilege’ models for access, so that only those who ‘need to know’ can access sensitive data, ensures a greater level of security and protection for personal data.

If we are to improve security we need to learn the lessons from these attacks; protecting the perimeter is not enough. As the ransomware epidemic continues to grow, we need to re-examine how we protect vital systems once an attack has breached the outer security defences.

About the author

Matt Lock is director of sales engineers at Varonis 
