Is the UK health system underfunded and underprepared?

The recent cyber attack on Synnovis – a company that provides diagnostics, testing and digital pathology services for hospitals, GPs and other NHS healthcare providers – has highlighted the vital importance of cybersecurity and the potential disruption supply chain organisations can cause.

Consequently, to minimise future disruptions, the Labour government has introduced a Cyber Security and Resilience Bill. While this is a step in the right direction, before enhancing cybersecurity, the government must first ensure that the NHS receives the necessary funding to modernise its IT infrastructure.

Arguably, while the significant disruption across the NHS caused by incidents like the Synnovis attack and the CrowdStrike outage – the largest outage in history – are not the result of strained budgets, some healthcare organisations do struggle to make the necessary investments in cybersecurity when the priority lies with bettering patient outcomes.

While the NHS Chief Executive has warned that there is no financial headroom this year following a £22bn deficit in the nation’s finances, it is imperative for the government to prioritise and allocate increased funding to the NHS or else take a risk with the country’s healthcare.

The importance of adequate funding

The Cyber Security and Resilience Bill is a good start towards better cyber defences. However, it overlooks how critical it is to dedicate adequate funding to public service IT operations, including cybersecurity. The reliance of UK public service organisations on outdated IT systems and insufficient resources for basic cyber hygiene make it an easy target for cyber attacks.

Enlisting the latest AI-enabled cybersecurity technology without first preparing IT foundations is a misstep many organisations make. Existing architectures and systems must first be interoperable in order to integrate new software into the infrastructure. Without taking the first step to overhaul and modernise legacy systems, we essentially plaster over the cracks that will inevitably appear.

The UK government faces a tough challenge here, particularly considering that the volume of cyber attacks on critical infrastructure is on the increase. To prevent potentially catastrophic breaches like those we have witnessed across the NHS in recent years, officials must make funds readily available for critical infrastructure organisations like the NHS, to build cyber resilience and protect its citizens.

The value of our health

There are various industries under particular threat from cybercriminals with nefarious agendas. Telecommunications is a core industry that criminals can use to gather and sort information that provides intelligence on individuals and organisations. Transport is critical infrastructure, but it’s now rooted in IP (Internet Protocol) which lays out the location of vehicles, containers, delivery addresses and tracking systems among other sensitive information. This crosses over when you think about healthcare and the emergency services. Blue light services like ambulances are also at risk of being hacked and derailed if not protected properly but healthcare overall is essentially a high value data industry.

Healthcare organisations handle extensive personal health information, comprising medical histories, lab results, and insurance details. This data is extremely sensitive, potentially embarrassing and holds significant value for cybercriminals. The risks are further amplified by the growing connectivity within healthcare systems, where patient data is shared across networks and accessed through various applications, including APIs (Application Programming Interfaces). Hence, protecting sensitive patient data is the top priority in the healthcare industry.

Enabling digital and physical health

Maintaining confidentiality in healthcare involves ensuring the security and privacy of electronic data. To do this, NHS trusts need tools. However, with limited budgets in place this can be a challenge.

In this situation, using technology that is multifaceted rather than solely focused on security offers the ability to monitor security but also document compliance, while providing visibility into performance and availability.

Additionally, trusts would do well to collect the data that matters. Collecting reams of data with limited tools will only serve to overwhelm systems and professionals. The NHS should first determine its risk tolerance level and then seek to collate data from a minimum of six areas – Identity and Access Management, Audit and Accountability, Continuous Controls Monitoring, Configuration and Change Management, System Communications and Protection, and Incident Detection and Response. Minimising the data collected allows for better governance of that data.

The use of forensics from previous attacks also provides an insight into the vulnerabilities of systems. Reviewing the details of past cyber breaches is a great way for organisations to examine their security posture to find gaps that need filling with tools, processes or people that can reinforce their cybersecurity strategies.

Considering the vast amount of information contained in a single electronic health record, it’s no surprise that they continue to be a target for cybercriminals. Unfortunately, despite an organisation’s risk posture, a cybersecurity event, to varying levels of severity, is inevitable. In those instances, properly collected event log data can provide visibility into the hackers’ journey through infrastructure, networks, devices and software.

While there are some preventable steps that healthcare organisations can take to protect their patients’ trust within critical infrastructures, ultimately the robustness of a cybersecurity posture depends on the intricacy of the policy, the depth of the strategy, and the accuracy of the tools implemented. The strategy is free, the implementation however, is priceless. Our new Labour government would do well to bear this in mind while considering the UK’s digital future and its safety.

---

Ross Brewer is VP and Managing Director EMEA at Graylog.