Supporting NHS Cybersecurity During COVID-19 is Vital
The current crisis is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.
Nurse uses a wireless electronic tablet to order medicines from the pharmacy at The Queen Elizabeth Hospital, Birmingham, England. Photo by Christopher Furlong/Getty Images.
The World Health Organization, US Department of Health and Human Services, and hospitals in Spain, France and the Czech Republic have all suffered cyberattacks during the ongoing COVID-19 crisis.
In the Czech Republic, a successful attack targeted a hospital with one of the country’s biggest COVID-19 testing laboratories, forcing its entire IT network to shut down, urgent surgical operations to be rescheduled, and patients to be moved to nearby hospitals. The attack also delayed dozens of COVID-19 test results and affected the hospital’s data transfer and storage, affecting the healthcare the hospital could provide.
In the UK, the National Health Service (NHS) is already in crisis mode, focused on providing beds and ventilators to respond to one of the largest peacetime threats ever faced. But supporting the health sector goes beyond increasing human resources and equipment capacity.
Health services ill-prepared
Cybersecurity support, both at organizational and individual level, is critical so health professionals can carry on saving lives, safely and securely. Yet this support is currently missing and the health services may be ill-prepared to deal with the aftermath of potential cyberattacks.
When the NHS was hit by the Wannacry ransomware attack in 2017 - one of the largest cyberattacks the UK has witnessed to date – it caused massive disruption, with at least 80 of the 236 trusts across England affected and thousands of appointments and operations cancelled. Fortunately, a ‘kill-switch’ activated by a cybersecurity researcher quickly brought it to a halt.
But the UK’s National Cyber Security Centre (NCSC), has been warning for some time against a cyber attack targeting national critical infrastructure sectors, including the health sector. A similar attack, known as category one (C1) attack, could cripple the UK with devastating consequences. It could happen and we should be prepared.
Although the NHS has taken measures since Wannacry to improve cybersecurity, its enormous IT networks, legacy equipment and the overlap between the operational and information technology (OT/IT) does mean mitigating current potential threats are beyond its ability.
And the threats have radically increased. More NHS staff with access to critical systems and patient health records are increasingly working remotely. The NHS has also extended its physical presence with new premises, such as the Nightingale hospital, potentially the largest temporary hospital in the world.
Radical change frequently means proper cybersecurity protocols are not put in place. Even existing cybersecurity processes had to be side-stepped because of the outbreak, such as the decision by NHS Digital to delay its annual cybersecurity audit until September. During this audit, health and care organizations submit data security and protection toolkits to regulators setting out their cybersecurity and cyber resilience levels.
The decision to delay was made to allow the NHS organizations to focus capacity on responding to COVID-19, but cybersecurity was highlighted as a high risk, and the importance of NHS and Social Care remaining resilient to cyberattacks was stressed.
The NHS is stretched to breaking point. Expecting it to be on top of its cybersecurity during these exceptionally challenging times is unrealistic, and could actually add to the existing risk.
Now is the time where new partnerships and support models should be emerging to support the NHS and help build its resilience. Now is the time where innovative public-private partnerships on cybersecurity should be formed.
Similar to the economic package from the UK chancellor and innovative thinking on ventilator production, the government should oversee a scheme calling on the large cybersecurity capacity within the private sector to step in and assist the NHS. This support can be delivered in many different ways, but it must be mobilized swiftly.
The NCSC for instance has led the formation of the Cyber Security Information Sharing Partnership (CiSP)— a joint industry and UK government initiative to exchange cyber threat information confidentially in real time with the aim of reducing the impact of cyberattacks on UK businesses.
CiSP comprises organizations vetted by NCSC which go through a membership process before being able to join. These members could conduct cybersecurity assessment and penetration testing for NHS organizations, retrospectively assisting in implementing key security controls which may have been overlooked.
They can also help by making sure NHS remote access systems are fully patched and advising on sensible security systems and approved solutions. They can identify critical OT and legacy systems and advise on their security.
The NCSC should continue working with the NHS to enhance provision of public comprehensive guidance on cyber defence and response to potential attack. This would show they are on top of the situation, projecting confidence and reassurance.
It is often said in every crisis lies an opportunity. This is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.
It is an opportunity to lead a much-needed cultural change showing cybersecurity should never be an afterthought.
Latest News from
Presidential Tactics Pose Grave Threat to America's Democracy02/06/2020 14:15:00
The brutal killing of George Floyd in one of America’s most progressive cities has catapulted race politics to the top of the national agenda.
Does Restricting Travel During a Pandemic Work?21/05/2020 12:20:00
The World Health Organization (WHO) has consistently advised against restricting travel and trade during outbreaks. But most countries have still imposed restrictions to prevent the import of COVID-19. WHO needs to rethink its approach.
Democracy Delayed: COVID-19’s Effect on Latin America’s Politics20/05/2020 17:11:00
Democracy is often depicted as a means to peacefully resolve political conflict and socioeconomic discontent. But what happens when that essential safety valve of elections has been closed off?
Accelerating Innovation in Food Systems Needs Transparency and Dialogue20/05/2020 16:33:00
Innovation requires a high failure rate so, while many new technologies may fail, investment in development, testing and social acceptability is crucial to the future of our food systems.
COVID-19 Will Reshape Our Relationship with the State13/05/2020 16:33:00
Although it is not yet known how coronavirus impacts on politics, it will almost certainly fundamentally reshape the relationship between citizen and state.
In the COVID-19 Era, Healthcare Should be Universal and Free13/05/2020 13:38:00
Coronavirus is the ultimate example of why we need universal health coverage because, if anyone is left out, it threatens the health security of everyone.
Coronavirus: Nigeria’s ‘Fiscal Flu’13/05/2020 12:48:00
Beyond the immediate concerns of containing the spread of COVID-19, Nigeria’s greatest challenge – a fiscal crisis of historic proportions – is beginning to unfold.
Coronavirus Vaccine: Available For All, or When it's Your Turn?05/05/2020 15:10:00
Despite high-level commitments and pledges to cooperate to ensure equitable global access to a coronavirus vaccine, prospects for fair distribution are uncertain.
Can Protest Movements in the MENA Region Turn COVID-19 Into an Opportunity for Change?30/04/2020 15:10:00
The COVID-19 pandemic will not in itself result in political change in the MENA region, that depends on the ability of both governments and protest movements to capitalize on this moment. After all, crises do not change the world – people do.