The NHS have a clear drive to become paperless by 2018. With this reliance on technology, IT will undoubtedly become the backbone of the NHS. With the sheer amounts of highly sensitive digital data on many disparate systems and devices and with varying degrees of user access, how can the NHS ensure that it remains protected? Needless to say, an embarrassing data breach could seriously harm the reputation of any NHS organisation.
ITHealth has been helping the NHS with its IT security challenges for 25 years now. Brett Draper, Managing Director of ITHealth, highlights what he thinks are some of the top IT security challenges that face today’s NHS organisations as well as suggesting actions that could be taken to overcome these.
1. Second generation malware attacks
Digitised healthcare records are extremely attractive to cyber criminals and have always been a key target for malware attacks. As malware tactics continue to advance, they are becoming increasingly more difficult to detect, remove, and recover from. Traditional, signature-based endpoint security is no longer enough to keep the cyber criminals at bay and if malware goes undetected, even for a short period, it can do a lot of damage. Reactive protection is not enough.
Security experts are aware of the challenges and constantly work to develop more effective technologies for cyber protection. Our advice is for NHS organisations to keep their software up to date and review their current anti-virus and endpoint protection to ensure its taking advantage of the newer, more effective signature-less releases of protection technology from its existing supplier.
Read more about how to prevent second generation malware attacks.
2. Ransomware attacks
Several large US hospitals have already been attacked by ransomware – a form of malware that locks down sensitive files on a network and demands money for their unlocking. Given that patient data is ‘valuable’ to attackers due to the mass disruption it could cause if withheld, there is no question that the UK are as vulnerable to this sort of attack. The NHS must learn from its overseas counterparts and be prepared.
A robust back-up strategy, including real-time back-ups and offsite back-ups, is essential. Given the sophistication of these attacks, existing security systems (anti-virus, next-generation firewalls, IPS/advanced threat protection, email/web gateways) must also be implemented and configured correctly.
User awareness training (knowing the do’s and don’ts) of suspicious emails also continues to be imperative.
Read more about how to stay protected against ransomware.
3. Securing access for a mobile workforce
Given the ever-growing mobilisation of the NHS workforce, providing anywhere/anytime network is essential. The NHS now have sensitive data spread across a number of devices – not just servers and desktops, but also laptops and mobile devices. All of these devices require secure access to key systems and highly sensitive patient information daily, yet secure remote access from these devices clearly poses a challenge to the NHS.
As well as implementing a secure VPN client, we also recommend introducing two-factor authentication (2FA). Passwords can now be cracked at alarming rates. Multi-step verification provides an additional layer of security to the traditional password and double-checks that a user’s identity is legitimate. There are many remote access solutions that use 2FA in the market place, however you can read more about ITHealth’s Secure-IT solution.
4. Bring Your Own Devices (BYOD)
There is increasing adoption of BYOD by medical professionals. However, the difficulty with this is having full visibility of the security status of each of these devices. With unknown security of any one device, how can NHS IT teams protect any patient data contained therein, as well as ensure that the device isn’t breaching NHS policies?
Securing BYOD begins with the same security requirements that should be applied to devices already on the network: enforcing strong passwords, anti-virus protection and data loss prevention (DLP), full disk encryption for disk, removable media and cloud storage, mobile device management (MDM) to wipe sensitive data when devices are lost or stolen, and application control.
Read more about solving BYOD and 5 simple tips for securing your mobile workforce.
5. Lost / Stolen hardware
How many stories have you heard of laptops and mobiles being stolen, USBs sticks going awry, or CDs being left at bus stops? Unfortunately, this situation is all too common and continues to remain a challenge for the NHS. NHS organisations must have clear data loss prevention (DLP) processes in place to prevent highly sensitive data getting in the wrong hands – to ensure their reputation is protected and patient trust remains undamaged.
Disk and device encryption is the best defense against this type of data loss, as well as MDM and the ability to wipe data remotely.
Read more about lost/stolen hardware and encryption.
6. Asset awareness
Another challenge for NHS organisations is knowing the entirety of what resides on the network. Without a complete inventory of software and endpoints, how can you ensure the right security is implemented to ensure all that should be protected is protected? We highly recommend using an endpoint manager to regularly inspect and audit your entire enterprise to uncover, analyse, and remediate abnormalities that could result in expensive incident response efforts. There are many endpoint managers in the marketplace, Promisec being one example.
Yes, the creation and protection of passwords continues to be a key issue for any organisation, including the NHS. Strong and complex passwords that are changed often are still imperative. Never reuse your password on another site or account and don’t write them down anywhere.
If creating a large number of complex, hard to guess passwords is a challenge consider using a password manager tool, such as Dashlane 4, which will leave you with just one master password to remember. Better still, for NHS organisations, we highly recommend implementing Single Sign-On functionality to allow clinicians to sign on once and gain access to all of the systems they require access to. Not only does this increase security, it also hugely benefits the productivity of staff due to reduced admin and reduced calls to IT
8. Internal Threats
NHS IT departments invest a lot of time and money in preventing outside threats to their systems, yet internal staff remain one of the biggest security threats. Educating users about how to identify suspicious emails and websites and knowing when it’s not okay to click on that mouse is essential. It’s also important to know who amongst your staff is accessing data that they shouldn’t be. Patient record snooping is rife. However seemingly harmless, it can result in an embarrassing data breach. Fortunately, there are new software technologies on the market (such as FairWarning). These technologies consistently analyse who has been accessing what and can produce regular audits, as well as alerting IT teams to unusual behaviour so that any potential issues can be dealt with straightaway.
Of course, we all know that there is no such thing as a panacea when it comes to protecting online assets. Security threats will continue to evolve and technologies will advance accordingly. However, if the NHS is to achieve its target of becoming paperless by 2018, then addressing the above eight challenges is a good starting point.