Inoculating the NHS against cyberattacks
Cybersecurity chiefs at Wirral NHS trust say education, collaboration and rapid communication are important protections against viruses, phishing and ransomware. Gill Hitchcock reports.
The cybersecurity group from Cheshire and Merseyside sustainability and transformation partnership (STP) has called in the military to help save it from a cyberattack.
“Without giving away official state secrets, on Thursday someone who is ex-military will describe how they rehearsed state cyberattacks and their responses as a group exercise,” says Paul Charnley, who heads the group and is director of IT and information at Wirral university teaching hospital NHS trust.
“The NHS is connected in all sorts of ways and we have to work on responding in a coordinated manner to help sites affected by a cyberattack.”
Charnley says Wirral is subject to attempted cyberattacks every day. In 2017, it escaped being directly affected by the relatively unsophisticated ransomware attack which disrupted 80 of the 236 trusts in England. Across the NHS, WannaCry led to the cancellation of almost 20,000 hospital appointments and operations. Another trust in the STP, Southport and Ormskirk, was badly hit.
Wirral, however, as an NHS England global digital exemplar (GDE) is a health service technology leader. And central to being an exemplar is that Wirral will share its learning and experience, including about cybersecurity, with other trusts.
As part of the GDE programme, Paul Young was appointed as Wirral’s cyber security project manager. He is understandably cagey about revealing too much about his role: “One of the things we want to avoid at all cost is letting anybody know what defences we have in place, because then it becomes almost like an invitation to exploit any weakness.”
But he describes the focus of his work as “the 3Ps – people, platforms and processes.” The ‘people’ strand is the continual process of educating the trust’s 6,500 staff about cybersecurity.
Young is constantly aware of “insider threat”, which can take many forms: for example, staff who use phishing to hack into another person’s account and steal data, or unauthorised use of private health records, perhaps those of a relative, friend or celebrity.
He says the trust has defences to provide an early warning and to enable it to investigate and clamp down. “We are building in things like phishing exercises that will give us a feel for how well the lessons are being learned and how we need to continue,” he says.
‘Processes’ means ensuring Wirral has the right cybersecurity policies and that they are implemented across every part of the trust.
Meanwhile, ‘platform’ covers technology. Young sees the NHS-wide procurement of Windows 10, and the advanced protection deployed as part of that, as key. And Wirral is developing a single sign-on solution for clinicians, which is aimed at keeping the trust’s systems more secure.
Medical devices are particularly challenging, says Charnley. Typically, they have a 10-year life span and are less amenable to patching. WannaCry found its way into the operating systems on the older CT and MRI scanners in a range of NHS organisations. As a result, these systems were lost.
“Replacement costs can be £1m-£2m for an MRI scanner, so it’s not something you can do rapidly just because of a cyber issue,” he says. “We have to wrap them in cotton wool and protect them.”
Like most trusts, Wirral has to make difficult investment decisions, which could be between fixing a crumbling building or purchasing new IT infrastructure. Charnley is trying to educate the people who make those choices, members of the trust’s board, about cybersecurity.
At the end of 2018, NHS Digital offered to provide all trusts with cybersecurity experts who would give briefings to boards. Charnley, taking an STP-wide view, is arranging three sessions for board members from across the 30 organisations. Given the STP’s broad geography spanning two large counties, they will take place in locations aimed at being convenient for all.
Expertise and essentials
When it comes to hiring the right cybersecurity expertise, money is an issue. The NHS is competing for staff with financially-buoyant private sector companies – and in a professional area where demand exceeds supply.
“As part of the regional work we are doing, we are looking at how we might be able to share people at the more expensive end of cybersecurity expertise on a wider basis,” says Charnley.
Is sharing intelligence between NHS organisations important – and could it be better? “The answer is yes to both of these,” he says. “We have a mixture of small and large organisations, some of which can afford more expertise than others.
“We have set up a communications group so we can message each other. If anyone has seen anything suspicious, they suggest responses and it is quickly corrected. I can think of examples where people have shared ways of doing things, like automating patching.”
“We are all starting from different positions and it’s a real challenge,” says Young.
Cyber Essentials Plus is one of the workstreams already underway with the aim of improving overall cybersecurity across the STP. Another is sharing good practice, to achieve a consistent approach to, and governance of, cybersecurity across the 30 organisations. The procurement and vendor relations workstream aims to give the STP a single voice in the marketplace that is clear about what it wants to achieve.
Thursday’s talk is part of the business continuity planning workstream. If one part of the STP is hit by a cyberattack, it is very likely that it could impact on others.
“There are multiple examples of finding ways in which we have fewer weakest links,” says Charnley. “The NHS is connected in all sorts of ways. As well as each organisation having its own responsibility, we have a collective responsibility to work with each other.”