In a rare victory for the NHS over cyber criminals, the North Bristol NHS Trust thwarted a phishing attack in February that, if successful, could have compromised over 800 staff e-mail accounts.
In a statement to the press, Neil Darvill, executive director of informatics at North Bristol NHS Trust, said that the trust’s internal cyber security teams were able to thwart the phishing attack in February and thereby protected sensitive Trust and patient information.
Even after last year’s WannaCry ransomware outbreak had been contained, several NHS trusts and hospitals continued to face fresh attacks from cyber criminals looking to get their hands on sensitive patient information or to force hospitals to pay a ransom to recover their encrypted files.
NHS England has taken a number of steps in the last few months to ensure that NHS institutions will be able to ward off future WannaCry-like attacks and safeguard the security of hospital and patient data. However, issues still remain.
NHS still far from secure
In February, while addressing the public accounts committee at the House of Commons, Rob Shaw, deputy chief executive at NHS Digital, said that as many as 200 NHS trusts assessed by the Department of Health had failed to meet the cyber security standards essential for defending against sophisticated cyber attacks in the future.
“The NHS is currently facing a number of challenges. Not only is it being called upon to modernise, reform and improve services to meet the needs of ever more complex, instantaneous patient demands, it is also facing an ever mounting threat from cyber criminals operating in groups that are much more agile than the NHS itself,” said Rob Bolton, Technology Director and GM for Western Europe at Infoblox.
“This spans not only technological environments, but processes and the people that have access. Because of this, it is not really a surprise that NHS trusts are struggling to pass cybersecurity tests. Our recent research found that 1 in 4 UK healthcare IT professionals do not feel confident in their organisation’s ability to defend against a cyberattack.
“In order for the NHS to effectively defend against cybercrime, IT teams need to carry out regular overviews of their systems, making sure they identify all vulnerable systems, have efficient processes for identifying and remediating weaknesses, and have the ability to recognise malicious activity across their network.
“It is also vital that all trusts have a plan in place to deal with a cyberattack relative; external communication to the public and ransom demands are very much a part of this. Minimising disruption is key to ensuring that organisations can continue providing essential services to patients,” he added.
Plugging the gaps
In order to help the NHS comply with recommended cyber security standards, the government announced an investment of £21 million last year to boost the cyber-resilience of 27 NHS major trauma centres as an ‘immediate priority’. At the same time, the government said it would invest a total of £50 million to address key structural weaknesses in the health and care system.
The government directed NHS Digital to use these funds to support new data security standards and to introduce health and care organisations to tools that can identify potential vulnerabilities. The government also pledged to work with NHS institutions to assess whether existing frameworks such as Cyber Essentials Plus and ISO 27001 will meet their particular needs.
In October, NHS England also announced new 2017/18 Data Security and Protection Requirements to help healthcare organisations in the UK prepare for a new assurance framework coming into force from April 2018.
In November, a Custom Support Agreement between the NHS and Microsoft allowed Microsoft to supply custom security updates for PCs in NHS hospitals, clinics and trusts that were still running older, out-of-support versions of Windows.
Microsoft’s services include an Enterprise Threat Detection (ETD) service, which analyses device telemetry in real time to identify threats. Microsoft would also advise the Cyber Security Centre of Excellence for Health and Care on specific areas such as patch management, in addition to providing immediate response to cyber security incidents.
As part of the agreement, Microsoft is also supporting the migration of all legacy systems, including those running Windows 7, to Windows 10 in the near future. Microsoft is set to withdraw general support for Windows 7 devices from 2020.