Cyber security was thrust into the spotlight when a ransomware attack on a major NHS IT provider threatened to disrupt digital services such as patient check-ins and NHS 111.
A ransomware attack is where hackers take control of IT systems to steal data and demand a payment from their victims to recover it.
And while the Birmingham-based firm at the centre of the attack refused to confirm whether it had negotiated with the hackers or paid a ransom, it did indicate that a period of three to four weeks would be needed to fully recover.
At the time, a spokesperson for the NHS said:
“…The NHS has tried and tested contingency plans in place including robust defences to protect our own networks, as we work with the National Cyber Security Centre to fully understand the impact.”
Much of that defence work comes from the NHS Digital’s Data Security Centre, which is the technical and delivery lead for developing cyber security products and services and monitoring security threats to NHS networks and IT systems. Staff are asked to raise alerts with the centre if they detect something out of the ordinary.
The ransomware incident documented above is a clear example of the potential damage and chaos that a cyber-attack can inflict and puts the magnitude of cyber security under the microscope.
THIS – at the vanguard of cyber security
The Health Informatics Service (THIS) is at the vanguard of cyber security for its host trust, the Calderdale and Huddersfield NHS Foundation Trust (CHFT) and 59 clients across the healthcare sector, upholding the principle that confidentiality is the cornerstone of good medical practice and is central to the trust between doctors, colleagues and patients.
Its Cyber Security Team helps to protect approximately 15,000 devices used by 19,000 people working within CHFT and a spectrum of clients ranging from prison healthcare service providers to GPs’ surgeries.
THIS is the only NHS informatics service to hold three ISO standards relating to cyber security and data protection: ISO 27001 Information Security Management, 9001 Cyber Management and 20000-1 Information Technology Service Management. It is compliant with the NHS Digital/NHS England Data Security and Protection Toolkit (DSPT) and its cyber security training is NHS Digital/NHS England mandated.
To put its capabilities into context, in one two-month period, THIS’ host trust was the target of 46,600 phishing emails and 34,600 spam emails that resulted in 1,658 malicious websites being blocked, and the thwarting of 1,432 malware attacks.
Building up your security posture
How much protection a healthcare organisation requires depends on the amount and type of data it handles. Those dealing with patient data must be particularly well-prepared to handle a cyber-attack.
Paul Glover, of THIS’ Cyber Security Team, says that while there is no ‘silver bullet’ that can protect an NHS trust or healthcare organisation from a cyber-attack, he recommends the National Cyber Security Centre (NCSC) 10 steps to cyber security as a good starting point. It includes:
- Risk management – taking a risk-based approach to securing data and systems.
- Engagement and training – collaboratively building security that works for the people in your organisation.
- Asset management – knowing what data and systems your trust or organisation have and what purpose they support.
- Vulnerability management – keeping systems protected throughout their lifespan.
- Identity and access management – control who and what can access your systems and data.
- Data security – protect data where it is vulnerable.
- Logging and monitoring – designing systems that can detect and investigate incidents.
- Supply chain security – collaborate with suppliers and partners. Security should be built in – not bolted on.
Paul Glover:
“The 10 steps are a good place to start building up a robust security posture. But if you then need to prove to your customers that you’re at that level of security maturity, you could look at acquiring Cyber Essentials*.”
(*A UK certification scheme designed to show an organisation has a minimum level of cyber security protection, which is achieved and maintained through annual assessments.)
The five pillars of Cyber Essentials – which is backed by the government and the NCSC - are:
- Firewalls – boundary firewalls and internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go.
- Secure configuration - failure to manage the proper configuration of your servers can lead to a wide variety of security problems.
- User access control - it is important to keep access to your data and services to a minimum. This should prevent a criminal hacker from being presented with open access to your information.
- Malware protection - it is vital that you protect your business from malicious software, which will seek to access files on your system.
- Patch management - criminal hackers exploit known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.
Paul Glover:
“If you then have the time and resource, you can strengthen further by looking at certifications like ISO/27001 Information Security Management."
“This is a good place to be, but it's also being aware that getting to that level of maturity doesn't mean your organisation is completely impenetrable from any kind of cyber-attack. It means you're in a situation where the impact of such an attack is likely to be less than it would’ve been if you'd done nothing."
“The other part of the equation is understanding that if, or when, you are attacked what is your response going to be? Are you prepared to think that far ahead? What does your incident response plan look like? And what does your business continuity plan look like? How are you going to keep running your organisation while it’s suffering from a cyber-attack?"
“A lot of organisations think there is nothing to worry about because they’ve never been attacked before. It's that type of mentality that we need to overcome. There have been incidents in the past that have affected other NHS organisations but not us, and that has been due to the security posture we’ve had in place as part of our digital maturity.”
Keeping data safe – user awareness
THIS has accreditation to provide training on all aspects of threat containment and secure email compliance through NHS Digital’s secure email standard DCB1596 certification that ensures sensitive and confidential information is kept secure.
Paul Glover:
“Any e-mail that comes from outside the organisation typically contains a warning banner that appears at the top of the e-mail saying this is external, be cautious with malicious attachments and malicious links that you click on. We try to drill it into all staff that if you're not certain, alert our team and we can check it for you."
“To be registered as a secure e-mail provider between health and social care organisations you must have the DCB1596 certification from NHS Digital. It ensures that malicious attachments get blocked, there's anti malware and spam controls in place, and that the general well-being and security of the of the e-mail environment is up to a certain standard."
“We put customers through that accreditation. The threat landscape is evolving all the time and it’s important there is user awareness of staying abreast of changes and being aware of how you can keep your organisation safe.”
Microsoft Teams is the preferred communication platform for CHFT as it is UK-hosted, General Data Protection Regulation (GDPR) compliant, ISO/27001 compliant and provides integration with other trust software such as Outlook and ultimately Office 365.
THIS’ has put in place some mandatory procedures to ensure Personal Confidential Data (PCD) is kept secure. These include:
- Minimising the use of PCD.
- Implementing security measures for accessing Teams on personal devices.
- Not extracting or storing PCD on non-Trust, personal or any other storage device.
- Working from home guidelines.
- Ensuring recorded Teams meetings comply with GDPR and Information Governance policy.
Back-up plan and incident response
Malware is evolving constantly. Paul Glover likens it to different variants of a virus and how symptoms can change with different mutations.
He says:
“What antivirus protection used to do was look at the traits of a malware attack, such as its name and location. But what the creators do now is to create it so that it changes every single time it infects a PC."
“We use next generation antivirus software that looks at the behaviours of the malware instead of looking at the signature. So, if there is strange behaviour it quarantines or isolates that device rather than focusing on the specific signatures and qualities of the of malicious piece of software. Modern antivirus firewalls, intrusion prevention systems, antivirus web security and email security help us to stay ahead of the game.”
Backing up data is an important step to keep it safe, as is having an incident response strategy to be as well prepared as possible should the worst occur.
Paul Glover:
“An organisation might have done all it can to protect itself, but once the malware has found a way past it and you are being attacked. How would you deal with it then?"
“We plan for incident response by doing exercises and testing back-up and restore plans, making sure all the users are aware of what is necessary. Our clients can expect to receive extensive support and training on the matter. A client can take all the technology available, but if they don’t have the skillset or resources to manage it, then it creates a bigger problem in some ways.”
Recognising the threat and where it comes from…
A common perception of a cyber security attack is that of hackers breaking through firewalls to wreak havoc.
But sometimes the threat can come from close to home.
Paul Glover:
“You’d like to think it wouldn’t happen, but there is a threat that comes from inside an organisation. NHS staff have access to some critical information. Someone could sell data or leak it to the internet."
“But it could happen unwittingly. Social engineering (the term used for a broad range of malicious activities accomplished through human interactions to trick users into making security mistakes or giving away sensitive information) is another big risk."
“Hackers can manipulate people to either gain access to information or manipulate an individual into doing things they wouldn’t normally do. So, that could be ringing up a GP site and pretending to be from IT support to gain access to the system, or to gain information. It could be an e-mail trying to steal credentials or trying to get the recipient to open a weaponized document."
“Staff can be the biggest weakness in an organisation because they don’t have the training on what to look out for, or to understand what the threats are. It could be as simple as spotting spam emails. If you receive an e-mail and don't know the sender, don’t click on any links. Don't open any attachments, it's that kind of mentality you need to adopt.”
Saving data to the cloud, or on the premises?
Digital health solutions delivered by THIS for CHFT have contributed to its status as a ‘digitally aspirant’ trust, making it one of the most digitally mature trusts in England. However, not all trusts and healthcare organisations have progressed their digital journey to that extent.
But where is the safest place for hospital or healthcare data? There isn’t a definitive answer, says Paul Glover:
“It depends on your organisation’s security posture and what skills they have available. If they have a team to handle incidents and responses, then a cyber-attack can be contained in-house. It’s also down to what the users want. If they want to be able to work from home, a coffee shop, a hotel, then the cloud might be a better solution for them."
“But in a hospital environment, users must come to work to do their job, so they must physically log on to access data. In that case, it makes sense to use storage devices on the premises – providing there are adequate physical security measures in place. Essentially it depends on the needs of the customer.”
A helping hand
All NHS trusts and healthcare organisations receive advice and alerts from the NCSC and NHS Digital’s Data Security Centre to keep clinical and patient data safe by flagging up when vulnerabilities have been detected. NHS mandatory training includes cyber security too.
In addition, THIS’ award-winning Information Governance service – an enabling service to ensure data is handled safely and stored securely - provides consultancy, training and learning products to help its healthcare clients handle personal and corporate data legally, securely and efficiently.
THIS holds ISEB qualifications in data protection, information security, risk management and freedom of information. It can ensure compliance with UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018 through its Data Protection Officer service.
All services are externally certified to Information Security Management System standards ISO 27001, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organisation.
It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.
Here are some of the other key principles you need to be aware of to help keep data safe:
General Data Protection Regulations (GDPR)
The Data Protection Act contains a set of principles that organisations, government and businesses must adhere to in order to keep someone’s data accurate, safe, secure and lawful.
The principles ensure data is:
- Only used in specifically stated ways.
- Not stored for longer than necessary.
- Used only in relevant ways.
- Kept safe and secure.
- Used only within the confines of the law.
- Not transferred out of the European Economic Area.
- Stored following people’s data protection rights.
Freedom of Information Act
Provides public access to information held by public authorities, which includes the NHS. It does this in two ways:
- Public authorities are obliged to publish certain information about their activities.
- Members of the public are entitled to request information from public authorities, which includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.
However, the Act does not give people access to their own personal data (information about themselves) such as their health records.
The Data Security and Protection Toolkit (DPST)
Enables organisations to measure and publish their performance against the National Data Guardian's 10 data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Providing protection against cyber sabotage
The three to four weeks needed to recover from the impact of the ransomware attack we cited at the beginning of this article is valuable time that no NHS healthcare organisation can afford to lose. Add in the threat of hackers creating ever more sophisticated malware, social engineering and even a cyber security breach unwittingly created by a member of staff; the enormity of keeping data safe is plain to see.
The Cyber Security Team is part of THIS’s professional services division, which provides consultancy, training and learning products for the whole of the Information Governance arena.
Its operatives reflect NHS values of professionalism, service and accessibility. They are there to explain options, provide solutions and serve diverse clients.
In addition to its core services, THIS offers bespoke solutions tailored to the needs of each customer. It can combine a number of services into a package and discuss other service solutions that your organisation may benefit from.
Contact us to discuss your requirements.