Darran Clare, Accelerate’s Director of technologies, gives his view on the “Data Security and Protection” (DSP) toolkit and the additional opportunities and challenges it presents to NHS organisations.
On Friday 12 May 2017, a global ransomware attack, known as WannaCry, affected many organisations across a wide range of sectors and countries. But one organisation stood out: the attack infected one third of the country’s NHS trusts and impacted the provision of patient services.
Overall the NHS responded well to what was an unprecedented incident, and while there were no reports of harm to patients or of patient data being compromised or stolen, it highlighted the NHS’s dependency on IT to deliver digital services to patients and the importance of security improvements to reduce the risk and impact of future cyber-attacks.
Three years on, the NHS faces a new impact to patient services, not through a cyber-attack like in 2017 but instead through a pandemic outbreak, limiting necessary physical contact with doctors and care staff.
It is in times like these that we begin to realise the benefits digital services are able to offer organisations with a duty of care, and as the NHS regroups from the situation it will look to drive further transformation programs to deliver more available and efficient digital services to its patients and workers. However, with the move to embrace information technology, the need for assurance and best practice data security will be ever more necessary to make sure personal information is being handled and protected sufficiently.
It was quickly established that all NHS organisations affected by WannaCry had failed to apply a critical Microsoft update for a known vulnerability, but whether organisations had applied the patch or not, it was clear that there was a need for a security framework to guide organisations to best practice with repeatable processes for cyber and situational awareness. It was at this point that the “Data Security and Protection” (DSP) Toolkit produced by NHS Digital was introduced, in parallel with changing GDPR regulation and an increasing threat landscape.
DSP offers NHS organisations an online self-assessment facility to measure their performance against the National Data Guardian’s (NDG) 10 data security standards, which have been designed to address basic cyber vulnerabilities. It is believed that if the health and care system had adhered to a similar standard in 2017, it could have significantly mitigated the impact of the WannaCry attack.
So as we look beyond the direct challenge COVID has introduced, health care organisations have had to quickly pivot to an increased provision of remote workers whilst still attempting to eliminate legacy operating systems and deliver against the requirements of the new DSP security framework.
However, the quick pivot to remote work for the healthcare industry has not been without its own challenges. For starters, patch management systems designed for on-premise use have left user devices in an unpatched and vulnerable state. Coupled with the additional concern of unsecured and unmanaged home Wi-Fi networks, this creates an environment open to compromise and in need of new policies and user awareness to counter the risk.
There is no doubt security standards deliver the structure and level of assurance required to help protect from a cyber-attack, but the requirements can be hugely challenging to achieve even for organisations with dedicated security and compliance teams, let alone for NHS or care organisations with restricted resource and skills and with limited IT budgets to deliver and maintain protection.
So it is extremely encouraging to hear news of a deal being struck between Microsoft and NHS Digital, saving the NHS hundreds of millions of pounds, and enabling all eligible organisations in England to access the full suite of Microsoft 365 digital tools.
This deal will no doubt guarantee significant cost savings for individual NHS organisations looking to improve productivity and collaboration during the increased remote working, but importantly it will aid in strengthening cyber security across healthcare services while they build further digital and cyber resilience into the organisation.
But the offer of any new software or technology still demands time, resource, and skills to implement correctly, not to mention the ongoing management and monitoring to protect the organisation from future threats.
So whether it’s a Gap Analysis to compare your current state of security controls to the DSP or the need to design and deliver IT projects against the requirements of DSP, the following are areas that are important to get right early on.
Asset Management & Risk Register – Spending time identifying and tracking all critical services and assets, along with the most appropriate digital protection and recovery of those assets, will pay off in the long run. Accurate asset management will give you more of a chance of eliminating and preventing new vulnerabilities that will inherently be the source of a major breach.
Policies & Awareness – There are three components which allow classification of attack vectors as well as defensive measures: people, processes and technology. Our people are one of the biggest targets today, but they are also our ultimate defenders and require investment in training and situational awareness to maintain a strong defence. Processes can introduce vulnerabilities if not adhered to, but are critical to our ability to efficiently detect and respond to the threats we face. Technology is used to support our people and processes.
All three components are as important as each other in achieving effective security. Implementing changes using the 80/20 principle allows us to reduce 80% of an organisation’s information security risk with 20% of the effort by focusing on what is most vulnerable and easiest to mitigate.
Our approach is not “one size fits all”, and whilst we recognise security frameworks including the DSP are available to underpin better security controls, it is important to create a sustainable and measurable state of security that is appropriate to your organisation’s resource and skills.
Security frameworks are designed to give an organisation a reference in achieving best practice security; however, it’s also important to remember that IT maturity and cyber security is not a tick-box exercise, but instead a moving target and an ongoing process of measurement and improvement as new threats and best practices emerge.
A good next step is to talk to one of our advisors to understand how we can help you to achieve ongoing compliance with the DSP whilst taking advantage of the Microsoft O365 Software suite.
A no obligation call will help you understand: