UK issues strategy to protect National Health Service from cyberattacks
The British government published on Wednesday its new cybersecurity strategy for the National Health Service, aiming to make the country’s healthcare sector “significantly hardened to cyber attack, no later than 2030.”
The strategy comes in the wake of the WannaCry ransomware attack in 2017, alongside a criminal attack on the software supplier Advanced last year, and multiple incidents affecting the sector on a global basis.
Neither the WannaCry nor the Advanced incident has been alleged to have led to a loss of life, but both prompted crisis management meetings in government and revealed the severe risks that attacks on different services pose to the actual provision of healthcare.
The WannaCry attack in May 2017 disrupted “at least 34% of trusts in England, leading to thousands of canceled appointments and operations” as well as forcing multiple emergency departments to turn patients away. In total it is estimated to have cost the NHS £92 million.
While the strategy said the NHS is today much better protected from untargeted attacks like WannaCry, it cautioned “there remain important challenges necessitating continued cyber security improvements across the sector.”
“The most significant cyber threat the sector faces is ransomware,” the strategy acknowledged, although it warned of “other, less prevalent, threats” that “might include state actors seeking to access sensitive information, or people working in or near to the health and social care sector seeking to misuse their privileged access.”
Following the attack on software supplier Advanced, the department for health began analyzing the critical supply chain, a process that has included “trialling assurance tools, building an engagement plan, and developing criticality criteria.” According to the strategy, the NHS is now developing a new product to map its most critical suppliers by 2024.
The difficulties facing the government stem from the NHS not being a single body with a single set of IT policies, but a decentralized collection of multiple public healthcare systems provided by thousands of separate health and social care organizations — each responsible for its own cybersecurity.
“Working towards a cyber resilient health and social care sector is a significant challenge. The sector is made up of complex, interdependent systems with different risks and needs,” said Nick Markham in the foreword to the strategy.
The point of the strategy is to “shape a common purpose across health and social care against the most critical of those risks,” added Markham, who is a junior minister at the department for health.
In a joint statement published alongside the strategy, Phil Huggins and Mike Fell — respectively the CISO and the executive director of National Cyber Operations at the NHS — said “every health and social care organization must take responsibility for its own cyber security, with national cyber security teams setting direction and providing central support.”
This support now includes a Cyber Security Operations Centre (CSOC) “monitoring local systems throughout the country for the first signs of cyber vulnerabilities” and enrolling more than 1.67 million devices onto Microsoft Defender for Endpoint to improve visibility of potential threats.
The strategy includes developing “a framework to support local security operations centres - by 2024” although it is not clear whether the framework or the support itself will be in place by then.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.