At a recent edition of HTN Now we were joined by Tej Gudka, Head of Cyber Security at NHS Arden and GEM Commissioning Support Unit (CSU), for a discussion on the importance of cyber security.
To begin, Tej offered context around the importance of cyber security by examining recent news headlines regarding the issue, such as the hacking of former Prime Minister Liz Truss’s mobile phone. He noted that healthcare organisations in the UK can experience “over 700 attacks a week”.
Tej added that the COVID-19 pandemic brought more challenges in this area, with an increase in working from home and more flexible working hours leading to an increase in distractions plus a greater use of digital tools and devices. “All of these together pose a bigger cyber threat on IT infrastructure,” he said.
He described how there are three key elements that offer effective cybersecurity resilience: people, process and technical control. Tej described these as key areas which need to be “tackled holistically to improve cyber defences of organisations and individuals.”
People
Tej highlighted that there are “over a million people working in the NHS, all with varying levels of digital skills, working in completely different environments”.
Cyber security is a collective responsibility, he said, affecting everyone from larger trusts to smaller GP practices and to an extent the voluntary third sector.
“What we need to do as organisations and individuals is to empower the end users who are using our system to make sure they understand the importance of good cyber hygiene,” he said. He broke this down into four key themes: training key staff, awareness and education, changing culture and compliance with processes.
With regards to training key staff, Tej recommended targeting training at specific areas. Boardrooms, for example, “have a pivotal role in cyber security – it’s really important that they fully understand what risks there are to organisations.” He suggested taking a holistic view of this and trying to speak to the whole board as a group. “There is a requirement for NHS organisations for boardrooms to have annual cyber training and there are some toolkits available on the NCSC website to support that,” Tej added.
He also highlighted the importance of providing training in different formats – “not just a one hour session once a year, but to provide information via video, podcasts, intranet, in person. Also, you may be able to get more interaction from people when you’re in their environment, where they feel comfortable.”
For the next area, awareness and education, Tej noted that there are more training packages widely available through NCSC and NHS Digital. “Storytelling is so powerful,” he said, highlighting the value of explaining why something is important, relating it to what is in the news and what it means for healthcare. When people are fully conscious of their roles as custodians of this data and the value it has, it reinforces the importance of maintaining good cyber hygiene.
With regards to changing culture, Tej noted that this has to come from the top and that it’s important that people remain “open, honest and reflective, making sure that we encourage reporting – ringing the service desk when they do have an issue, making sure the service desk staff have the right training material or guidance themselves to offer one-to-one incident training.”
It’s also about learning from experience, Tej noted. “As a team, and as an organisation, we have a monthly cyber committee where we look at lots of information from operational statistics and also feedback from customers to make sure we learn from experience and see how we can better help people in making good choices.”
When it comes to compliance, Tej acknowledged that there are a lot of processes that people are asked to follow, but emphasised the importance of ensuring that they are being adhered to nonetheless.
“There are always going to be exceptions,” he said, such as machines that are not turned on or people on long-term sick or maternity leave, who have their laptops with them. Those laptops are not being patched, but they are not a risk as they are turned off. In these cases, Tej stressed the importance of making sure that “we have a really clear process of how to exclude those situations and ensure that when they do come back, they have some onboarding process to ensure they are updated as soon as they see the network.”
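The exception process Tej describes (legitimately offline devices recorded with a review date, and an onboarding step when they reappear on the network) can be implemented as a patch-compliance report. The code below is an added example, not Arden and GEM’s own tooling; the device inventory, exception register, thresholds and dates are all constructed for illustration.

```python
from datetime import date

# Constructed sample inventory (not real data): last network check-in and last patch date per device
DEVICES = [
    {"name": "LAPTOP-01", "last_seen": date(2022, 11, 10), "last_patched": date(2022, 11, 9)},
    {"name": "LAPTOP-02", "last_seen": date(2022, 8, 1), "last_patched": date(2022, 7, 30)},   # off for months
    {"name": "LAPTOP-03", "last_seen": date(2022, 11, 11), "last_patched": date(2022, 6, 1)},   # back online, unpatched
    {"name": "LAPTOP-04", "last_seen": date(2022, 10, 1), "last_patched": date(2022, 9, 1)},    # stale, no exception
    {"name": "LAPTOP-05", "last_seen": date(2022, 5, 1), "last_patched": date(2022, 4, 28)},    # exception lapsed
]

# Constructed exception register: devices known to be off the network, each with a review date
EXCEPTIONS = {
    "LAPTOP-02": {"reason": "long-term sick leave", "review_by": date(2023, 1, 31)},
    "LAPTOP-03": {"reason": "maternity leave", "review_by": date(2023, 3, 31)},
    "LAPTOP-05": {"reason": "long-term sick leave", "review_by": date(2022, 10, 31)},
}

REPORT_DATE = date(2022, 11, 14)  # assumed "today" for the report


def classify(devices, exceptions, today, max_patch_age_days=30, offline_days=14):
    """Bucket each device for the compliance report.

    compliant          patched within max_patch_age_days
    excluded           unpatched, on the register, and genuinely off the network
    needs_onboarding   unpatched, on the register, but seen again: trigger onboarding
    expired_exception  register entry is past its review date: re-approve or remove
    non_compliant      unpatched with no recorded exception
    """
    buckets = {"compliant": [], "excluded": [], "needs_onboarding": [],
               "expired_exception": [], "non_compliant": []}
    for d in devices:
        name = d["name"]
        patch_ok = (today - d["last_patched"]).days <= max_patch_age_days
        offline = (today - d["last_seen"]).days > offline_days
        exc = exceptions.get(name)
        if patch_ok:
            buckets["compliant"].append(name)
        elif exc and exc["review_by"] < today:
            buckets["expired_exception"].append(name)
        elif exc and offline:
            buckets["excluded"].append(name)
        elif exc:
            buckets["needs_onboarding"].append(name)
        else:
            buckets["non_compliant"].append(name)
    return buckets


def run_report():
    return classify(DEVICES, EXCEPTIONS, REPORT_DATE)
```

Only `non_compliant` devices count against the patching target; `needs_onboarding` and `expired_exception` are the work queue for the service desk.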
Tej also commented on user accounts. “Privileged access is a huge area,” he said, “and it’s really important that those accounts are guarded well. That could be through technical controls and processes, but I also believe in audits and checks as well.”
Along the same lines, Tej recommended a check on weak domain user passwords and password re-use.
Processes
Next, Tej moved on to discuss standards and reviews. The NHS and any organisations that work with the NHS have to meet the standards in the Data Security Protection Toolkit (DSPT), he noted, along with Cyber Essentials Equivalence.
A recent conference provided the update that next summer will bring “quite drastic changes” to the DSPT. “They’re going to be starting to use something called the Cyber Assurance Framework, version 3.1,” Tej explained. “It’s very much an NCSC-driven, government-based standard or framework that I think the NHS are going to be adopting more and more.”
Tej emphasised that policies must be “easy to understand and to find, and they have to be up-to-date”, and that “the important thing is that you do test them.”
You might have a process and a policy that are up-to-date on paper, he added, but it’s also vital to get people together and enact some scenarios. Doing this ensures that the procedures and policies are workable and address the risks and potential threats to cybersecurity. Tej recommended the NCSC’s “exercise in a box” as a “good opportunity to try some of these things”.
He drew attention to the need for regular auditing as a way to make sure that the policies and procedures in place work and are successful. Audits can highlight any potential changes that need to be made, which could involve talking directly to teams to ensure that they understand the importance of their roles within this. “If there are risks found,” he said, “the risk register needs to be updated and the scenario needs to be cited and signed off.”
At Arden and GEM, Tej continued, they work closely with customers to make sure regular vulnerability scans are completed using standard industry tools. He noted that there are central tools like the vulnerability management scanning solution which is offered through the NHS, and added that the NCSC offers systems such as the web check and early warning service.
“It’s becoming more and more important that you enrol into these services,” Tej said, “so that you get daily if not hourly updates on any changes or areas that are weak.”
Technical
The technical side applies more to organisations than to individuals, Tej said, but there are a “plethora of really important facets to ensuring good cyber hygiene and a lot of that comes from preventative measures.”
Firstly he highlighted the role of patching. “It’s really important that end users are encouraged to reboot machines and that there are robust checks and processes in place,” he said. “It can feel like every day that we get notifications from organisations and suppliers to say that they have updates available for systems. IT teams up and down the country are readying these and ensuring that they are included in update cycles that they have for end devices, servers and networks.” That end users and organisations do complete these updates is key; Tej encourages all staff members to reboot machines regularly.
Next, the conversation turned to multifactor authentication methods. “For Arden and GEM staff members, over the last two months, we’ve asked everyone for their NHS mail account to enrol them into the multifactor authentication solution,” Tej said. “I’m really pleased to say that over 90 percent of end users have now done this and we’re working with HR to find out how we can resolve any issues for the last 10 percent.”
Turning to hardening measures, Tej said: “If there are any weak cyphers that are being deprecated, it’s really important to manage and monitor those, mitigate any risks, and where possible, upgrade to a stronger cypher.”
Ultimately, Tej said, there are three facets around the technical side of cyber security to bear in mind. “You might put a technical control in place, for example for an antivirus,” he said, “but it’s vital that you have processes around that to ensure daily checks. And if it goes outside of known target metrics, it needs to be escalated and resolved.”
Advice to minimise cyber risk
Tej then moved the session on to offering tips and advice for staff in order to minimise cyber risks from an individual perspective:
- Choose longer, memorable passphrases and use them only once. “We’re not close to a password-less society just yet, and the way we use our passwords is really important,” Tej said. He recommended using a “three-word passphrase over a password – it’s easier to remember so we can use a much longer password.” When people use hacking tools, he added, it is believed that anything over 12 characters is much harder to crack. The other main advice here is not to re-use passwords, as this can compromise a number of accounts.
- Restart your computer regularly. “I’m encouraging all staff to reboot their machines at least weekly to ensure that the patches are applied to their devices.”
- Act quickly if you think your device or account has been compromised. “If you do see anything untoward, it’s really important to report it. There are so many opportunities that we have as teams to act quickly if people contact the service desk… just by changing the password quickly, you may limit the access a bad actor has on the system and potentially eliminate the risk all together.”
- Listen to your gut. If you receive an email from someone within the organisation asking for a task that they would not normally ask for, it is important to listen to the little alarm bell in your head, Tej commented. He advised taking the time to pause, assess the email, and verify the request through a different channel: in person if possible, or by another method such as a phone call.
- Prioritise your main device. “Many people have access to different systems now, and mobile phones are much faster and can do a lot more,” Tej said, but people should retain the use of desktop devices where they can as these tend to have better security measures in place. In applications such as Outlook, for example, phishing is a major risk concern, but the desktop application has “much more guidance on screen, so if you don’t get many emails from a specific person it will show that – it will ask if this is someone new, or ask whether it is a spoofed email address.” In addition, he said: “Some of the desktop machines have antivirus disk encryption that is connected to central systems; they have a lot more protection than tablet devices running on Wi-Fi.”
- Consider the ramifications. “We deal with sensitive information in our roles and we have a level of responsibility as custodians and users of systems,” Tej said. “It’s important for us in the NHS to defend as one, to think about how that would affect our lives if that account or information was compromised.”
Bringing his session to a close, Tej re-emphasised that cyber security is everyone’s responsibility. Cyber threats to healthcare do happen almost daily, he said, and can affect patient care. The responsibility of keeping good cyber hygiene does not rest solely with IT systems and services, but should be a collective effort.
Addressing the need for growth in digital skills, Tej highlighted how Arden and GEM CSU has tackled this. They have invested in digital-focused skill growth, recruiting two IT security engineers, which has given them “an opportunity to learn and for IT security managers to really support in mentoring and in giving them the skills they need to become the security professionals of the future.” He encouraged more trusts to follow suit and invest in building digital skills internally, to reduce cost and to invest in their own people who share their ethos and vision.
Tej concluded by encouraging NHS trusts and other healthcare organisations to run a campaign centred on cyber security, and signpost staff to resources and information for training purposes such as the NHS Cyber Associates Network.
At that point, Tej took part in a question and answer session which can be viewed on the video below from 34:58.
Many thanks to Tej for taking the time to join us.