Cybersecurity: Don’t let the small stuff cause you big problems

If hospitals don't take cybersecurity seriously, a series of small issues could be as bad as a major cyberattack like WannaCry, warns NHS Digital chief.
Written by Danny Palmer, Senior Writer

Healthcare providers risk 'death by a thousand cuts' if they take a poor approach to implementing cyber security and protecting networks and patient data.

The UK's National Health Service employs 1.2 million people and is currently in the midst of a drive to offer a more digital form of healthcare: fewer doctors and nurses carrying pens and paper, more with access to digital health records, and patient after-care via apps. But security has a central role to play.

"Those organisations which are successful in their transformation journey are those which make cybersecurity and data protection an obligation from the board to the bedside," said Daniel Jeffery, head of innovation and delivery at NHS Digital, the driving force behind information technology transformation in England.

"Everybody in the organisation knows what they should be doing, what they need to do, how to treat data in that respect and the security elements with that," he said.

It's small, simple things which can make a big difference, Jeffery told the audience at at LORCA Live 2019, a cybersecurity conference in London. He cited little things like not writing usernames and passwords on post-it notes and sticking them to screens, or simply making sure data is backed up.

The key is to realise the opportunities from the digital revolution from a health and care perspective, but also making sure security is built in from the beginning Jeffery said. "Ultimately, cybersecurity is an enabler of the digital revolution," he added.

The NHS has already been an unwitting case study about modern security threats: the WannaCry ransomware attack.

While WannaCry was a global campaign – classified by the UK's National Cyber Security Centre as a category 2 cyberattack, only one level down from a national cyber emergency – the NHS was particularly badly hit and the organisation's response has been met with criticism.

"There are two ways in which trust can get eroded for health and care. One is a massive, huge tier 1 or tier 2 type breach – the other is death by a thousand cuts," said Jeffery.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

Organisations of all sizes in all sectors need to have a cybersecurity strategy, but for healthcare, it's particularly important. Not only do IT networks within hospitals and doctors' surgeries need to be accessible and secure in order to provide patient care, these networks involve medical information – some of the most sensitive data that can be held about people.

"What's really important is having control over the data and knowing where it is. It's the same issue that's dealt with in many other industries, but to an extra level of duty of care for the people whose data you've got," said Sian John, chief security advisor for EMEA at Microsoft.

"You're talking about privacy: it's one level when you're talking about financial data, it's another level if that's my medical history," she added.

What's important for health organisations as a whole is being absolutely sure how data is controlled and how it is accessed – and making knowing a priority.

"It's about changing the mindset from 'where is the data?' to 'is the data protected, wherever it may be?' And that's encryption, but also anonymisation of data in certain situations. It's really about what control you have on the data and if that's appropriate, over being obsessive over where it is," John said.


Editorial standards