NHS email system needs to be more resilient

Gareth Lewis discusses how the NHS email system underpins communication between doctors, nurses and health professionals across the country every day, and what happens when it fails?

Everything from the day-to-day internal sharing of staff rotas, patient documentation, as well as external communication with consultants, supply-chain partners and patients. But this means that maintaining a secure, reliable email system is vital to support front line service provision and patient care.

Unfortunately, the service recently suffered a complete outage, which left all 1.2 million staff without access to their email accounts. Staff were frozen out of the accounts and prompted for their password, with many of them locked out after making multiple login attempts.

WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure.

NHSmail, which is run by Accenture, currently makes use of a hybrid mix of Microsoft Exchange and Skype for Business (for audio and video calls) and is confined to NHS employees and organisations commissioned to deliver healthcare services. NHS Digital announced earlier this year that they also plan to launch an NHSmail and Office 365 hybrid service. The intention of this service would be to provide a tighter integration that would allow data to be more readily and securely shared between healthcare organisations.

Yet as the NHS looks to move to Office 365, it may be the right time to reconsider the resilience options for all cloud services.

Email is important for every organisation, but even more so when critical and timely information is being shared that can disrupt clinicians’ workflows and patient care. No-one will argue against security updates to help fight the growth of email impersonation attacks, but this NHSmail outage is a clear reminder that often assisted by human error, IT can always go wrong.

This is why there needs to be plan B for when a primary email provider goes down.

Otherwise, there’s also a risk some employees could use unsanctioned tools to get the job done, thus introducing further uncertainty and exposing users to further vulnerabilities. All organisations need a robust continuity plan for email so it stays up and running regardless of any future incidents.

This year there have been a number of significant incidents affecting Office 365 continuity, the most recent being a series of multi-factor authentication issues plaguing Azure and Office 365 users.

This followed the global outage in September when a lightning strike near one of its San Antonio data centres caused a voltage surge. This forced a power-down when cooling equipment failed, triggering an Azure outage locally and issues with Office 365 globally.
Any single cloud service will continue to have service outages. Sometimes these will be very disruptive because they affect an entire region. Other occasions may only see some customers or groups of employees affected. But outages can and will occur. The risks don’t stop with service continuity either. Hosting all your email and data with a single vendor raises important questions about back-up and data assurance.

WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure. Organisations can also learn from the new NIS Directive. This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organisations can continue to operate during an attack and get back up on their feet quickly afterwards.

NHS Digital and public sector leadership face a stark choice for the future. Do they continue to iterate and improve their own centrally-delivered ‘black box’ by building their own independent email continuity service? Or do they explore opening up the service to a more standardised cloud-to-cloud model that offers more choice and control?

Minimising the impact of attacks should be a top priority as a defence-only strategy is doomed to fail. This should include regular ‘cyber drills’ for all employees to respond to and recover from. Cyber resilience in the hospital or office needs to become as ingrained as buckling up a seatbelt on the drive to work.

It’s vital that that short-term memories and political distractions do not derail focus from these important initiatives.

The only way to mitigate these new risks is to adopt a strategy of cyber resilience that brings together threat protection, durability and recoverability. We’ve seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation, but still more needs to be done. This includes email and web security tools to help prevent new strains of ransomware and awareness training for all employees to counter increasingly hard-to-detect social engineering.

The proliferation of sophisticated cyber weapons and concentration of risks within a small number of global cloud providers is rapidly creating a greater risk to the UK’s security and GDP. This is essentially the majority of organisations all putting their eggs into the same basket as each other.

Future action needs to begin to address this. It’s vital that that short-term memory and political distractions do not derail focus from these important initiatives.

Gareth Lewis

Head of Public Sector & Defence

Mimecast