Has the NHS sacrificed cybersecurity for convenience?

Written by Matt Lock on 1 September 2017 in Opinion

Matt Lock of Varonis argues that an increase in connectivity has left health-service IT vulnerable

May’s WannaCry ransomware attack was a wake-up call like no other. Affecting numerous hospitals across the UK, the cyberattack managed to bring critical services to a standstill; non-urgent operations were cancelled, doctors had to resort to using pen and paper; and patients at some hospitals were advised not to attend A&E departments. 

The scale of the attack has highlighted how a trend towards accessibility, and an increasingly interconnected network, can pose risks, at a time when we’re more reliant than ever on digitised services.  When critical services, including A&E departments, are compromised in this way, we need to take stock and apply the lessons of how to better protect the systems which keep our health service running.  

Connectivity is King 
In the post-mortem following WannaCry, factors such as lack of investment and staff training were cited as the causes behind the debilitating impact to services. Certainly these play a part, but we also need to look more closely at how the systems within hospitals are designed in order to diagnose why, when the attack struck, vital services were suspended so quickly. 

Key to this is that, in recent years, there’s been a trend towards improving accessibility and integration of systems and data so that information can flow freely. The digital transformation that’s been core to the delivery of services brings convenience, but this shouldn’t be at the expense of security. 

Related content​

This approach means that the attack surface expands: when an attack like WannaCry strikes, the shockwaves are felt more widely across the network, and ransomware can spread quickly across interconnected systems. It meant that A&E departments which, in the past, would not have been connected to other hospital systems, were affected.  Added to the challenge is that we’re building on ageing, legacy systems with unpatched and out-of-date software which poses a significant risk.  These are exactly the vulnerabilities that attackers will exploit. 

Essential services should not be vulnerable in this way: we need to isolate critical infrastructure with air-gapped networks that are not connected to the internet, or to any devices that connect to the internet. This reduces the risk vector and means that, when at attack strikes, the impact can be contained.  

We also need to ensure that we get better at protecting the data itself.  When access to data isn’t managed or monitored, organisations are at far greater risk from cyberattacks.  In the case of ransomware, for example, if the compromised individual has global access rights, all the data that they can access will be encrypted.  Setting ‘least privilege’ models for access, so that only those that ‘need to know’ can access sensitive data, ensures greater level of security and protection for personal data. 

If we are to improve security we need to learn the lessons from these attacks; protecting the perimeter is not enough. As the ransomware epidemic will continue to grow, we need to re-examine how we protect vital systems once an attack has breached the outer security defences.       

About the author

Matt Lock is director of sales engineers at Varonis 

Share this page



Add new comment

Related Articles

Most hospitals still reliant on hundreds of pagers
11 September 2017

Report finds 93% of increasingly outdated devices still active in the UK are owned by hospitals

“Unacceptable & inexcusable”: council hit with £70k fine for leaving vulnerable people's info wide open
1 September 2017

Watchdog finds that Nottinghamshire County Council failed to keep personal data - including care needs and postcodes - safe

Probe launched into leak of more than 500 junior doctors' personal details
3 August 2017

Union BMA commends trust on swift response to leak of trainee GPs' details but calls for thorough investigation 

Related Sponsored Articles

Why field service management is vital for public sector organisations
18 September 2017

Kirona explains what field service is and why public sector organisations need to implement an effective field service management solution