Microsoft Deal Is a Start, But More Needs to be Done to Protect the NHS from Cyber Threats

Following the recent WannaCry attack that affected so many organizations, both public and private, across the globe, many firms are now taking steps to protect themselves from potential threats in the future. One establishment in the UK that the WannaCry attack had ramifications for was the NHS. The incident meant multiple hospitals across England and Scotland had to cancel procedures after vital systems were brought down, with hackers demanding money to release the systems.

Needless to say, with such a high-profile public institution being breached, both media and public interest were piqued and questions asked about how this could have been prevented. Shockingly, it was revealed that many of the NHS networks were still running systems with Windows XP, an out of date operating system that is now highly vulnerable to attacks.

Running critical infrastructure on outdated software is incredibly risky, and needless to say the NHS (and others) paid the price for this. However, steps are now being taken to address this issue. It was recently announced that NHS Digital has signed an agreement with Microsoft to cover all NHS organizations with a centralized framework for the detection of malicious cyber activity, while also providing patches for all current Windows devices in the health service running on XP.

Successful and secure IT is all about investment. All too often maintenance falls by the wayside. Why would you spend money on something that isn’t broken? If the impact of WannaCry isn’t a good enough justification, then what is?

So, this announcement is a positive first step to ensuring the NHS is safe from cyber threats going forward. It goes without saying that ensuring IT systems are operating with the most up to date software is critical to keeping these devices safe and, through working with Microsoft, hopefully, this can be achieved.

However, NHS Digital needs to ensure that it does not consider this partnership as the solution to all its security issues. Simply updating endpoint systems is not enough. Other investments and partnerships are needed to protect the whole IT infrastructure and mitigate security risks going forward.

For example, the NHS should consider taking steps to ensure that breaches don’t occur from within the organization. Data becoming exposed from within firms is one of the primary reasons for cyber-security breaches – the more people who have access, the greater the risk. Research from Clearswift found that 88% of security professionals said they had experienced a security incident, and 73% of those attributed these to employees, ex-employees, contractors and partners. This is an alarming figure, and breaches coming from inside an organization are not going to be stopped solely by updating software to prevent external attacks.

So, what can the NHS do to make sure its systems are secure both inside and out?  Insider threats take many forms but ultimately revolve around the unauthorized movement of data. Therefore, the NHS must ensure that protection is centered on monitoring and preventing critical information from reaching unauthorized personnel. To do this, the health service should look to set up an information governance scheme which prevents data from being accessible and shareable by unauthorized staff. Policies need to be backed up by training and technology. For example, using an adaptive data loss prevention solution to redact critical information automatically to reduce the risk, while not obstructing communication flows, would help improve the security profile. Other adaptive security technology should also be deployed to remove ransomware threats, as well as mitigate other information borne risks. Some of these advanced solutions can be deployed without needing to ‘rip and replace’ what is already there. Clearswift has just launched our Data Protection+ initiative which enables organizations to augment their existing email and web solutions with our Adaptive Data Loss Prevention functionality – even if you don’t have a Clearswift Secure Gateway.

Upgrading systems was a necessity for the NHS following the WannaCry breach and the deal with Microsoft is a start to preventing something similar from happening in the future. However, NHS Digital needs to understand that this isn’t a silver bullet and threats are far wider-ranging than just external hackers. Through ensuring that the systems and processes are in place to protect the NHS from threats, we can ensure that the health system continues to operate smoothly and citizen records are in safe hands, guaranteeing that this national institution is well guarded into the future.