NHS Trusts must step up cyber security ahead of Data Protection and Security Toolkit deadline

AJ Thompson, CCO at Northdoor plc, highlights the need for NHS Trusts to demonstrate GDPR compliance and protect its infrastructure ahead of the new Data Protection and Security Toolkit (DPST) deadline

The healthcare sector handles some of the most private and sensitive personal data across its infrastructure and patients have the right to expect that information will be protected. However, targeted breaches and data loss incidents are becoming more common with the NHS suffering several high-profile incidents in as many years.

Healthcare organisations increasingly rely on suppliers and other third-parties to facilitate billing, data management and infrastructure, clinical services, and the handling and processing sensitive Personally Identifiable Information (PII), from National Insurance and financial records to patients’ conditions and diagnoses. With the volume of electronic medical data travelling across these potentially unsecured third-parties, healthcare organisations are facing unprecedented risk from cyberattack.

The NHS at risk

Most recently Healthcare organisations have been attacked by cybercriminals seeking to exploit the COVID-19 pandemic, according to the National Cyber Security Centre (NCSC). The news follows action taken from the Secretary of State for Health and Social Care, Matt Hancock, giving the NCSC extra powers to obtain data from NHS IT systems.

The NCSC has said that many of the attacks have been in the form of “password-spraying” where hackers guess commonly used passwords in order to access accounts. NCSC has urged NHS staff and third-party suppliers to change all passwords to three randomly generated words to help protect systems. It has also advised that two-factor authentication should also be implemented to help reduce the threat from hackers.

Worryingly, this is not the first the NHS has come under attack. The Wannacry attack in May 2017 crippled systems throughout the NHS led to a series of reports, analysis and soul-searching from inside and outside the organisation. The attack, though effective, was relatively unsophisticated and the apparent ease at which it entered and spread throughout the organisation highlighted the vulnerabilities that remained within the NHS, with the health service’s old IT was cited as a key factor.

The huge media focus on the Wannacry attack almost masked some of the everyday issues impacting the NHS’ cybersecurity efforts. The ‘Orangeworm’ attack group has developed malware specifically to target healthcare organisations and its suppliers to steal valuable and sensitive data. In April 2018, NHS Trusts were issued with a ‘high severity’ cyber alert when 200 NHS devices connected to the internet were compromised – but 80%of those Trusts who were contacted didn’t respond.

All of this is made more remarkable when one considers that despite the fact that the NHS is in the top five employers, globally, its IT arm, NHS Digital has only 18-20 cybersecurity experts, monitoring and managing all of the devices and threats that fall under their umbrella.

The NHS, like many other organisations, have so far only prepared to invest only up to a point in their cyber defences. Building the defensive walls slightly higher than they were at the time of the original attack, is considered to be by some, the best way of enhancing their defences. This, of course, does not take into account the fact that hacker groups are often two or three steps ahead of defences at all times. Building your walls slightly higher and sitting beneath hoping for the best is no longer the right or most cost-effective approach.

With the Department for Health and Social Care extending its deadline for NHS Trusts to comply with its Data Protection and Security Toolkit (DPST) to the 30^th September, now is the time for Trusts to act; demonstrating GDPR compliance and protecting its infrastructure. Although It is understood that for many Trusts this will be a very new process.

NHS Trusts need to look towards agile IT and Software providers who can help them with to become cyber secure. Through the use of privileged access management, Trusts can certify that all employees are adhering to specific rules when creating passwords. This seemingly simple feature plays a big role in safeguarding the NHS network.

Privileged access management strengthens the overall security of a system. By providing individual accountability for all privileged users alongside gaining the ability to review privileged sessions is an invaluable asset. Implementing strong privileged access controls provides the ability to monitor actions and enables potential threats to be pinpointed easily. In the long term, your business becomes compliant, secure and efficient when it comes to monitoring, identifying and mitigating against cyber security risks.