For our latest panel discussion, we explored cyber resilience within the NHS, focusing on some of the strategic challenges in this area around preparedness and recovery. Our panellists also discussed how to embed resilience into clinical, technical, and governance frameworks and make cyber security a priority across the healthcare sector.
We were joined by Hubert Ametefe, CISO at Bedfordshire Hospitals NHS FT; Mike Fell, director of national cyber operations at NHS England; Julian Wiggins, healthcare solution director at Rackspace Technology; and Nasser Arif, cyber security manager for London NW University Healthcare and The Hillingdon Hospitals.
Cyber resilience strategies for healthcare organisations
Our discussion began with our panellists sharing their insights into the strategies every organisation should have in place. “I would start with a more philosophical approach,” Mike suggested, offering the NHS England perspective. “Security and resilience need to be a journey, not a destination. There should be a ‘plan, do, check, act’ element involved, where you set out the standards or framework, do a gap analysis against that, perform checks such as pen tests, gap assessments, risk assessments, or red teaming, depending on how mature your organisation is. And when an incident does occur, act and then learn from it. This will usually provoke a new programme of work designed to harden and make the organisation more resilient. That type of lifecycle should be at the heart of your strategy.”
Mike also highlighted the importance of putting patients at the centre of a cyber resilience strategy and making sure all key players are involved from the start. “We need clinical and the business owner on board because they’re the ones that can make the hard trade-offs and set the requirements on how hard to turn that security dial. Of course, we can turn the dial really hard, but that’s not a strategic approach.”
Offering the supplier point of view, Julian agreed with Mike’s sentiments, especially around viewing the strategy as a journey. He noted how quickly things can change within the cyber industry, stating, “I’ve been working in this domain for quite a while now and I remember when we used to do things that we thought would be impenetrable and then months or years later they were no longer gospel.” Because of this rapid evolution, Julian explained how “your ability to understand the domain you’re working in and adapt to it as much as you can within the constraints of your business is key”.
He went on to emphasise the need to understand budgeting requirements and where the risks lie within your organisation specifically, in order to inform how and where to make the right investments. “As professionals, we need to spend our organisation’s money wisely,” he said. “We need to assess the risks carefully and we need to make sure we’re helping our stakeholders make the best decisions.”
Julian’s final point focused on the resilience of organisations after a cyber event: “Whenever you visit somebody who has had a cyber event and they’ve been knocked over and the system’s been taken away from them, it’s important to look at the creativity and the innovation that’s been used in order to achieve that sort of event because it’s impressive. So, the tenacity and the resilience of organisations that are able to recover from that is impressive too. I think we need to keep that in mind as we work in this challenging time.”
For Hubert, “Resilience is about how quickly you get back up after being knocked down. One of the key aspects of this is knowing your environment and knowing what you have so that you know how to support the organisation from a cyber or technical point of view.” As an example, he suggested looking at the tools in place that might be complicating things, noting, “sometimes simpler is better”. Hubert also mentioned having a clear response plan in place that’s easy to follow, not just from a digital or cyber perspective, but from the trust itself. “Take pharmacy, for example, do they have a business continuity plan that they can fall back on if needed? Working with the various arms of the organisation to coordinate a plan is key.”
Nasser then gave his perspective on developing a cyber resilience strategy. “My focus is on day-to-day resilience,” he said. “And every day we get different kinds of alerts. We have different challenges, different projects and different workloads. And that’s what drives much of our strategy. Of course you have the wider picture, but the simple, day-to-day incidents are important too.” To further explain this, he used the example of a phishing email, indicating how this can help to highlight gaps: “How does the team actually respond to it? Is there a massive reliance on external SOC or any other teams? How can we triage things ourselves? That’s where I’ve tried to make changes.”
Rectifying minor incidents is a key part of your resilience strategy, Nasser said. “It might not sound very exciting, but those small incidents can often lead to something bigger. So if your teams aren’t able to handle those, then the wider resilience plan will fail.” He shared one of the key benefits of having a team that’s able to understand and deal with various incidents, no matter how severe: “Because it’s been embedded in them from day one, suddenly the severity isn’t throwing people off and people aren’t panicking because we’ve already built up our personal and professional resilience.”
Key learnings and practical wins
Nasser’s comments about celebrating smaller wins in cyber resilience took the conversation in the direction of practical learnings, with the panel sharing wins from their own experiences. “I think the theory is very different from the reality and that’s what makes this hard,” Mike said. “The things that are most successful in stopping these attacks are the hard, foundational IT elements. And that includes really highlighting the criticality of patching the most critical vulnerabilities and having effective IT lifecycle management, so that we don’t end up having out-of-support legacy IT in place.”
Another practical and critical win Mike explored was around identity, noting, “We tend to see things such as weak passwords. You could easily criticise the individual for that, but what you should really be looking at is why there isn’t multi-factor authentication in place. It’s about simplifying it all into things that can be acted upon.” With this in mind, he concluded, “We’re never going to be able to close every potential security risk, but what we can do is focus on the ones that we see time and again and train people to effectively manage incidents and make the right decisions when things do go wrong.”
On the point about training the workforce and working together to manage cyber incidents, Nasser noted the value of in-person meetings and building relationships throughout an organisation to help improve communication. “When something happens, whether it’s a critical incident or a small incident, the relationships between various teams are crucial. Especially if they’ve never really worked together outside of a Teams meeting or an email. I know we all love sitting behind a computer screen, but sometimes it can be nice to step away and do something with your colleagues and just get to know them a bit better. Because when these types of situations occur, you really want to be on the same page so that things can move so much faster.”
Julian highlighted how important it is to make the distinction between infrastructure resilience and cyber resilience, noting how we’re “moving from a situation where periodically systems would fail to a new situation where systems have been maliciously altered to maximise the impact and make it as hard as possible to recover from that. It’s important to make sure you’ve got an understanding of that first.”
From his own experience, Julian shared how historically organisations have just added backups to their systems, hoping everything would “come back to life”, but for the most recent cyber events he has seen, “it’s quite quickly become apparent that backups were not the answer to the problem because the penetration had been at such a level whereby the impact was far wider”. A more practical approach, according to Julian, would be to “start considering the availability of an isolated recovery environment instead”. He added, “There needs to be a plan in place where, in the event of one of these systems not being available, you can still restore those critical systems.”
Adding to this, Hubert suggested adding backup testing to your strategy, sharing how his organisation has built this into their continuous compliance process to make sure backup systems are working correctly. Julian agreed that backup testing is essential for cyber resilience, stating, “A test that fails is still a successful test. It allows you to iron out the kinks because each time you test something, you’ll find something new to refine.”
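The backup testing Hubert and Julian describe only earns its keep if a restore is actually exercised and its result compared against what the backup job recorded, so that a bad backup surfaces as a failed test rather than during an incident. The following is an added example and not code from the panel, Rackspace or any trust; it assumes backups are tar archives, that the backup job writes a manifest of SHA-256 digests and sizes, and uses constructed sample files rather than real data.

```python
"""Restore-test a backup archive against the manifest recorded at backup time.

Added example (not the panel's or any trust's code). Assumptions: backups are
tar archives, and the backup job wrote a manifest mapping each path to its
SHA-256 digest and size. The check restores into a scratch directory and
verifies every file, so a corrupted or missing file is reported as a failed
test rather than discovered mid-incident.
"""
from __future__ import annotations

import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample content standing in for a small backup set.
SAMPLE_FILES = {
    "pharmacy/stock.csv": b"drug,qty\nparacetamol,120\n",
    "pharmacy/orders.csv": b"order_id,drug\n1001,ibuprofen\n",
    "theatres/schedule.txt": b"08:00 list A\n13:00 list B\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large restores do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_backup(files: dict[str, bytes]) -> tuple[bytes, dict]:
    """Create an in-memory tar archive and the manifest a backup job would record."""
    buffer = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buffer, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    return buffer.getvalue(), manifest


def restore_test(archive: bytes, manifest: dict) -> dict:
    """Restore into a scratch directory and verify each manifest entry.

    Returns a report: passed flag, number of files checked, and a list of
    findings (missing file, size mismatch, checksum mismatch).
    """
    findings = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            # Use the 'data' extraction filter where the interpreter provides it,
            # which rejects absolute paths and path traversal in member names.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(root, filter="data")
            else:
                tar.extractall(root)
        for name in sorted(manifest):
            expected = manifest[name]
            target = root / name
            if not target.is_file():
                findings.append({"path": name, "problem": "missing from restore"})
                continue
            if target.stat().st_size != expected["size"]:
                findings.append({"path": name, "problem": "size mismatch"})
                continue
            if sha256_of(target) != expected["sha256"]:
                findings.append({"path": name, "problem": "checksum mismatch"})
    return {"passed": not findings, "checked": len(manifest), "findings": findings}


def demo() -> tuple[dict, dict]:
    """Run the check on a healthy backup and on a damaged one (same manifest)."""
    archive, manifest = build_backup(SAMPLE_FILES)
    healthy = restore_test(archive, manifest)

    # Simulate a damaged backup: one file silently altered (same length, so only
    # the checksum catches it) and one file absent from the archive.
    damaged_files = dict(SAMPLE_FILES)
    damaged_files["pharmacy/stock.csv"] = b"drug,qty\nparacetamol,000\n"
    del damaged_files["theatres/schedule.txt"]
    damaged_archive, _ = build_backup(damaged_files)
    damaged = restore_test(damaged_archive, manifest)
    return healthy, damaged


if __name__ == "__main__":
    for label, report in zip(("healthy", "damaged"), demo()):
        print(label, json.dumps(report, indent=2))
```

Running the script prints a passing report for the intact archive and a failing one for the damaged archive, with one checksum mismatch and one missing file. In a continuous compliance process the `findings` list is the artefact to record: a failed restore test is the evidence that prompts a fix before the backup is relied on.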
Prioritising cyber resilience within the NHS
When asked how NHS England is supporting organisations with cyber resilience, Mike spoke in depth, stating, “From a national perspective, the strategy is to defend as one. And what that means in practice is that we’re increasingly clear about when issues and risks are best handled locally and solutions are best designed, implemented and maintained locally, to then separate that from what is best done once on a national scale.” Affordability and limited resources are both reasons why issues may be tackled more on a national level, according to Mike, “or it may be down to the aggregation risk, where having visibility over the whole health and care sector, including all 80,000 suppliers, 200+ trusts and 1.5 million members of staff, allows you to spot anomalies that might not seem out of place for a single organisation”.
Delving further into the affordability side of things, Mike noted, “Ultimately, it’s public money. So it doesn’t make sense to look at cyber resilience at a regional or hospital level where you have to do the same thing multiple times. You do it once and you’ll do it more effectively.” He also mentioned how bringing in dedicated incident response teams can be a key differentiator: “Rather than expecting everybody to contract individually, we retain national solutions. That means there’s no delay between an incident being raised and the expert resource being on the ground.”
Strategic challenges
On the topic of strategic challenges for cyber resilience and recovery, Hubert also highlighted money as one of the core roadblocks for innovation and development, before moving on to discuss workforce challenges. “For us to be effective in recovering or responding, we need to have people who understand what it is they need to do. And that comes down to training, technical competence and communication.”
He went on to explain some of the ways this is being tackled within his own organisation: “We’ve embedded cyber within our technical team. That means the infrastructure team has access to our cyber tools, while at the same time, we can join in with their projects, creating a free flow of information.” Hubert emphasised the need for a strong relationship with other teams as well as with suppliers in order to tackle strategic challenges. “It’s not just a form-filling exercise or a supplier telling me what they’ve done; we have frequent conversations so that we can build that relationship. That means whenever a problem occurs, we don’t have to try developing a relationship under fire because we’ve already developed that rapport.”
On the relationship between the supplier and the organisation, Julian said, “As a supplier looking to support the healthcare service, we need to exhibit all the correct diligence with regards to our own infrastructure on our own supply chain, but specifically with regards to providing services that are designed for the healthcare environment.” With this in mind, he shared how Rackspace has been focusing on sovereign services, having a team in place who are dedicated to delivering UK-only services for specific sectors, such as government, healthcare and law enforcement. “Within that team, there has been a level of specialism over the years to ensure we’re focusing on the low-hanging fruit around in-life hardware, up-to-date patching, password rigour, robust backups, etc.”
He concentrated on the importance of working together, explaining, “We’re working with our healthcare customers so that we can understand where the priorities are. That includes helping to build business cases and risk assessments to make sure any investments being made are being done in the absolute most efficient way possible. Because nobody has spare people, spare cash or spare infrastructure.” Julian added how Rackspace is “very keen to make sure organisations have the information they need at their fingertips so that when it comes to dealing with strategic decisions or investment decisions etc., we can provide you with good advice around what’s available in the marketplace, what’s available within our portfolio and more specifically, what would work for an individual trust depending on their digital maturity.”
Balancing efficiency with increased risk
When asked how to effectively balance the efficiency benefits that come from interoperability with the increased risk of attacks, Mike noted how the question ultimately gets to the heart of the relationship between people and technology. “We, as security people, have a responsibility to start implementing secure-by-design technologies, approaches and principles so that new interoperable network systems constantly validate the security posture and the credibility of relationships with these increasingly integrated systems,” he said. “That’s a key part of the design – making sure that when things go wrong, the systems are truly resilient and segmented in a way that the blast radius is kept to a minimum.”
Although technology and interoperability have the potential to increase efficiency significantly, Mike noted how it can come at the cost of clinicians and organisations, which he said “has to be part of the calculation”. Expanding on this, he explained, “We’ll secure by design, but part of that is understanding what the minimum technology requirement is to keep a business going and keep clinical activity going when there’s no IT available. We’ll do our bit but what we need to get better at is supporting business owners and clinical owners in answering that question and preparing for what they’re going to do if these interoperable network systems are not available when they’re needed.”
For Nasser, “It goes back to how cyber security helps innovation instead of stifling it. When you hear that these systems are being connected, it can cause a bit of anxiety because you might not have the full visibility you’re used to in that moment. But at the same time, it’s important that you try to enjoy these types of challenges.” This is where the innovation comes in, according to Nasser: “When you get these complex systems all working together, that’s where you really start to innovate in cyber. Without them, you might not have the opportunity.” Explaining more on how this works in practice, he said, “You start to come up with new solutions to keep your patients safe, keep the data safe and work with the clinicians. Although it sounds like something that’s going to cause you a lot of stress and anxiety, having these types of requests actually leads you to do things on a much larger scale and it really gets you to think about your visibility and whether or not you can actually see everything you need to.”
Nasser emphasised the importance of working together, stating, “I’ve had many clinicians who have had some fantastic ideas and they’ve really been supporting these new systems coming in. Because of that, we’ve then found ways to mitigate other risks we might not have considered before and that’s what makes us innovate in cyber security. We can work together and help them find solutions which are safe instead of deciding we don’t like something because it’s new.”
In terms of the future of balancing efficient interoperability with risk, Julian suggested, “Over time, a lot of systems are going to become more and more interconnected. So, I think we need to focus on the quality of architecture, policy and infrastructure within these systems and make sure that they’re well administered. I know that’s easy to say and harder to do, but I think that will be the future for cyber security and innovation.”
Final thoughts
Our discussion ended with the panellists providing one key takeaway each. Nasser began by highlighting the importance of building relationships, stating, “If you don’t already know your cyber security team, find out who they are and see what you can learn from them. Something I’m very passionate about is making sure we change the perception of cyber security at my two organisations and across the NHS. We’re not the blockers; we’re there to help move things forward. So if you want to build those relationships or if there are any skills that you want to develop within cyber, remember that it’s accessible for everyone. Reach out and I’m sure we’ll find a way to upskill you.”
Mike echoed Nasser’s sentiments around upskilling, reminding the audience of the Immersive Labs cyber training platform, which is a free NHS resource allowing people to learn in a more immersive way. However, his main takeaway was around curiosity and understanding: “Ask yourself what you would do if you turned up to work and IT wasn’t working. Everything from the car park barrier to when you log in on your device would be impacted. Consider this and create a conversation around resilience and planning within your organisation. This will help shape the culture from the bottom up and sideways rather than it being from the top down.”
Hubert’s advice also centred around building relationships and forming open communication, but with one caveat: “Build relationships during peacetime first and then everything else should hopefully fall in place.” Julian, meanwhile, suggested focusing on education: “There are some fantastic training resources out there and I think we owe it to ourselves and our organisations to make sure we’re being as knowledgeable about this domain as we possibly can.”
We’d like to thank all four of our panellists for their keen insights and contributions as part of this discussion.