Professor Gives Evidence on Cyber Security and Health Care at Scottish Parliament

Date posted

20 June 2017

Professor Bill Buchanan was invited to present evidence to the Health and Social Care Committee on Cyber Security risks within Health Care in Scotland. He gave evidence on 20 June 2017 and the recorded version is here:

The recent outages at British Airways and Capita, and with the ransomware attack on the NHS, we see how highly dependent on information infrastructures, and that they may not be as robust as we expect. A few possible recommendations for the NHS in Scotland would be:

• The NHS in Scotland needs to fully understand its key risks, such as for a large-scale power outage, a Distributed Denial of Service (DDoS) attack, malware infection and large-scale data loss.
• Provide investment for the creation of dynamic, robust and secure architectures which can cope with major threats, including for sustained power loss, distributed denial of service (DDoS), malware and large-scale data loss.
• Disable all unnecessary services on devices within the infrastructure, and reduce networked access from devices which are untrusted.
• Implement a software patch strategy which rolls-out updates when serious vulnerabilities are identified.
• Provide clear communications strategies for the reporting of incidents, along with mitigation strategies.
• Implement a minimal rights policy for the access to any system or the data infrastructure, and then define where rights are granted based on the provision of the correct credentials.
• Protect sensitive data through encryption and control access.
• Segment the network infrastructure and provide multiple layers of security.
• Provide guaranteed service levels for the recovery of services for a range of threat levels and for key risks (such as DDoS, malware, and large-scale data loss). These should be measured in times to recover the service, and in terms of their impact on the patient pathway.
• Provide an open review of the current architecture for health and social care, and understand critical points of failure.
• Provide funding support for innovation within an overarching health and social care architecture, and which is defined by a centralised trust and governance policy.
• Centralise trust, policy, governance and consent within a secure and robust management infrastructure, and support with 24x7 monitoring and incident response teams.
• Train staff for scenarios for awareness in coping with Cyber Security threats, including for large-scale power loss, denial of service, malware spread and large-scale data loss.
• Move towards a virtualised infrastructure, and do not allow any unpatched computers to connect into the NHS networked infrastructure.
• Implement penetration tests, and technical audits for the NHS from external agencies, and identify weaknesses. This can provide a rating system for key services.
• Provide an open forum for the discussion of ideas for cyber security within the NHS.
• Identify legacy systems and migrate towards modern practice, including with the usage of VPNs and multi-factor authentication.
• Build systems based on a white-list of trusted systems, and where all other connections and systems are not trusted.
• Support external scans of NHS systems for attack routes and data exposed to the Internet.
• NHS should support full failover support, including for warm site support (with backup systems ready for operation within less than an hour) and for cold site support (the complete rebuilding of key infrastructure on a large-scale outage).
• Implement scanning of networked traffic for known malware, and block access to known malicious sites, such as for Tor traffic.
• Create a formalise policy infrastructure which maps systems and people into roles and then maps these roles to the rights of access to systems and services. Access to systems will depend on the provision of the correct identity attributes, otherwise there will be no access, by default.

The main lesson we have learnt from the ransomware attack is that there is a complete under investment in the delivery of an IT infrastructure in the NHS. The days of technicians plodding along with updates for desktop computers have gone, and centralised security policies and updates are a core part of most modern infrastructures. The concept of segmentation and defence-in-depth of part of the networks, too, are all a core part of a modern architecture, especially in making sure that key services keep running.

But all along we need to remember that we want to make the patient journey as safe as possible, and to make the best use of the precious resources.

With GDPR coming up, organisations such as the NHS will have to be more transparent about their infrastructure and the practices they use, as a large-scale breach could result in significant fines. Only in the NHS could we see over £15 billion spend on an IT infrastructure (Connecting For Health), and for nothing to result.

The under investment in health care IT in the UK, will not be fixed by purchasing lots of new computers and upgrading their operating systems. The infrastructure needs a radical redesign of health and social care services, with a long-term commitment from Government to use the best practice from industry and apply into health and social care.
The lack of integration across the different stakeholders involve with health and social care is one thing that needs to be addressed in any new plan, and how we can still respect the rights of privacy of individuals, but understand how we can best use data for their care and support.

In health care, especially, we have to be more open about future plans, and have a continual modernisation plan which more tightly integrates disparate systems, and brings them together in a secure infrastructure, while looking towards the future of on-line provisions. The citizen should be at the centre of this design! 

At present the NHS struggles to cope with creating a fit-for-purpose range of services for its own staff, and the concept of the citizen being part of this is still something which it is struggling with. Resilience, too, will be a core element, as a loss of service could lead to a loss of life.
After the recent headlines, it is now time to take stock of the current state of cyber security within health care, and look at new ways of improving the access to health and social care systems.

Cyber Security thus provides a core part of this, especially in creating trustworthy systems which put the citizen at the core. We must all take a part in supporting these developments, and allow data to flow, while minimising risks of data breaches and outages.