
Panel discusses cyber security best practices, assessing maturity, good practice…

For a recent HTN Now webinar focusing on sharing best practices around cyber security, we were joined by an expert panel including Neill Crump, digital strategy director at The Dudley Group NHS Foundation Trust; Nasser Arif, cyber security manager at London North West Healthcare NHS Trust (LNWH) and Hillingdon Hospitals NHS Foundation Trust; and Martin Knight, privileged access management at Imprivata.

The session focused on key considerations for NHS organisations in their approach to cyber security, assessing cyber security maturity, good cyber security practice, the challenges in this area and tips to overcome them.

Nasser kicked off our introductions by explaining how he started out in cyber security five years ago as an analyst, before working his way up to his current role of cyber security manager. From an organisational perspective, “cyber is quite new to us as a separate function”, he shared, “so one of the challenges I’ve had is showing people we exist and what our remit is”. That remit covers day-to-day operations, cyber awareness, and a range of cyber projects across both LNWH and Hillingdon Hospitals. “I love cyber security,” Nasser told us, “and I’m really happy to be here as part of this discussion.”

Neill shared an introduction to say: “We’re in the Black Country, and we provide acute, community, and now primary care services, to a population of just over 450,000.” His 25 years of experience across the commercial and public sector, in roles touching data, digital, technology, and cyber, have allowed him to gain a variety of certifications, he continued, including becoming a Certified Information Systems Security Professional, which he says “took some doing!”.

At Dudley Group, his role involves the design of the organisation’s digital plan, Neill shared, “which includes architecture, cyber governance, and analytics”. In terms of cyber, “Dudley leads the ICS cyber group”, he went on, “and we’re focused at the moment on forming the ICS cyber strategy”. Within the trust, there’s a focus on “the mantra that cyber is everyone’s responsibility, from the board to the ward, as well as matrix working across the digital, data, technology, and cyber teams.”

Martin told us about his role with Imprivata, focusing on privileged access management and “how we can control and manage that elevated account that’s used both internally and from third-party vendors; reducing some of that risk, and simplifying that process without restricting what users can do”. He shared hopes to contribute to the discussion around cyber security across the health system, “and the way that privileged access management plays a key role in that piece, as well”.

Best practices with measuring cyber security maturity

The first topic our panel tackled was around best practices in measuring cyber security maturity for health and care organisations, with Neill focusing in on pillar one of the National Cyber Strategy: “focus on the greatest risks and harms”. There is so much that organisations can do to improve their posture, he told us, “that you really need to get down to basics and understanding your maturity, so you can understand your readiness against those cyber threats and prioritise your approach in relation to the gaps you discover as part of that maturity evaluation.” 

At Dudley, his team looked first at understanding their approach to risk management, according to Neill, “speaking to the board and getting an understanding of their requirements on oversight of cyber security risks, so we could be clear on roles and responsibilities”. The team at Dudley has also performed a risk quantification review, he shared, using a list of different risk-reducing cyber defence capabilities developed by the national team, “which allows you to quantify risk and then prioritise based on the likelihood of the cyber risk actually happening, or secondly to look at reducing the impact should that occur.” 

A lot of people will currently be focused on the Data Security and Protection Toolkit (DSPT), Neill considered, “especially as this year it’s now linked to the Cyber Assessment Framework”. Those are key areas, he said, “where people are going through and understanding how the bar is actually getting raised”. Dudley has ISO 27001 accreditation, he shared, “and we do an audit every year, focused in different areas such as supply chain and network infrastructure, as well as undertaking regular penetration testing and incident response and resilience exercises”. In summary, there’s “a raft of different ways you can look at your cyber maturity”, he said, “so you can start to prioritise based on the greatest risks and harms.”

Nasser shared that LNWH and Hillingdon Hospitals have a similar approach, adding: “One of the first things I did when I took on my Cyber Security Manager role was to look at what we already had in place – not just cyber tooling, but also our wider digital tooling, and trying to measure how effective those had been so far, and how we were using them. There’s often a big rush in the NHS to get these shiny new systems in, but the danger we have is when we’re bringing in these complex systems and not utilising them fully.”

That means that when assessing cyber security maturity, “it’s important not only to look at what we’ve got on paper, but also to look at what we’re using in reality”, Nasser shared, “because I don’t think we’re digitally mature if we’re lying to ourselves and just assuming we’re doing everything correctly – we need to be really honest and have that open discussion to check (and verify) we’re actually doing what we say we are”. Whilst those conversations “aren’t always easy”, they’re very effective when it comes to identifying areas for improvement, he said. He also noted how those outside of cyber security can also have important views on “risks we might be unprepared for”, adding: “You should always leave the door open for colleagues outside of cyber to have their say.”

From his perspective with Imprivata, “it’s all about the people”, Martin said. “And for us it’s how we manage the identity that user is tied to, whether that be internal or third-party. A lot of the breaches we’ve seen over the last few years have come from that supply chain or that third-party solution, where you’re giving out elevated accounts to vendors, and then you have no control over who has access to that account, whether it’s being shared; and no full audit trail of what they did when they came in.” It’s about simplifying access for vendors “without giving them the keys to the kingdom”, he considered.

It’s also about ticking boxes across things like CAF and DSPT, and “how we prove there’s a full audit trail in place”, Martin shared, adding: “It can be a complex tool to manage, but if you try and start at person-level first, like with clinical staff, and trying to remove their need for a password, perhaps using fingerprints or facial recognition instead, that’s key. If we can remove the need for users to know passwords, it’s a lot harder then to be phished going forward.”
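Martin’s concern above is a shared vendor account with “no control over who has access to that account, whether it’s being shared; and no full audit trail”. One way a trust can check its own audit trail for exactly that symptom is to look for sessions on the same privileged account that overlap in time but originate from different hosts. The script below is an added example written for this article; it is not code from the webinar, from Imprivata, or from any of the trusts discussed. The log format, account names and addresses are all constructed for illustration.

```python
"""Flag shared use of a third-party privileged account: overlapping sessions
from different source hosts under one account name.

Added example for this article, not code from the panel or from Imprivata.
The audit-log format below is an assumption: one record per privileged
session with account, source host, session start and session end (UTC).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample audit records (not real data). The first account is
# shared between an on-site host and an external address at the same time.
SAMPLE_AUDIT_LOG = """\
vendor-pacs-admin,10.20.1.15,2024-03-04T09:00:00,2024-03-04T09:45:00
vendor-pacs-admin,203.0.113.7,2024-03-04T09:20:00,2024-03-04T10:10:00
vendor-pacs-admin,10.20.1.15,2024-03-04T14:00:00,2024-03-04T14:30:00
vendor-lims-svc,198.51.100.22,2024-03-04T11:00:00,2024-03-04T11:20:00
vendor-lims-svc,198.51.100.22,2024-03-04T11:30:00,2024-03-04T12:00:00
"""


@dataclass(frozen=True)
class Session:
    account: str
    source: str
    start: datetime
    end: datetime


def parse_audit_log(text: str) -> List[Session]:
    """Parse comma-separated session records into Session objects."""
    sessions: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, source, start, end = (field.strip() for field in line.split(","))
        sessions.append(
            Session(account, source, datetime.fromisoformat(start), datetime.fromisoformat(end))
        )
    return sessions


def overlapping(a: Session, b: Session) -> bool:
    """True when the two sessions share at least one instant in time."""
    return a.start < b.end and b.start < a.end


def find_shared_use(sessions: List[Session]) -> Dict[str, List[Tuple[str, str]]]:
    """Return, per account, pairs of source hosts whose sessions overlapped.

    Two overlapping sessions from different hosts on one account mean the
    credential is being used by more than one person or machine at once,
    which is the situation a PAM broker or per-person vendor identity prevents.
    """
    by_account: Dict[str, List[Session]] = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)

    findings: Dict[str, List[Tuple[str, str]]] = {}
    for account, sess in by_account.items():
        sess.sort(key=lambda s: s.start)
        pairs: List[Tuple[str, str]] = []
        for i, a in enumerate(sess):
            for b in sess[i + 1 :]:
                # Sorted by start time, so once b starts after a ends,
                # no later session can overlap a either.
                if b.start >= a.end:
                    break
                if a.source != b.source and overlapping(a, b):
                    pairs.append((a.source, b.source))
        if pairs:
            findings[account] = pairs
    return findings


if __name__ == "__main__":
    for account, pairs in find_shared_use(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        for first, second in pairs:
            print(f"{account}: concurrent sessions from {first} and {second}")
```

On the constructed sample this reports only `vendor-pacs-admin`, used at once from an internal host and an external address; the `vendor-lims-svc` sessions come from one host and do not overlap, so they are not flagged. The same pass over real session records is cheap enough to run daily, and an empty result is itself evidence for the CAF and DSPT audit-trail questions Martin mentions.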

Basic steps to boost cyber security maturity 

Looking to some of the basic steps that can be taken to increase cyber security maturity across healthcare organisations, Nasser told us how his team “started with the endpoint, which might be your standard trust computer, and just having a look at what damage someone could do on that”. During COVID, one of the issues his trusts faced was the sudden shift to remote working, he said, “and our laptops back then weren’t equipped for that radical shift”.

To ensure you’re covering the basics, “you need to look at what harm someone could do with your organisation’s end user device”, Nasser shared. “It’s about looking at your digital estate and thinking what you would do if you were a threat actor and wanted to cause harm.” For example, stopping people from being able to visit phishing websites “means you’re preventing a lot of potential harms from happening through that attack vector”, he added.

“You’re absolutely right,” Neill agreed, “and I would also add the importance of focusing on identity and access management – I’m not just saying that because Martin’s here – it really is a critical area that Trusts need to look at, understand what their maturity is at the moment, and address it.” Dudley has spent “a lot of time” on privileged access management, he said, “making sure that if we’re letting people access critical assets like servers and endpoints, we’ve got those controls in place”. 

Neill also highlighted two-factor authentication (2FA) as an area needing more attention. “We’ve made some great strides over the last couple of years,” he said, “however, we want to do that over the entirety of the estate.” That also links with the third-party secure remote access aspect of things, according to Neill, “because you absolutely have to have multi-factor authentication (MFA) there, so you’re sensitive to any issues which might be happening”. He also recommended looking to national guidance to help identify potential breaches around an organisation’s perimeter. 

“Neill and Nasser have hit the nail on the head,” Martin said, “because it is about understanding the basics and what’s in front of you – digital identity is really key, because I’ve spoken to trusts in the past where some of their internal staff had four active directory accounts at different levels of elevation, and that’s not simplified for the end user.” The more tools you put in place to advance your security, he went on, “the more people you’re going to have trying to navigate around those, because they want simple access, and they want to do their job”. It’s about balancing simplicity, security, and cost, he considered, “and that is a golden state, because it’s very difficult to get to that point – you’re never going to get to that zero trust network, because the only way you can do that is by giving somebody no access at all.”

Developing cyber security strategy 

Neill shared some details around his involvement in the development of an ICS-wide cyber security strategy, looking at the potential for collaboration under the mantra of “defend as one”. Discussions at the moment are focused around the “what” aspect of the strategy, he told us, before moving on to look at the “how”. The issue with this, he said, “is we need to continue increasing our cyber resilience now, so we need to get on with considering how we can actually get on with doing that”. The ICS has developed “task and finish” groups, he continued, “and we’ve allocated workstream leaders from each of the different providers, so we’ve shared that responsibility to make sure everyone is involved.” 

The vision as it stands has been agreed as “championing a united cyber strategy for patient safety, trust and security, through dependable resilience and collaboration”, Neill shared, “which actually gives us some different strategic objectives: how we enhance our responsiveness and our resilience, how we cultivate a skilled workforce, how we achieve strategic alignment, and how we foster collaboration.” 

Overcoming challenges around legacy systems, infrastructure, and more

One of the main challenges accompanying legacy systems in the NHS is that “many are running software no longer supported or no longer supported by the vendor – sometimes the vendor doesn’t even exist anymore”, Nasser told us. “Sometimes it’s on the network, and you discover it randomly, and you have to ask what it is, what it’s doing, and what it’s talking to. Because it’s legacy, the people who were supporting it, whether that be from the vendor or internally, have often moved on, so you’re left with these systems. There’s nothing wrong with them, they are working, but they’re not compliant with modern cyber standards.”

When tackling this challenge from a technical point of view, Nasser highlighted the importance of investing in “the right kind of systems” that give you visibility over things like medical devices and allow you to pick up from your network “some of these systems that you might not have seen before”, because simply put “if you can’t see them, you won’t know they are there”. The other key step, according to Nasser, is working on relationship-building within the organisation. “I love to talk to people,” he said, “and you find out so much from visiting different departments and just chatting to them – every department tends to have someone fairly technical, who isn’t really IT, but they know enough for the day-to-day fixes and system management. This kind of shadow IT is often frowned upon and seen as a threat, but I think if you identify those people, they can be a real asset for cyber security teams.”

Simply taking these legacy systems off the network “doesn’t take into account what they’re used for”, Nasser told us, “because they’re not being used just for fun – there’s a reason they’re needed, and by working with the clinicians you can figure out what you can do from a cyber security angle, which might include finding a suitable replacement”. His team have “got rid of a lot of legacy systems this way”, he went on, “and I think that’s the best way to deal with those systems, by being honest and having communication around them with the right people.”

Martin agreed with Nasser’s sentiment that “it’s about working with the people”, talking about the value of Imprivata having a clinical-based team who work directly with trusts and perform clinical walkthroughs. “We need to understand what people on the frontline are doing, how they’re using these systems, so you can really see what’s going on,” he said, “and I think a lot of cyber really does start with the person – understanding collectively what everybody’s doing and how they want to do their job. The walkthroughs with teams help to highlight where the gaps can be and how those can be filled, as well as how we can simplify the user experience and save time for clinicians on the frontline whilst also boosting security.”

“There’s a big programme of work that needs to happen to transition to modern infrastructure,” Neill said, “but looking at the short-term and things that are achievable in the current financial climate, I think key things are awareness and education, resilience and business continuity, and the supply chain. Those three areas don’t necessarily involve lots of additional financial investment.” Looking to awareness and education, “having a conversation with everyone at the trust about what cyber security is and trying to position it in their everyday life” is key, he shared, “because we can actually give them something that will help them in their personal life, and that in itself will help improve cyber awareness within the organisation.” 

When it comes to improving resilience, Neill pointed to attacks that had been successful in disrupting operations in health and care organisations in the past. “We need people to be confident that when an attack does happen, they know how to recover,” he said, “and I think incident response type exercises, or basic things around understanding policies and procedures or how to prioritise your response, are key areas.”

For third parties and the supply chain, whilst “there’s a lot third parties can do to improve an organisation’s overall cyber posture”, Neill recommends: “Ensuring we are having the right conversations, doing the right audits, completing the right service-level agreements; in order for them to recognise how they can better deliver their security, which in turn will provide the short-term improvements we’re looking for.”

Focusing on awareness and education

Sharing his team’s approach to promoting awareness and education around cyber security, Nasser said: “I felt like the mandatory training wasn’t enough to stop some of the behaviours associated with cyber risks, or to actually educate staff members on their personal lives, which is something I’m quite passionate about. Something I’ve done, especially at LNWH, is tried to humanise cyber. For example, we have an annual staff wellbeing festival, and for the first time ever I had a stand there, which seemed out of place initially, but I was spreading the word about cyber wellbeing and best practice.” For those who fall victim to cyber-attacks in their personal lives, it’s an “awful” feeling, he continued, “and it fits with the idea that with cyber, if you can’t protect yourself, it will be very difficult for you to protect the organisation”. If you can touch someone’s personal life, “that really pays off”, he added.

Activities such as webinars, lunch and learns, holding sessions on safety when online gaming, and launching a cyber champions programme, are just some of the ways Nasser has aimed to increase cyber awareness and education amongst staff at his trusts, he shared. “These are all optional activities,” he said, “but they’re to inspire those who have a little bit of interest in cyber, because once you tackle them, they then pass that knowledge into their teams, so for example if a phishing email comes in, they’ll let me know, but they will also send an email to their whole team to tell them not to click on the link.” That is “way faster” than anything that the cyber security team themselves could do, he considered.

Tips for maintaining cyber security during procurements

Nasser moved on to consider some tips for maintaining cyber security during the procurement process, both within cyber-specific procurements and in general. When you’re looking for a cyber product, it’s important to know the market, he said, “talk to different vendors – even if you’re not planning on procuring certain systems, just maintaining that knowledge of what’s out there is so invaluable”. By learning how certain products work, and building those relationships with vendors early on, “you get a good idea of what works for you”, he went on, “because not every product is fit for every organisation”. Learning from other trusts’ experiences is valuable, he considered, “but don’t fully rely on that, because their environment might be totally different”.

The other side of procurement, around clinical systems, is “when risks start to come in”, according to Nasser. “You might have something that’s amazing for your clinicians, and they want that ASAP, which puts you under pressure in cyber to get that across the line,” he said. “One thing I’ve learned is not to be the blocker all the time – if there’s a new system, run it through the usual checks, check it meets the right assurance, and so on, but instead of just shifting all of the ongoing responsibilities to the supplier, I think we need to internally be a bit more proactive.” What that might mean, Nasser continued, “is not assuming that because a supplier has ISO 27001 we can stop following up – we still need to do constant checks on suppliers to see what they’re doing and whether they’re maintaining compliance.”

Balancing innovation with cyber security is challenging, Neill told us, “as we’re in this cycle at the moment where we can really improve patient care using digital methods, and I think the next two to five years could be incredible, so we do need to have good conversations about that, and we also need to ensure we have a lot of rigour, like Nasser said, when it comes to post-procurement.” At the moment, all of this work is being done individually, he continued, “but one of the opportunities within our ICS cyber strategy is to actually collaborate on those activities, which will make it easier for suppliers, because they’re not having to do things for every single trust within our ICS; but it also makes it easier for us, as we can dedicate the time and resource needed to get the outcomes we’re looking for.” 

Once that work is done, Neill said, “we’ll then be able to talk about roadmaps and how third-party suppliers are actually going to improve during the lifecycle of the project, as well – we had that recently, where MFA wasn’t part of the suite, and we talked through the rollout and got that added, so we got the assurance we needed.” That was a “win-win”, according to Neill, “because for the supplier, when they then go to other Trusts, they will already know to have that in place”. When it comes to legacy systems, “we need to start going back through all of our suppliers and checking the risk”, he added, “because that helps you prioritise the digital transformation and drive those conversations with those on the frontline, so we can make the transition to modern applications and infrastructure.” 

Going back to Neill’s point about doing things at an ICS-level, Martin agreed that this would save time from a supplier standpoint, and pointed to the opportunities that this approach offers for knowledge-sharing. “It’s trying to put those best practices in place, because systems and products can often be implemented in so many different ways, and it’s trying to find that balance and simplicity to help meet the limitations around staff time internally, as well, when it comes to managing something or running that,” he said.

Martin also highlighted Nasser and Neill’s points about the constant reviewing of tools and solutions, “because things change, workflows change, people change, businesses change – just because it’s correct today, doesn’t mean it’ll be correct tomorrow, so having that constant evaluation in place is key across the market.”

Where does the NHS need to be in 1-2 years to improve cyber security?

Answering a broader question, panellists considered where the NHS needs to be in the next 1-2 years to improve cyber security and maturity levels across the board. “In my opinion, cyber security still needs to be fully recognised and understood as a profession within the NHS,” Nasser told us, “because I think the NHS is very aware of the threats we face in the health sector, but we still need to better understand the people within cyber security and the specific roles that are needed and know where cyber security sits within an organisation.” Tackling that, and getting a better understanding of what is needed in terms of the people over the next couple of years, would “put us in a much better place”, he added.

Recruitment and retention are a known issue for cyber, Nasser continued, “and part of NHS England’s strategy is to improve that, but I think one way we can do that is to look internally within our organisations and see where we can bring in that talent, who are already on board and want to work in cyber, to give those people an opportunity to contribute.” Reporting on his own experience of doing just that, “it’s working quite well”, he observed, “as you never know what you’ll find. I wasn’t always an IT person – it took somebody giving me that chance.”

“One thing that we’re headed towards is more convergence,” said Neill, “so we’ve talked about how we do things better at scale – the same thing is happening across the organisation, like in our operations teams, because they’re setting up elective hubs with multi-provider delivery, and that will mean that we’ll start converging systems like EPR, which itself poses a risk.” Getting the funding in place is essential, he went on, “in order to deliver cyber resilience at scale, including the tools, the skills, and the technical bits.” 

We’re “moving to a different place”, Neill considered, “and we need to work out rapidly how we can get the investment and change our approach to a much larger scale, which we’re going to have to work with the supply chain to achieve”. Suppliers have access to skills that probably aren’t available in the NHS, Neill shared, “and understanding what we have, where the gaps are, and who the people or organisations are who can fill those gaps, is a critical area we need to focus on in the next couple of years.” 

Martin agreed that there’s a need to focus on the education piece for users in the immediate future. “I really like the idea of pointing it back to cyber from a personal standpoint,” he said, “and I see that doing 2FA for my son, who’s five and just starting to use technology. If I can ingrain that into him from such a young age, it’s just going to bring the next generation into it, and helping people bring that back to their personal lives can help them understand that need better.”

Making education “simple yet relatable” for users is key, Martin went on, “and I think that would change the cyber landscape we have”. Starting with the person, then moving on to look at the processes and products, will really help organisations strengthen their cyber posture, he concluded.

Noting the upcoming Cyber Security and Resilience bill, Neill said: “I’m looking for that to make sure the regulators have got the right opportunity to be a bit more robust in laying out the legislation and how people need to behave, even going as far as the penalties that need to be in place. We’re seeing too many supply chain attacks now, where people haven’t necessarily put in the rigour we’d expect, so I’m hoping that will change the landscape and help our partners work better with us in future.”

How can the CCIO and clinical informatics team better support the cyber security function?

Responding to an audience question about how the CCIO and informatics team can better support the cyber security function, Nasser outlined that from a cyber perspective he would benefit from more interaction with those different roles across the organisation, saying that as cyber security manager he “doesn’t often get the opportunity for that interaction”, unless something has happened that means their involvement is required. “Having that openness for your staff to approach you and ask questions would be a massive benefit,” he said. That interaction would open up the dialogue to begin to discuss different risks, he added, “and I’d probably come to you and pick your brain, after that, about your day-to-day role and what the risks look like.”

“I work with the CIO, CCIO and the safety officer a lot,” said Neill, “and one of the key areas there is around the safety aspect – they’ve got a great understanding of risk and harms, by the very nature of their roles, so I think they’ve got a fantastic amount of insight to provide for cyber.” An example of that might be with medical devices, he shared, “and making sure we understand the risks around that vulnerability to hacking, or what might happen if they are compromised and what the risks are there.” 

Informatics is “an interesting one”, Neill considered, “and reporting could be one element of it”. At Dudley, his team have created a cyber dashboard, he told us, “which is using the Power BI functionality from the informatics team and making insight accessible, using their skills in order to display that information for everyone.” 

We’d like to thank our panellists for taking the time to share these insights with us.