The NHS is the world’s fifth largest employer, topped only by the United States Department of Defense, China’s People’s Liberation Army, Walmart and McDonald’s.
Yet it only has 18-20 “suitably skilled” cyber security experts working for its national provider of information, data and IT systems, NHS Digital.
That’s according to Westminster’s Public Accounts Committee, which last week issued a blistering report on the Department of Health and Social Care’s failure and that of its “arm’s-length bodies” to prepare for cyberattacks.
The report came a year after the WannaCry malware hit 80 hospital trusts across the country, as well as 595 GP practices.
Committee Chair Meg Hillier MP said: “I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment. They had not shared and tested plans for responding to a cyber-attack, nor had any trust [Computer Business Review’s italics] passed a cyber-security inspection.”
It has set a June deadline for an update on costed plans for vital security investment, which must include “prioritising and costing actions, setting a clear timetable, and ensuring national and local roles, responsibilities and oversight arrangements are clear.”
Are 20 Cybersecurity Staff Enough?
At the NHS, many critical medical devices were still running unpatched Microsoft Windows XP software last year and were also affected by WannaCry.
These included MRI scanners and blood test analysis devices, a “lessons learned” report from NHS England found in February.
The Committee also highlighted that NHS Digital – the health service’s national provider of information, data and IT systems – itself has only 20 “suitably skilled” cyber security staff. NHS Digital spokesman Karen Faughey told Computer Business Review that the numbers were augmented by contract staff.
“NHS Digital currently has around 18-20 permanent staff in our cyber security team. This function is supported by supplier contracts and services to provide additional expertise and specialist services. During periods of high demand, we are able to supplement the team with contracted specialists.”
NHS Digital did not respond to a question about whether it has struggled to recruit more security staff, amid well-recognised industry shortages.
Andrew Beckett, MD of Kroll’s cybersecurity and investigations division, said: “Most organisations have begun to invest in plans [to combat ransomware], but, like the NHS, failed to communicate them across the business and prepare subsidiaries and senior executives outside of the security and IT departments for such threats. As outlined in this report, it is crucial for businesses to not only have a plan in place but to conduct simulations and test their plans before an attack takes place.”
Honeypot to the Bee
With recent reports demonstrating the extent to which cyber attackers are now automating up to 80 percent of their hacking processes, getting security wrong can lead to problems within hours – sometimes, seconds.
One recent analysis, which involved creating a “honeypot” website masquerading as a financial services company, caught a botnet performing the groundwork for human attackers within two hours.
The botnet exploited known vulnerabilities, scanned the network, dumped the credentials of compromised machines on the dark web and created new user accounts, all within 15 seconds.
New Enterprise Agreements the Solution?
Ben Boswell, VP Europe at $10.4 billion technology services provider WorldWide Technology, said that the relationship between software providers and organisations should be governed by a new breed of Enterprise Agreements (EAs).
He said: “In large, complex organisations, it can be difficult to make sure every system is kept up to date – especially those like the NHS, where staff are under huge stress and time pressure. But using software that is no longer supported by the manufacturer effectively puts a target on the back of organisations for malicious hackers, particularly as hacking becomes more automated. The product-by-product approach, where large-scale IT infrastructure is bought on an ad-hoc basis and fully updated infrequently, sometimes only once every decade, leaves organisations incredibly vulnerable to attack.
“One way to tackle this problem is to engage in an Enterprise Agreement (EA), a contract between customer and supplier whereby hardware and software are fully supported on a rolling basis. In recent years EAs have evolved to better accommodate the changing needs of businesses, who are looking for increasing flexibility. Many EAs now include security, network and other hardware support in the same package as well as being available on a pay-by-usage policy. This means firms can accelerate innovation into their IT systems through just one agreement.”
New Approach Needed
Christina Hammond-Aziz, Head of Private Sector at Rainmaker, told Computer Business Review: “Enterprise security needs to be a board-level issue. But it can’t be looked at in isolation and needs to be viewed as part of wider organisational transformation. All supplier agreements should cover support and resilience as a priority. The answer is not so much new enterprise agreements, as putting security at the heart of innovative, technology-driven business models.”
She concluded: “In the wake of Cambridge Analytica and recent state-sponsored meddling, we need more than putting some cash aside to spend on cyber reviews. We need an entirely new approach to using and buying technology within government.”