The UK’s National Health Service (NHS), a unified healthcare organization with a broad collection of moving parts, is working to provide a good cybersecurity baseline for the groups it supports during the COVID-19 crisis. That effort is complicated by limited budget and the need to deliver healthcare services without disruption. New support services and a reformed WannaCry-inspired approach to security is helping them meet that challenge.
Each NHS trust has its own board, priorities and IT organization; under the trusts are hundreds of general practitioner (GP) offices, social care facilities, pharmacies and other healthcare services and providers. The level of cybersecurity maturity among those entities varies, says John Noble, non-executive director at NHS Digital. “The requirements for a GP practice are very different from that of an acute trust, and you've got this classic problem in healthcare, as you have in any organisation, [around] getting that balance between security, cost and usability.”
Failed NHS centralization, WannaCry showed security flaws
Previous efforts to balance centralization versus independence, have left the NHS with burned fingers. The 2003 NHS National Programme for IT proposed a single, centrally mandated electronic care record for patients and healthcare organizations. Dubbed in the UK press as “The greatest IT disaster in history,” the project was cancelled in 2011. That failure led to the NHS leaving each trust to mind its own IT infrastructure.
The impact of WannaCry on the NHS showed that the independent model had major issues. The 2017 ransomware attack affected at least 81 of 236 NHS trusts as well as 603 primary care and other organisations, including 595 GP offices. Some 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – were affected while patient data and email services were unavailable. Cost estimates for the attack have been pegged at around £92 million.
“What became very clear through WannaCry is that we had almost gone too far in giving all the responsibility to trusts but not giving them enough support and guidance,” says Noble, who has responsibility for information assurance and cybersecurity.
Locally managed, centrally supported cybersecurity
Following the failure of the National Programme for IT, NHS Digital took over operations for the NHS Spine network, the NHS website, the Electronic Prescription Service, and NHSMail. Today, the body provides not only support and guidance but also free centralized services to trusts and other healthcare providers.
“What we've seen since WannaCry is much stronger direction from the centre and much more support,” says Noble. “You can't just be telling people what to do, you've got to support them and you've got to give them the resources to be able to get on and improve security.”
It can be easy for some trusts to let IT spend fall by the wayside to focus more on providing immediate care for patients. “For a trust which is facing really big budget issues, chances are that their IT spend is going to be low, and therefore they're carrying a lot of legacy and carrying a lot of risk,” says Noble. “Their cybersecurity may be underinvested in, and therefore you've got a host of issues which need to get addressed.”
The UK Government has invested £60 million in healthcare cybersecurity since 2017 and WannaCry, and in October 2018, the Department of Health and Social Care (DHSC) announced plans to spend over £250 million by 2021 to protect key services from cyberattacks. Much of that support has come through NHS Digital.
Since Wannacry, NHS has taken steps to help raise the capabilities and cybersecurity standards through centralized support and services trusts can adopt as they see fit.
In 2017 a NHS Security Operations Center – now known as the Data Security Centre (DSC) – to spot and respond against threats to the NHS network and provide trusts with threat intelligence. NHS Digital also provides on-site guidance via a troubleshooting team, as well as helping identify NCSC-approved partners if required. NHS Digital also provides on-site assessments, vulnerability testing, and network monitoring.
A more recent NHS Digital service, Secure Boundary is a perimeter security solution to enable secure access for NHS workers and to provide monitoring. “This will allow your staff to access the internet securely from any NHS device,” says Noble. “Then you've got a whole host of different capabilities – next generation firewalls, advanced logging, DNS – that's been provided for free to trusts.” This saves money because NHS can negotiate price on a national rather than regional level.
Likewise, the DHSC negotiated a deal with Microsoft so that trusts could replace legacy operating systems (a main route in for WannaCry) with Windows 10 for free. It also gives trusts a better view of device security with Windows Defender Advanced Threat Protection.
More than 100 NHS boards have completed GCHQ-accredited cybersecurity training since WannaCry struck. Noble adds that NCSC’s Board Toolkit for the NHS contains additional content around security issues such as ransomware and backups. NHS Digital has also run a national cyber communications and awareness initiative called the Keep I.T. Confidential campaign; since its launch in September 2019, over 340 organisations have downloaded the material. The Cyber Associates Network is a community of cybersecurity experts who share best practices and build cyber-resilience in local organisations.
NHS trusts have been asked to meet the Cyber Essentials Plus government standard, and NHS Digital has launched a Data Security and Protection ToolKit (DSPT), a self-assessment tool all organisations that access NHS patient data and systems must use to assure that they are practicing good cyber hygiene. Since its introduction, over 27,000 organisations have completed the DSPT and 97% of organisations meeting the National Data Guardian’s 10 Data Security Standards.
A key part of that support is bringing in government-approved help from beyond the NHS, often from the National Cybersecurity Centre (NCSC).
“The NCSC is providing both the normal TTPs and IOCs but it's also supplying expert advice on things like the architecture. We're doing work on some of the APIs relating to the COVID-19 tracking app,” says Noble, who is a former NCSC director.
The NCSC shares threat information with NHS Digital, which shares it with the DSC). From there it is pushed out the NHS trusts via the information sharing portal. The DSC sends out weekly routine alerts. More urgent alerts go to the entire network or specific trusts that might be at risk.
The extra support is showing progress. According to a report from the UK Government, two high-severity CareCERT alerts have been issued by NHS Digital in 2019 (BlueKeep and DejaBlue), and after developing a High Severity Alert (HSA) Process Handbook, remediation went from 18 weeks for BlueKeep down to three weeks for DejaBlue. “The NHS has made tremendous progress since WannaCry, but there are still risks,” says Noble.
Security through support and sanctions
The NHS is loathe to centralize too much. “The only way you can really provide cybersecurity – indeed, you can provide IT – is by giving responsibility for individual trusts, individual organisations, to ensure that they are secure,” says Noble. “You can't, simply can't, do that all from the centre.”
Since WannaCry, the NHS has taken a more hybrid approach with the formation of NHSX (where X stands for “user experience”). This NHS unit sets national policy and develops best practices for NHS technology. It has led to what Noble describes as “more direct” approach in ensuring that even if some trusts aren’t using NHS Digital as much as others, they are still securing their data and operations.
Noble says part of that is getting governance right. Identifying the people responsible for information governance and assurance within each trust drives accountability and enables NHS Digital and NHSX to remind leaders of their obligations around security.
“Principle number one is do you know who is in charge, who is personally senior management responsible for the cybersecurity in in a particular trust,” Noble says. We have got to make sure that we've always got clarity, however complex it is, of who exactly in charge and we've got the governance right.”
If NHS Digital acts as the ”carrot” of free services and guidance, NHSX is the ”stick” and issue sanctions and fines under the UK’s implementation of the NIS Directive, the Network and Information Systems Regulations 2018, in which the UK has set the maximum fine at £17 million.
“The key is being very clear what is expected of people and where the bar is set, and the standard that they should reach,” Noble adds. “If we have a very high severity threat report which requires trusts to update software, we can monitor who has not managed to do that within the guidelines and the timescales. If they don't, that can trigger NHSX and NHS England taking action to remind chief executives of the responsibility the risks that they're carrying and their personal responsibility.”
Cybersecurity and COVID-19 in the NHS
While Noble says he has seen an increase in business email compromise attempts, the NHS is worried about ransomware and has seen some attempts on the NHS and its commercial partners. “Clearly a ransomware attack at the moment would really have major implications, so that is the area that we're particularly focused on. We can be certain actors are focused on how they can exploit COVID, which is why it's so very important that we do not relax cyber security going forward.”
The crisis has seen NHS trusts respond by offering new services and scaling up existing ones. NHS Digital has responded to the coronavirus by adding guidance around working from home securely; ramping up its on-site support for trusts around vulnerability remediation, backup capability, and incident response; and offering NHS organizations the NCSC’s Protective DNS for free.
The number of healthcare workers and patients using NHS Digital services has shot up during the crisis. Care providers using NHSMail more than doubled in six weeks, while more than 60,000 people registered for the NHS Login single sign-on services in late March and early April, and users of the 111 phone service in March more than doubled compared to the same time last year.
Positive outcomes for NHS cybersecurity
Noble predicts long-term effects from the crisis that will leave the NHS in a stronger security position. “This is an incredible challenge, but it is also an opportunity for us to address some of the issues around the system. Additional funding has been made available as part of a COVID-19 action plan so that, if a trust is carrying particular vulnerabilities and isn't in a position to address it, to be able to go and give that resource to urgently tackle it.”
Along with help from the NCSC, the NHS has been working on improving its threat intelligence and hunting capabilities through new data sets and threat feeds.
“Digitalization has tremendous benefits, but it also carries risks if you don't do it securely,” says Noble. “The fact you're in a crisis means you should not be compromising on the standards that you're setting. Otherwise, you will have even bigger problems.”