
HTN Now panel deep dive into clinical continuity and cyber resilience

For a recent panel discussion on the topic of clinical continuity and cyber resilience, HTN was joined by experts from across the health sector, including Alan Simpson, CISO at Rapid7; Stuart Cooney, CTO at Royal Berkshire NHS Foundation Trust; and John Mitchell, assistant director of digital at Humber and North Yorkshire ICB.

Our panel considered the evolving threat landscape, current capabilities, emerging technologies, and best practices for ensuring resilience both now and in the future.

Stuart took us through his role at Royal Berkshire, a trust serving about 500,000 patients with around 9,000 members of staff. “My role is really to lead on the technical aspects of the trust activities,” he elaborated, “across the development teams, infrastructure teams, security teams, and operational teams – it’s a broad and substantive role.”

Formerly a global security operations manager and head of information security at a number of different organisations, Alan talked about his journey since joining Rapid7, a company providing exposure management and managed detection and response services around the globe. “We’ve been in cyber security about 26 years, so we do know a thing or two about it, but we’re always learning and looking to learn from our customers and other people’s experience,” he said.

“As an ICB, we commission our providers to deliver care services on behalf of our population, but we also sit at that system level and convene conversations across partners to try and take them in the same strategic direction,” John shared with regard to his role at Humber and North Yorkshire ICB.

Getting ahead of the changing threat landscape

“The threat landscape has fundamentally shifted over the last few years,” considered Stuart. “I think we’re moving away from the more isolated cyber attacks and incidents to something much more industrialised, with attackers using more automation, AI, and shared tooling that enables them to do things at scale.” The other thing that has changed is that the attack surface has widened for the NHS, now incorporating “very complex” ecosystems with supply chains, cloud platforms, and digital services. Getting ahead requires a mindset shift, he argued, adding: “You can’t just focus on prevention any more; you have to assume you’re going to be compromised, and design everything under that assumption – lots of investment in identity security, real-time detection – telemetry is everything, and it’s all about how quickly you can respond and restore services when you are compromised.”

Alan said he has observed more of a shift toward disruption as a motive for attackers, including against critical infrastructure such as healthcare. “It’s no longer purely about other criminal activities, it’s now the disruption of operations, and more so than ever, visibility is absolutely key,” he acknowledged. “It’s Stuart’s point about the attack surface changing, but also having a clear picture of the organisational context around where the most important parts are, especially when we look at the NHS, where patient safety is central.” Understanding what could potentially break those systems, processes, and workflows is integral, he added.

Moving away from a mindset built on siloed organisations is important, John told us, pointing to the use of the phrase “defend as one”, which has seen NHS England gravitating more toward the provision of centralised support. “We need to come together to make sure we understand that we are only as strong as our weakest link,” he suggested, “and work alongside each other to make sure we’re as bolstered as possible, aligning strategic bids to get the best possible value, using both local and national intelligence effectively to know what tech or solutions will offer the highest level of protection.” Part of that is ensuring everyone is working to safe minimum standards and supporting partners who are struggling, he continued. It will also be integral moving forward to navigate the changes happening with staffing carefully, to avoid “leaving lots of back doors open”.

Challenges

The greatest challenge facing healthcare organisations at the moment is the testing piece, Alan shared. “It’s having that understanding of where the handoffs are between different parts of the organisation, and having those processes down, really embedding what that recovery looks like, but also being pragmatic and looking at priority applications, services, critical systems, or processes to get back online.” That means taking a step back, he noted, and looking at what is going to be most important to the patient and those on the frontline.

For Stuart, the biggest challenge comes back to complexity, with the health sector being home to a mixture of legacy systems, modern cloud platforms, and a wide supplier base, serving to increase the attack surface. He also expressed concern about the pace of change, and how quickly attackers are able to innovate using things like AI. “I think many organisations are struggling to keep up,” he said. “There’s also a workforce challenge. We just don’t have enough skilled cyber professionals, making maturing our capabilities more difficult. As John said, that’s where sharing knowledge and best practices is hopefully going to help out.”

“There are two critical issues that I’m trying to get my head around at the moment,” John highlighted. “The first is that funding mechanisms don’t meet the need as we move to highly revenue-based, service-led infrastructure – when we put bids in, those are for one or two years, when we could do with guaranteed revenue funding for a lot longer. The other thing is just the mindset shift to focus on the needs of the collective, rather than individual organisations.”

Emerging technologies 

Emerging technologies such as AI can both help and hinder future cyber resilience in NHS organisations, according to Alan, speeding up attackers’ work to exploit vulnerabilities, but also having the potential to be used in defence. Organisations should be looking at their patching processes, at reducing their attack surface, at which devices are on their networks, and at reducing technical debt. “AI can help where capacity is lacking,” he said, “but that can be a double-edged sword in possibly reducing pathways to having experienced analysts and security teams. I think a lot of teams are monitoring that, and it’s about how we bridge that gap.”

“We’re undergoing an operating model change at the moment,” Stuart shared, “and we’re using a hybrid approach to build our capability and get around cost, using our internal cyber team, an external SOC giving us 24/7 visibility, and then the NHSE central SOC. I would never be able to fund a security team internally that would meet our needs and give me the ability to sleep comfortably at night, so I think the blended approach is the best option.” IoT and cloud are massively expanding the attack surface, and every connected device or API becomes another entry point, he contended. “Looking ahead, what do we do when quantum computing starts cracking all encryption? It’s an arms race, and attackers are moving faster than before, using better technology, which means cyber security professionals are having to use better technology just to keep up – it’s definitely a scary and interesting time.”

From an ICB perspective, it’s slightly different, John told us, with Humber and North Yorkshire deciding to maintain its digital leadership, SIRO, and DPO responsibilities, but to outsource technical delivery to a trusted IT partner across both corporate and primary care services. “A major challenge given the speed of change around emerging technologies is how we keep our user base up-to-date, and how we encourage them to take responsibility for their own digital hygiene. An example is when ChatGPT was first launched, and people were feeding it sensitive information without full knowledge of what they were doing. We shouldn’t hold back from innovation, but we need to be sure we take our workforce with us.”

Alan agreed with Stuart’s recommendations about having a blended approach, also highlighting the benefits of bringing on a trusted partner who is focused on keeping on top of technologies as they evolve, and who has the economy of scale to do that. “Another element is knowing what data has been taken, if you have had a breach, and how long that stays relevant for,” he continued. “It’s back to fundamentals about data classification and understanding what you have.”

Workforce 

Looking at workforce and cyber literacy, John recommended starting at the top. “If your board doesn’t understand the risks of everyday cyber now, you’re always going to be struggling to get headspace throughout the entire organisation,” he noted. “We need to ensure we’re getting our mandatory training correct – is it still acceptable that that should be a once-a-year exercise involving ten simple questions that can easily be searched online? There’s something about how we make sure people are encouraged to take personal responsibility for their own development through mandated processes, until it becomes part of the everyday culture.”

Moving forward, there’s a need to do more things like phishing campaign tests and exploring other ways of boosting cyber awareness, Stuart suggested. “It’s the responsibility of everybody in the organisation to be on their guard for it, and we’re just looking at how we can provide those tools to help them to do that.”

Alan pointed to the impact of having an open environment for cyber security where people can ask questions or address any concerns, as well as communicating well about the use of AI tools and the risks they pose. “Education is really key, and having that open forum where there are no incorrect questions, rather than a top-down approach, is central,” he shared. “It’s also having those tangible examples or resources that people can check easily before they do something.”

Supply chain

Managing the supply chain is a “huge challenge”, John said. “There are things that need to happen nationally about making sure national contracts are appropriate, but also locally in making sure we’re defining the right standards for our suppliers to work to, with regular assurance, audits, maybe spot checks, to keep in touch and talk to them about what’s going on.” It’s integral to check there are no single points of failure throughout the supply chain, he continued, “and the better you can make your relationship with those suppliers, the more likely you are to have that honesty back”. Humber and North Yorkshire ICB is now making it a contractual requirement for its providers to be in control of their own supply chain, he added.

“You need to treat suppliers as an extension of your organisation,” recommended Stuart, “meaning setting clear security expectations, baseline controls, assurance processes, visibility of risk, and so on. It’s not just signing the contract, it’s about ongoing engagement and monitoring – not all suppliers carry the same level of risk, so focus your efforts where it matters most, narrowing down those that could potentially cause significant damage.”

Moving beyond just annual questionnaires is key, Alan agreed, “but when you’re looking at tiering suppliers you could struggle, because you might have Microsoft down as a tier one supplier, but from an assurance perspective everything is pretty public, you’re not going to be able to audit, and so on”. In other instances, criticality or risk might seem low, but an organisation may be relying on old systems or using remote access, posing a much bigger risk than you realise, he shared. “It’s reviewing those lists and being more upfront about where it’s best to spend the time on different suppliers.”

Prioritising cyber resilience

There is value to be had from tabletop exercises, whereby a scenario is played out around a certain supplier or system no longer being available in the event of a significant incident like a cyber attack, Alan said. “That could just be a short, sharp exercise to get people thinking about where the break points are in their process, where that redundancy is needed, and then building out from there.”

Cyber should be treated like a core business function, rather than an IT function, stated John, so conversations about cyber are no longer seen as IT risks, but board-level risks. “We no longer talk about security controls, we talk about operational continuity. We do an annual desktop exercise, and there’s a real benefit in engaging with our regional cyber leads to help coordinate that – they have the high levels of skills, and they can really help you target that to the right place.” There has been a notable increase in the amount of comms and alerts going out nationally detailing emerging cyber threats, he considered, “and we’ve got greater shared intelligence now than we’ve probably ever had”.

Stuart spoke of feeling “reassured” by improvements to capabilities, controls, and telemetry: “We are immediately aware when NHSE sends out alerts that we need to act on, and we have very strict requirements to do that. It goes back to my point about the arms race. We have more knowledge, more telemetry, more tools than ever before, but so have they.”

Looking ahead

Our panel moved on to discuss priorities around cyber resilience in the short, medium, and long term, with John indicating short-term priorities around getting the basics right, collaboration, and agreeing on things like patching processes. “You can then build on those foundations with staff awareness, recognising that in three to five years’ time, the advanced stuff will then become the basics,” he said. “I would like to see the overall digital maturity of the workforce raised as well – there’s only so much technical and cyber teams can do to protect, so we need to make everybody aware of the consequences and responsible for their own cyber hygiene.”

Alan reiterated the importance in the short term of visibility, understanding what you have, and where the gaps are, before moving into the longer term and building that out to continuous threat and exposure management, keeping on top of what needs fixing or changing as technology evolves. “In the short to medium term, I think we’ll see the rise of integrators within information security teams, connecting things like AI tools in a secure way.”

“I think the shift to community in the 10-Year Plan fundamentally changes the risk model,” explained Stuart. “Traditionally it’s been centred around closed networks, hospitals, and relatively controlled environments, but when pushing that out into people’s homes, community hubs, digital channels, that creates really important implications. Instead of securing single organisations, you need to secure distributed ecosystems covering GPs, community teams, third-party apps; you have to start looking at things such as identity being the new perimeter.” Skills around identity and access management, as well as network security skills, will be key for NHS organisations to prioritise in the next couple of years, he predicted.

“The bit that we all need to get our heads around is the patient’s home environment, and how we can make that a safe extension of our own networks,” John noted. “There will be tech solutions for that, it’s just something else we have to think about – a person’s home will never be as secure as a hospital ward, but we need to deal with that as a team and have trust in those around us to ensure we’re all doing that.”

We’d like to thank our panel for taking the time to share these insights with us.