HTN panel discusses principles, practical steps and challenges in cyber security

In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved with making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like.

As part of the discussion, we were joined by Keltie Jamieson, the CIO at Bermuda Hospitals Board, Nasser Arif, cyber security manager at London Northwest Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust and Ryan Pullen, director of Stripe OLT Consulting.

Basic principles when approaching cyber security

Starting with the key principles that make up a good cyber security strategy, Nasser highlighted the need to first “develop a skillset internally for cyber”, noting that it’s also a good idea to know what skills the members of your team already have so that you can better understand their capabilities going forward. “From there you can get a really good idea of what you can actually achieve in a short amount of time and get your organisation to at least an acceptable level when it comes to security. Whether that’s being compliant with DSPT, CAF or whatever else it might be,” he explained.

From a technical point of view, Nasser noted how “sometimes we’re overcomplicating cyber security and that doesn’t do anyone any favours”. To counteract this, he suggested that organisations should always “start with the simple things” such as MFA (multi-factor authentication) and good password management, as this will allow you to “focus on basic controls first before you try anything else”.

Picking up on Nasser’s point about developing skillsets, Keltie added: “There’s a big benefit for organisations working with a security specialist who can provide a lot of support beyond assessments and security improvements. This can include training up new security specialists as one of your first steps in your cyber security approach.”

Echoing this sentiment around getting the basics right, Ryan added: “Starting with the foundations is key and that will mean something different for different organisations, but if you don’t know what you have, it’s very difficult to know what you need to protect. Otherwise, you don’t know what you’re defending against.”

Speaking on what this looks like at Stripe OLT, he explained how his team provide end-to-end support for multiple NHS trusts, alongside providing visibility, which includes using Microsoft Associated Defender products and conditional access policies to allow people access based on “certain conditions”. Ryan outlined how this helps to ensure access is coming from a trusted device, allowing organisations to “better understand your four walls and what needs to be kept out and kept in, giving you full transparency and visibility”, which he notes is a key basic principle for any cyber security strategy.

New and evolving cyber threats

Our panel moved on to discuss the current cyber security landscape and how threats have evolved over the years. “In the NHS we’re used to hearing that ransomware is the number one threat,” Nasser said. “It affects everything and has a direct impact on the availability of services, and we want our services to be running at all times to cater for patients. Although the focus on ransomware is very important and needs to stay, we shouldn’t overlook some of the other threats out there.”

Nasser gave some examples of these other threats, starting with social engineering and phishing, which he said has seen a “big rise” in recent years, noting: “That was apparently used to launch cyber attacks like the recent retail incidents we’ve seen on the news. They started with simple social engineering, which isn’t expensive to perform and doesn’t always require as much technical effort as other attacks.” He also mentioned phishing as a “generally underestimated” cyber threat, stating that “a lot of staff members are susceptible to it if they aren’t trained properly and that’s not just in the workplace; it goes into their personal life as well”.

In comparison, ransomware is “usually seen in the enterprise environment, but social engineering and phishing go beyond that”, which is what makes them big threats to any industry, especially healthcare, according to Nasser. “NHS staff are communicating with patients and members of the public all the time, whether it’s taking phone calls or sending emails that are so susceptible to social engineering/phishing, so we really need to put the focus on preventing those simple attacks first,” he said.

Understanding and assessing cyber security maturity in healthcare

Next, we moved on to looking at how organisations can assess their own cyber security maturity, with Keltie highlighting the importance of annual risk assessments. “You want your security partner to rate you on a number of different things,” she said. “One great option is using the honeycomb system, with each segment of the honeycomb being red, yellow or green. You can use your first one to build your baseline to build your cyber security program over multiple years.”

Keltie shared how this can help identify the “low-hanging fruit to focus on” while also recognising “long-term needs and priorities”, which ultimately helps to build a business case, allowing cyber teams to get the appropriate funding. “I think that’s where you need to start,” she said, adding that such a system is a helpful way to explain cyber security to “people who aren’t cyber security experts”.

Speaking on regulation and how cyber security is assessed within the UK, Ryan highlighted the “various standards in the UK, such as CAF, DSPT, Cyber Essentials and Cyber Essentials Plus, as well as various different schemas such as NIST and CIS Benchmark”. When looking at the public sector in particular, he focused on the importance of assessing resiliency and preparedness, noting: “If you look at the National Cyber Security Centre and some of the work we do to guide organisations into a preparedness mindset, it’s more about the when not the if, because if you don’t prepare for the when, then you’re going to be caught unawares.”

Ryan then explained how the ISO 27001 and ISO 9001 certifications are a key part of cyber security compliance, while also highlighting the benefits of having “adversarial simulations, which is where a team of offensive security specialists take a look at different sector-specific TTPs and attack techniques and find out what might be coming after healthcare”. This then helps with assessing what the organisation can achieve, allowing them to work with the defensive team or cyber security team on “better preparedness, better visibility and better detection methodologies, which then leads directly into training and awareness”.

Nasser added that one of the key aspects of cyber security and cyber maturity is understanding where you can improve, stating that “having that open mind to allow someone like Ryan to come in and tell you how to improve is a key step in maturity, as you need to let someone independently review what you’ve done to get a different perspective”.

Sharing cyber security wins across the NHS

With this idea of improvement in mind, the panel discussed the importance of sharing tried and trusted methods throughout healthcare, with Ryan beginning by giving some advice: “One of the things I think everybody should do is sign up for the NCSC early-warning system if you’re not already. It’s effectively free threat intelligence, which sends an e-mail if your identity, IP address or domain is associated with any compromised breach, while also giving advice and assistance to support that.”

He went on to explain one of the key ways the NHS supports the sharing of knowledge in the cyber security sector, adding: “NHS England also has one of the largest Microsoft Defender environments in the world, so being able to support and integrate within that is quite beneficial when it comes to sharing knowledge and learning from potential mistakes.”

Sharing his own unique experience with this topic, Nasser spoke about what it was like when he started working in cyber five years ago: “We were very much working in a silo where each organisation did their own thing. At a senior level there was collaboration, but from a day-to-day point of view as an analyst, there was very little collaboration.” Because of this lack of collaboration, Nasser highlighted how easy it was to “feel alone with all these different pressures”, but noted that “everyone goes through very similar challenges in the cyber industry and that NHS England has done an amazing job at bringing the NHS cyber community together via the Cyber Associates Network”.

As a member of this network, Nasser explained how beneficial it has been for sharing information: “You can share best practices, you can share what you’ve done, whether it’s the little things or the huge implementations you’ve made. It’s a safe place to share that information because everyone’s in the same NHS cyber family.” Going into further detail, he emphasised that there’s nothing wrong with sharing ideas or asking for help. “That’s how cyber operates – you have to work as a team. This collaboration and community will live on no matter what.”

Delving deeper into the collaboration side of things, Ryan outlined that “it’s also very important to collaborate when you’ve overcome a situation as well”. Giving an example of this in action, he explained: “We identified a problem, found some specific information and shared that with NHS England, which enabled them to stop a potential, similar use case happening in 11 other trusts. So, sharing in that trusted community can also help other people from having a bad day, which can go a long way.”

Increasing staff awareness and training

Keltie explored some of the key challenges she’s found within her organisation, stating how “the biggest challenges are people and funding”. Elaborating on this, she explained that “trying to convince people that this is something that needs ongoing investment can be difficult”, but that “the publicity around some of the cyber attacks has been helpful because there’s definitely a level of fear at executive level and board level which helps when I do need to get funding”.

In order to get around some of these challenges, especially when it comes to getting staff on board, Keltie spoke about the monthly training videos her organisation sends out to staff and how important it is to find that “sweet spot” that will keep them interested. “It can’t be too long and it can’t be too boring if you want to get staff on board with it,” she said, “and some people have even mentioned how the videos have helped in their personal life.”

For Nasser, one of the key ways to increase staff awareness when it comes to cyber security is by “showing that there’s a face” behind it. “We need to put ourselves out there a little bit,” he said, “and just remind people we’re there.” He also highlighted the importance of discussing other areas of cyber outside of the workplace in order to make it easier for staff to understand and implement safe practices. “I’ve talked about mobile security, online gaming risks, securing your home WiFi and it has nothing to do with work officially, but you’re getting across the cyber mindset and key behaviours so that the staff members can bring them into the workplace.”

As an example of this, Nasser shared something from his own experience: “I was teaching some of our staff members how to add parental controls for their children when online gaming. Now this had nothing to do with the NHS, but the mindset behind protecting your children is the same privacy preserving mindset we’re trying to get across in healthcare.” He noted the importance of teaching staff “not to share certain information about the organisation and understand the risks involved.”

Nasser also highlighted the need to focus on cyber wellbeing amongst staff members, stating that “anyone who’s been on the wrong end of a scam knows the toll it can take mentally”, which is why it’s important to “teach people to look after themselves” when it comes to cyber risks. However, Nasser also noted how “trying to change the culture takes time and it’s not easy”, but one of the key things he has done in his organisations is set up a staff network granting access to resources where they can learn and find practical tips in addition to optional and mandatory training.

What the cyber industry needs now

The panel then discussed what the industry needs to move forward. Ryan took the lead on this one, stating: “I think everyone’s got the silver bullet after a compromise or an attack happens, yet 95 percent of those people don’t know what happened or how it happened.” He noted how there’s usually “more information behind the scenes, which is why preparation is key”, and for Ryan, that comes in the form of tabletop exercises, disaster recovery planning and simulated attacks.

“When it comes to regulation, the National Cyber Security Centre (NCSC) in the UK is working quite heavily on pushing people to develop software better,” Ryan said, sharing what is going on currently in the industry. “There’s a bill at the moment that’s trying to be pushed forward, which aims to ban ransom payments by critical national infrastructure in the UK,” he added, “because if the government aren’t going to pay, why would people attack UK government?”

For Keltie, education is key in terms of what the industry needs right now. “I think everyone knows about cyber security, but I don’t think the level of understanding of what it is and what cyber security professionals do in the industry or how important they are is really there yet,” she said. One of the key reasons for this, according to Keltie, is because “those roles weren’t around five or six years ago, so from a maturity level, the industry isn’t necessarily there”.

Final thoughts on the future of cyber security in healthcare

Looking ahead towards the next couple of years, Nasser shared what he thinks the focus should be for the future of cyber in the NHS and healthcare. “We’re still learning within the healthcare space what specific cyber roles we need compared with what the industry in general has across the board,” he explained. “I think in one to two years the NHS needs to be clearer on what we need in terms of roles from a day-to-day perspective, because we are using very traditional roles within cyber and I think the way the cyber industry is, there’s so much more potential to be a bit more creative.”

He also emphasised the importance of cyber skills, adding how “we need to be in a position where the NHS has that strong cyber skillset, no matter what the role is, whether technical or non-technical – the end goal is the same for all of us – we’re trying to protect the organisation as best we can and we can all play a part.”

Ryan believes one of the key changes we can expect to see in the next couple of years is “trusts being able to stand on their own two feet and understanding what cyber security actually means for them”. Keltie, meanwhile, would like to see a focus on the maturing of the industry, suggesting that “getting the baselines down, getting the risk assessments done, and starting to have a formal plan in place for cyber security” are all key features in moving forward.

We’d like to thank our panel for joining us for this discussion and sharing their keen insights into this topic.