Is the NHS cybersecurity strategy to 2030 enough to protect healthcare?
With the rise in cyberattacks on the healthcare sector, boosting cyber resilience has become critical.
The UK government recently introduced the Cyber Security Strategy to 2030 for health and social care to protect the functions and services citizens depend upon. The policy outlines five pillars to achieve cyber resilience by 2030, which include focusing on more significant risks and harm, defending against threats as a single team, including all people and cultures, building a secure system for the future, and aiming for exemplary response and recovery times.
But while the strategy is a huge leap in the right direction, the current strategy outline lacks the detail and urgency seen in other national directives. And with attacks on the sector rising, quick action is needed to ensure healthcare providers can maintain services even while under attack, without the need to shut down services or move patients.
Attacks on the healthcare industry
The new policy is a positive step towards a cohesive strategy for securing the NHS. Hospitals and other healthcare providers are at the mercy of growing cyber threats. Last year, the healthcare industry suffered an average of 1,410 cyberattacks weekly per organization. That is 86 percent more attacks than they faced in 2021.
The healthcare industry globally has dealt with some of the most impactful attacks. Earlier this year, a hospital in Barcelona experienced a ransomware attack which shut down computers at the institution’s emergency room, laboratories, and pharmacies at three main centers, along with several external clinics. The hospital also had to cancel 150 non-urgent operations and check-ups of 3,000 patients.
A similar attack could easily happen here in the UK. Healthcare is a prime target for cyberattacks because an attack can put the welfare -- and even lives -- of patients in jeopardy. In particular, the new government strategy acknowledges ransomware and supply chain attacks as the two biggest threats to the healthcare industry today.
How can the government improve its cybersecurity policy?
The UK government is expected to announce a more detailed implementation plan for the cybersecurity strategy in a couple of months. This plan is likely to include proactive measures and guidance on the technology and tools to implement to reduce risk. However, medical technology is changing and advancing rapidly, and will likely be very different by 2030, so it’s imperative the policy focuses on technology for the next decade of threats, not the past decade. This includes moving away from prevention security approaches like building firewalls and network access controls and focusing on detection and containment approaches like microsegmentation and EDR.
Interestingly, the new strategy also omits measures related to the Internet of Medical Things (IoMT), the fastest-growing risk in healthcare cybersecurity. This may be because securing connected devices is taken as a given; however, I would hope to see more detail on how to strengthen security in this area, particularly as IT and Operational Technology (OT) devices continue to converge.
It also fails to reference Zero Trust -- a cybersecurity strategy based on the mantra of "never trust, always verify," and arguably one of the best security models for improving cyber resilience. It’s an approach we have seen mandated in other national strategies, such as Joe Biden’s strategy in the U.S.
Improving resilience now
While having a long-term security policy in place is essential, online attacks like ransomware require an immediate solution. We are seeing more and more cyberattacks impact patient care, so urgent steps need to be taken to reduce risk and minimize impact. In many cases, patients are redirected to another medical facility, as in a recent attack on a hospital in France, which marked the second case of this kind in the country last year.
Ransomware demands vary from $900 to $20 million; however, in some cases, the hackers demanded $1.2 billion in ransom -- that’s an extortionate amount of money our NHS simply cannot afford. With the stakes this high, more immediate steps need to be taken to shift the focus from preventing attacks to surviving them. For healthcare providers, this means starting with their biggest risks and prioritizing defenses accordingly.
With limited budget to play with, healthcare providers must prioritize investing in technology that can deliver an immediate reduction of risk while also supporting broader digital transformation. One example is Zero Trust Segmentation (ZTS) which divides departments, medical systems, applications, and data centers into distinct segments. This way, when attackers breach the perimeter and gain access to a specific system, they are contained within that particular network segment.
ZTS is critical for limiting the impact of attacks because it applies least-privilege access controls to how applications and medical devices communicate. Organizations that have implemented ZTS have also been shown to save on average $20.1 million in application downtime annually.
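To make the containment argument concrete, here is an added example (not code from the article or from Illumio) of a default-deny segmentation policy: every east-west flow needs an explicit allow rule, so a compromised host can only reach the handful of services its segment is permitted to talk to. The hostnames, segments and rules are constructed for illustration; the "flat network" mode shows the blast radius without segmentation for comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    segment: str

# Constructed inventory: a hypothetical hospital with five segments.
HOSTS = {
    "ward-pc-01":       Host("ward-pc-01", "ward-workstations"),
    "pacs-01":          Host("pacs-01", "imaging"),
    "ehr-db-01":        Host("ehr-db-01", "ehr"),
    "infusion-pump-07": Host("infusion-pump-07", "iomt"),
    "hr-db-01":         Host("hr-db-01", "corporate"),
}

# Least-privilege allow list: (source segment, destination segment, TCP port).
# Anything not listed is denied, including traffic within a segment.
ALLOW = {
    ("ward-workstations", "ehr", 443),      # clinicians use the EHR web front end
    ("ward-workstations", "imaging", 8080), # clinicians view images on PACS
    ("iomt", "ehr", 443),                   # pumps post readings to the EHR
}

def is_allowed(src: str, dst: str, port: int, flat: bool = False) -> bool:
    """Policy decision for one flow. flat=True models an unsegmented network."""
    if flat:
        return src != dst
    s, d = HOSTS[src], HOSTS[dst]
    return (s.segment, d.segment, port) in ALLOW

def blast_radius(compromised: str, flat: bool = False,
                 probe_ports=(22, 443, 445, 3389, 8080)) -> set:
    """Hosts an attacker on `compromised` could reach on any probed port."""
    reachable = set()
    for target in HOSTS:
        if target == compromised:
            continue
        if any(is_allowed(compromised, target, p, flat) for p in probe_ports):
            reachable.add(target)
    return reachable

if __name__ == "__main__":
    for mode in (True, False):
        label = "flat network" if mode else "segmented"
        print(f"{label}: ward-pc-01 can reach {sorted(blast_radius('ward-pc-01', mode))}")
```

With segmentation, a ransomware foothold on a ward workstation reaches only the EHR front end and PACS; without it, every host is exposed.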
A step in the right direction
The new government policy is a much-appreciated step toward a secure future. However, it’s important that we don’t neglect the short-term opportunities to reduce risk and build resilience through breach containment, by focusing solely on long-term resilience goals.
All eyes will be on the detailed policy implementation set to be released in the summer; however, I hope to see the inclusion of a more staggered timeline and plan for implementation improvements, similar to what we saw in last year’s TSA directive in the US.
Trevor Dearing is Director of Critical Infrastructure Solutions at Illumio. Trevor has been at the forefront of new technologies for nearly 40 years, from the first PCs through the development of multi-protocol and SNA gateways, initiating the deployment of resilient token ring in data centre networks and some of the earliest use of firewalls. Working for companies like Bay Networks, Juniper and Palo Alto Networks, he has led the evangelisation of new technology. Now at Illumio he is working on the simplification of segmentation in Zero Trust and highly regulated environments.