Industry
Healthcare (NHS)
Safeguard patient information, ensure privacy, protect patient data, and provide continuous validation, identity management and zero-trust environments.
Introduction
Established in 1948, the National Health Service (NHS) is the cornerstone of healthcare provision in the UK. It is one of the largest employers in the world, with some estimates putting it as high as the sixth biggest, only behind the Indian Ministry of Defence, the US Department of Defence, the People’s Liberation Army of China, Walmart and Amazon.
With an annual budget in excess of £180 billion, the NHS operates on the front lines of the cyber threat landscape. Decades of accrued data, combined with an ageing IT infrastructure, have made the NHS an easy target for cybercriminals. The UK Government’s Cybersecurity Strategy for Health & Social Care, aims to coordinate cyber resilience across the system, ensuring services are better protected from cyber threats and securing sensitive information. The target delivery date for this is 2030. It’s fair to say that the NHS’ cybersecurity initiatives have come a long way since the WannaCry ransomware attack in 2017, but there’s still a lot more to be done.
Industry Overview
Every sector has been transformed by technology, and the NHS is no different. Over 40 million people now have an NHS login, helping them book appointments, track referrals and order medications online. More than an enabler to provide more efficient, accessible and personalised care, technology is revolutionising the NHS. From Electronic Healthcare Records (EHR), digital health apps, telemedicine, digital imaging and diagnostics, robotics and more, technology underpins healthcare today.
It’s widely recognised that the NHS is under immense pressure. Technology plays a significant role in tackling some of these pressures. As an example, digitally mature trusts operate with approximately 10% improved efficiency, compared with their less digitally mature peers.
Ultimately, good healthcare is integral to our welfare and survival. Our healthcare records are confidential, and our lives depend on health professionals being able to reliably and securely access systems to provide that care. There are very few industries that have such a direct impact on our welfare, and this very fact presents challenges, including the need for robust data security. It is vital that the health and care sector has the tools it needs to better protect patient’s information.
Market Trends & Statistics
The complex nature of NHS technology infrastructure and its reliance on many interdependent systems, including those of third parties; lie at the heart of the challenge of keeping devices, services, networks, and the information on them secure from theft or damage.
The ransomware attack against software and services provider Advanced is a prime example of this challenge. In August 2022, cybercriminals took-offline seven of Advanced’s health systems, including software used for patient check-ins, medical notes, and the NHS 111 service. Products affected include Adastra, used by the NHS 111 service, and Caresys and Carenotes, which provide the backbone for care home services like patient notes and visitor booking.
Another example is when NHS outsourcing firm Capita was the victim of a ransomware attack in March 2023. NHS staff had to resort to pen and paper as they were locked out of their IT systems. As a direct result of the attack, NHS England reported a breach of patient data.
Challenges & Opportunities
- Supply chain vulnerabilities – highlighted by the Advanced and Capita cyber attacks, the NHS is vulnerable to supply chain risks through its technology partnerships. All of these partners, in turn, have their own supply chains, creating multiple layers of risk.
- Legacy technology – As technology progresses, support for older systems dwindles, which can result in vulnerabilities in older software and hardware not being fixed. This makes them a prime target for cyber attacks.
- Sector size – The sheer size and diversity of the sector make it challenging to set standards that can apply to all. This is a critical issue where sensitive and personal data is being shared across organisations.
- Vast cyber threat surface – The distributed nature of modern healthcare provision, embracing cloud, mobile working, public-private partnerships (PPPs) and distributed environments, delivers some of the most complex cyber threat surfaces in the UK.
As digital infrastructure within the NHS continues to evolve at pace, the sector’s vital risk management requirements and heightened data privacy duties necessitate a greater focus on ensuring the right cybersecurity mitigations are in place to support long-term, sustainable digital transformation.
Regulations & Compliance
UK health and care organisations are now at the point of having to formalise historic ad-hoc cybersecurity initiatives and ensure compliance.
It is expected that they implement the 10 National Data Guardian (NDG) standards for data security as laid out in the NHS Data Security and Protection Toolkit (DSPT). This includes: meeting defined expectations for the protection of personal data in all formats, clearly defined data guardian roles, staff cybersecurity training, least privilege access to data, process/threat reviews, defined incident response processes, continuity planning, decommissioning of unsupported systems, an IT protection strategy and supply chain cyber awareness.
The DSPT is a self-assessment tool that enables organisations to measure and publish their performance against the NDG standards, which are designed to protect sensitive data and also protect critical services that may be affected by a disruption to critical IT systems, such as in the event of a cyber attack.
Looking for cybersecurity peace of mind?
Conclusion
BlueFort is at the heart of NHS cybersecurity modernisation efforts. We are working with more than 50 individual NHS trusts and bodies to consolidate their cybersecurity posture and meet the demanding new DSPT guidelines.
Using BlueFort’s standards-based framework of Continuous Cyber Discovery, Validation, and Control, we are able to help NHS clients navigate this minefield with simplicity and confidence.
BlueFort’s tightly integrated security disciplines make NHS security environments fit for purpose by prioritising assessment, consolidation and optimisation.
See how BlueFort can help you simplify your cybersecurity
How we helped Leeds Teaching Hospital with a challenge that faced them in this industry
An ever-increasing volume of cyber threats, combined with having to keep on top of the requirements of NHS Digital and NCSC’s cybersecurity directive was becoming a significant challenge for the Trust’s IT and security teams. Find out how BlueFort was able to support this NHS trust to become compliant and improve their overall cybersecurity posture.
