The NHS has never been more digitally dependant; to ensure it continues to function effectively, cyber security has never mattered so much. This was a key takeaway from the recently published Cyber security guide for NHS Non-Executive Directors: Balancing risk.
Produced by John Noble CBE, the Non-Executive Director who leads on information and cyber security for the NHS Digital Board, in collaboration with the cyber teams at NHSX and NHSD, the guide aims to help Non-Executive Directors (NEDs) of NHS Trusts understand how cyber security can affect their organisation and what they need to do to become more resilient to cyber threat.
“Good cyber security is a fundamental element of patient care
and the Boards of NHS organisations have a key role to play
in assuring that IT systems are available and sensitive
patient data is protected.”
John Noble CBE, Non-Executive Director, NHS Digital
The guide reminds us – as was publicly evidenced by the global ransomware attack, WannaCry, some four years ago – that security weaknesses and getting cyber security wrong has serious consequences; it can impact patient care, disrupt health care operations and lead to reputational damage.
Of course, WannaCry wasn’t specifically targeted at the NHS, but a lack of basic IT hygiene – failure to patch, poor infrastructure design, basic IT disciplines that were not followed – exacerbated its impact: it was a lesson to Boards to treat cyber risk no differently from any other business risk.
The NHS nationally has since done some great work – around the Cyber Security Operations Centre (CSOC), centralised delivery of O365/Windows 10 and putting in place technologies to enable national monitoring. Yet the cyber threat too has evolved. As John explains, increasingly sophisticated attacks now threaten healthcare organisations and the vital systems and sensitive patient data that they rely on so heavily to function. Although many attacks have been stopped, significant cyber security vulnerabilities remain – such as unsupported IT operating systems – it’s these vulnerabilities that attackers try to exploit. As the NHS is becoming increasingly digitally dependant, exploitation of such vulnerabilities could have a far greater impact than WannaCry.
Interestingly, and in parallel over the last four years, ITHealth has been working closely with NHS organisations to develop an assurance solution that helps highlight and manage these very vulnerabilities; a solution that enables cyber security to be at the heart of an NHS organisation, and that places easily understood information firmly within the responsibility of the organisation’s Board. Now being used by over 100 NHS Trusts to better manage cyber risk and compliance, the ITHealth Assurance solution continues to evolve according to NHS requirements.
“Cyber Security is the protection of devices,
services and networks – and the information on them
– from theft or damage via electronic means.”
National Cyber Security Centre, 2019
Things Boards must know about cyber security to keep their organisation safe from cyber attack
The guide was produced in the knowledge that not all NEDs are cyber security literate; for many, it can be a daunting subject. It spells out key cyber security considerations to equip NEDs to provide robust challenge and support and to treat cyber in the same way as any other key business risk, such as finance.
As such, the guide states six things that Boards must (note use of the word ‘must’) understand about cyber security to protect their organisation from cyber threat – three of which we firmly believe ITHealth’s Assurance Solution absolutely helps address from the bottom-up.
1. Knowing ‘what your cyber security risks are and how they should be prioritised and mitigated’
This is key to the ITHealth Assurance solution and was the driving force behind why the solution was initially developed.
“Any device taking an IP address, I wanted to know about it.
I knew the information I wanted to present to customers,
but I had no mechanism to do so.”
Mike Press, Chief Technical Officer,
Nottinghamshire Health Informatics Service
NHS organisations lacked security visibility of their IT estates. Information resided on disparate, multiple systems, often managed by different departments and stakeholders, which resulted in information overlap, missing gaps and no clear view of the overall picture; hence, there was little or no assurance.
The ITHealth Assurance Solution was developed, with the likes of Nottinghamshire Health Informatics, to provide clear and concise security visibility related to all IT assets through a single pane of glass; to equip IT leaders and teams with a single tool that pinpoints vulnerabilities, helps target and track remediation, and makes it clearly understood what cyber security risks the organisation is carrying linked to assets at any given time. Featuring vital cyber reports based on real, accurate, current visibility into the state of the network’s hardware and software assets, it aids effective decision-making in terms of managing and prioritising cyber risk.
The security of connected medical and IOT devices is also covered by the solution, which provides asset visibility of these devices and the vulnerabilities affecting them, so risks can be mitigated accordingly.
“What I like best is that this [ITHealth] system takes away any guesswork and opportunity for error…it presents a picture of the network and systems as they really are – making it easier to visualise risks.”
Janet Eivers, Digital Compliance Manager
Northern Care Alliance NHS Foundation Trust
2. Governance – who is responsible for cyber security and how best to structure the discussion between the Board and technical experts
The role of the CISO comes into play here. The Non-Exec Director needs to ensure that they have absolute clarity over who is responsible and accountable for information security within the organisation. They need to know what information the company holds that is deemed sensitive across the full spectrum of operations, as well as what is the current level of risk exposure, and what third parties play a role in the end-to-end data protection chain. A complete picture is required in relation to the assets and infrastructure on the network; if a piece of infrastructure is not known about, how can it be effectively protected? Ultimately the NED’s need to know how the security and data risks within the organisation are being mitigated and what residual risk remains, only then can they take an informed view on the next course of action.
Bridging the gap between the Board and the technical experts is central to the ITHealth Assurance Solution, which aims to facilitate that regular cyber conversation and help the tech experts communicate effectively to the not-so cyber literate board. ITHealth provides monthly reports to IT leaders summarising the organisational cyber security status quo to allow swift dissemination of simple to understand cyber information to be fed directly upwards. The reports succinctly highlight the organisation’s exposure to cyber-risk via ‘meaningful metrics’ to help shape the cyber conversations and inform decisions on how best to manage and prioritise risk.
The reports provided by ITHealth take two forms: a detailed overview and a two-page Executive Summary. Both reports, particularly the Executive Summary, facilitate the structuring of conversations between Board members and technical experts, as each cyber area can be discussed systematically and the remedial progress against each evaluated in turn.
“We value the monthly assurance reports that come with the [ITHealth] solution. They’re easily digestible and professionally produced. We distribute them to senior management as they provide key indicators on the important aspects of our IT estate.”
Sean Devine, Infrastructure Manager
Homerton University Hospital NHS Foundation Trust
3. Which data and systems you care about most, and any potential vulnerabilities that threaten their confidentiality, integrity and availability
The sheer volume of vulnerabilities on a typical network can be a major challenge; it is not possible or feasible to address all vulnerabilities and so understanding which to prioritise is vital.
One of the most recent developments of ITHealth’s Assurance Solution addresses this very issue. ITHealth is now working with experts in incident modelling solutions, to add modelled cyber-attack intelligence to help NHS organisations optimise their patching strategies.
The system that ITHealth is integrating into its solution models the potential impact of cyber-attacks on businesses. It’s a system which provides insight into how cyber-attacks could impact underlying IT infrastructure supporting business operations, enabling organisations to assess their resilience against attack and plan mitigation strategies to counter network threats. The tool uses advanced analytics to identify cyber-attack paths that highlight the vulnerabilities adversaries might exploit to compromise business-critical assets. It can even simulate the beneficial effect of targeted vulnerability patching, supporting more economical patching regimes before any company resources have been committed.
This addition to the ITHealth Assurance Solution will absolutely help identify the vulnerabilities that threaten the integrity and availability of data and systems that the Boards of NHS organisations care most about.
The cyber security guide goes on to suggest key questions that NEDs should ask of themselves and, in turn, that the Board should be asking of its IT security teams with regards to cyber security. Many are questions that if left unposed could have real consequences and potentially impact the safe delivery of patient care.
Here are just some questions that the ITHealth Assurance Solution alone helps address:
- How do we get a holistic view of our IT estate to be cyber assured?
- How do we ensure that our software and devices are up to date in terms of patching?
- Do we know the vulnerabilities that threaten the data and systems we care most about?
- Do we have the relevant tools to allow us to quickly assess our exposure related to NHSD Cyber Alerts, particularly high severity Cyber Alerts when they are released?
- Can we easily track ongoing compliance against Cyber Alerts?
- Do we know where Anti-Virus and ATP is enabled/disabled across our IT estate?
- Are we aware of all end-of-life software throughout the estate?
- Can we easily find the relevant reports and information required for DSP Toolkit compliance?
- Are we aware of our connected medical devices and the vulnerabilities affecting them?
- Is the board receiving the right level of information and ‘meaningful metrics’ in order to be able to challenge / support cyber security effectively?
If you’d like to know more about how the ITHealth Assurance Solution can help you with cyber security and ultimately protect patient care, get in touch for a demonstration.