Has the NHS sacrificed cybersecurity for convenience?

Written by Matt Lock on 1 September 2017 in Opinion

Matt Lock of Varonis argues that an increase in connectivity has left health-service IT vulnerable

May’s WannaCry ransomware attack was a wake-up call like no other. Affecting numerous hospitals across the UK, the cyberattack managed to bring critical services to a standstill; non-urgent operations were cancelled, doctors had to resort to using pen and paper; and patients at some hospitals were advised not to attend A&E departments. 

The scale of the attack has highlighted how a trend towards accessibility, and an increasingly interconnected network, can pose risks, at a time when we’re more reliant than ever on digitised services.  When critical services, including A&E departments, are compromised in this way, we need to take stock and apply the lessons of how to better protect the systems which keep our health service running.  

Connectivity is King 
In the post-mortem following WannaCry, factors such as lack of investment and staff training were cited as the causes behind the debilitating impact to services. Certainly these play a part, but we also need to look more closely at how the systems within hospitals are designed in order to diagnose why, when the attack struck, vital services were suspended so quickly. 

Key to this is that, in recent years, there’s been a trend towards improving accessibility and integration of systems and data so that information can flow freely. The digital transformation that’s been core to the delivery of services brings convenience, but this shouldn’t be at the expense of security. 

Related content​

This approach means that the attack surface expands: when an attack like WannaCry strikes, the shockwaves are felt more widely across the network, and ransomware can spread quickly across interconnected systems. It meant that A&E departments which, in the past, would not have been connected to other hospital systems, were affected.  Added to the challenge is that we’re building on ageing, legacy systems with unpatched and out-of-date software which poses a significant risk.  These are exactly the vulnerabilities that attackers will exploit. 

Essential services should not be vulnerable in this way: we need to isolate critical infrastructure with air-gapped networks that are not connected to the internet, or to any devices that connect to the internet. This reduces the risk vector and means that, when at attack strikes, the impact can be contained.  

We also need to ensure that we get better at protecting the data itself.  When access to data isn’t managed or monitored, organisations are at far greater risk from cyberattacks.  In the case of ransomware, for example, if the compromised individual has global access rights, all the data that they can access will be encrypted.  Setting ‘least privilege’ models for access, so that only those that ‘need to know’ can access sensitive data, ensures greater level of security and protection for personal data. 

If we are to improve security we need to learn the lessons from these attacks; protecting the perimeter is not enough. As the ransomware epidemic will continue to grow, we need to re-examine how we protect vital systems once an attack has breached the outer security defences.       

About the author

Matt Lock is director of sales engineers at Varonis 

Share this page




Please login to post a comment or register for a free account.

Related Articles

NHS app to widen users’ access to health records
13 June 2022

Strategy makes commitment to allow patients to view a greater range of information

‘Treated as suspects’ – ICO calls for end to excessive demands for personal data of rape victims
31 May 2022

Information commissioner tells forces to immediately stop gathering info in a manner he claims is putting a major dent in conviction rates

Government urged to commit to devolution to drive innovation and levelling-up
29 June 2022

Think tank report identifies benefits of city mayors, but finds many local officials are frustrated with current interactions with Whitehall

Covid inquiry: Government lawyers sign £23m deals for document disclosure
27 June 2022

Long-term contracts cover data from a range of specified departments