Security vs cost – striking the right balance


Despite the crippling ransomware attacks that hit the NHS so severely in 2017, NHS Digital is set to reject the recommendations made by its CIO, Will Smart, to make vital upgrades to its IT infrastructure. The NHS was particularly badly affected because of unpatched systems and its reliance on legacy technology, and as a result it was simply not prepared to deal with the strength of the WannaCry attack.

It will come as a surprise to many that the upgrades have been rejected, but with costs totalling between £800 million and £1 billion, the upgrades are reportedly not seen as "value for money". However, Stephen Gailey, Solutions Architect at Exabeam, questions whether NHS Digital really believes it can operate a modern online organisation without adequate security:

“It seems inconceivable that NHS Digital would arbitrarily decide not to implement the security recommendations of its own CIO. The fact that it is doing so on the basis of a vague and undefined statement regarding value for money seems equally questionable, given the security incidents the NHS has suffered in recent times. NHS digital needs to back up this rejection with some hard analysis and needs to provide its own security improvement plan for scrutiny. Failure to adequately protect NHS patient data is likely to cost the NHS dearly in both fines and legal challenges and distract the organisation from its primary role.”

One of the key flaws the NHS faced was that so many of its devices were either running legacy operating systems, such as Windows XP, or running modern operating systems that were not being patched correctly. Mat Clothier, Founder & CEO at Cloudhouse, believes that overcoming legacy is key to security, and that migrations away from it don’t have to incur costly outgoings:

“It’s understandable that NHS Digital is committed to getting the best deal possible when improving its IT, but when it comes to security, there can be no excuse for outdated solutions, not fit for purpose, in the modern IT landscape. Security best practice will always advise those in all sectors to move away from legacy, unpatched operating systems that are vulnerable to data theft or loss – users of Windows XP, Server 2003 and, soon enough, Windows 7, all face this challenge.

“Thankfully the days of having to rewrite legacy apps not built for modern platforms, which can be both time-consuming and costly, are over. Compatibility containers can now help those in both the public and private sectors deploy a comprehensive approach to data protection and can deliver the migration of mission-critical legacy apps to the safety of a supported OS - without the expensive price-tag. We’ve had first-hand experience of this and have worked with public sector bodies to reduce their migration costs from millions into thousands, and this can make a real difference when achieving IT goals without overspending.”

Simple and cost-effective

As well as moving away from platforms that are no longer supported, there are other solutions that are simple to implement and can also be cost-effective, according to WinMagic’s VP for EMEA, Luke Brown:

“With unrelenting budget pressures, it’s no surprise that the NHS’ main focus is on healthcare technologies, not security technologies. However, when it comes to the protection of data, lack of safeguards – particularly encryption – is one of the most common pitfalls.” Brown also argues that, given the large amount of personal data involved, complying with regulations is a must in the modern world. He continued:

“All sensitive data, whether it is patient details or the patent to your best-selling secret sauce, should be encrypted as a basic security practice. In the event of a data breach, encryption acts as a last line of defence, making data illegible when in the hands of unauthorised parties. Businesses and organisations in the healthcare arena are subject to particularly stringent data privacy and security laws, and with GDPR now in force it’s not getting any easier.”

One of the key findings in the original report on the WannaCry attack was that NHS Digital needed far more visibility over its entire infrastructure, including local trusts. Without this, the ransomware was able to infiltrate NHS systems mostly undetected, and the same type of attack could easily happen again. Paul Parker, Chief Technologist for Federal and National Government at SolarWinds, believes that visibility should be a priority:

“Attaining visibility requires some form of overarching network monitoring, which does not need to be an expensive or complicated solution. This would enable IT leaders to pull together information about the devices being used on the network, including operating systems, current patches, and security protocols, as well as any malicious traffic targeting the system, all in a single program.

“Using software like this, NHS Digital would have full visibility of its entire network, and could provide recommendations and guidance on security vulnerabilities, as well as taking proactive next steps towards a more secure infrastructure. In an absolute worst-case situation, like we’ve seen previously, they could still perform a damage assessment and quickly identify a root cause without investing too heavily in additional, expensive solutions.”

A stark warning

One of the key challenges the NHS faces is bringing together such a large network of machines, connected devices and databases; overcoming this challenge will be key to improving security, believes Anurag Kahol, CTO at Bitglass:

“The UK healthcare sector is greatly fragmented – the governance structure is a confusing mass of public and private organisations interacting with contractors and patients. Combined with the rapid digitisation of patient records in recent years, it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe. This has led to the sector as a whole becoming one of the most popular targets of cyber-attacks.

“On the one hand, healthcare data is itself a highly lucrative target for attackers, with reports suggesting that stolen medical records are much more valuable than stolen credit card details. On the other, healthcare organisations have also become a popular target for ransomware attacks. With patient care potentially at risk if there are any delays in accessing data, these organisations are often likely to pay a ransom.”

Kahol also believes that more is on the line than just keeping services running; data loss, and in turn the trust of the public and employees, is at risk if security isn’t up to scratch:

“The NHS simply must prioritise data security if it is to maintain the trust of its employees and patients. The crux of the matter is that we’re talking about personal health information and personally identifiable information data here – that’s all the personal health and identifiable information that someone might need to commit crimes or steal a person’s identity.”

The WannaCry ransomware attacks were a stark warning to those who became victims quite so easily, and many have taken this into account and improved their cyber security procedures. The NHS finds itself in a difficult position - it knows what it needs to improve and how to do it, but the financial outlay is seen as too steep. A solution to this must be found, as those behind attacks such as WannaCry will keep making their attacks more sophisticated and more damaging in the future, and with the NHS so reliant on IT, inaction simply isn’t an option.

Stephen Gailey, Solutions Architect, Exabeam
Mat Clothier, Founder & CEO, Cloudhouse
Luke Brown, VP for EMEA, WinMagic
Paul Parker, Chief Technologist for Federal and National Government, SolarWinds
Anurag Kahol, CTO, Bitglass
Image Credit: Marbury / Shutterstock