NHS to use text messages for breach alerts & will spend £20m on ethical hackers

NHS Digital's new SMS channel using GOV.UK Notify will help it notify all doctors and staff about high severity cyber incidents and potential attacks at all times.

NHS Digital will also spend £20 million on hiring additional cyber defence experts who will monitor existing vulnerabilities and security threats.

These two initiatives will form a major part of NHS Digital's programme to strengthen the organisation's cyber defences and to prepare for potential cyber incidents such as ransomware infections or DDoS attacks.

While launching the new SMS channel, Toby Griffiths, Innovation & Development Lead at the Data Security Centre, said that it 'offers an additional level of resilience beyond the standard channels used for sharing CareCERT updates'.

'We want to take that a step further by building a professional network across the NHS through online collaboration. The NCSC forum allows us to share information securely that we might not otherwise be able to share,' he added. Contacts in Acute, Ambulance and Mental Health Trusts, Clinical Commissioning Groups and Commissioning Support Units will receive regular SMS alerts as part of the new project.

The alerts will not only inform staff about high severity security incidents, but will also provide them with links to NHS Digital's external website for additional information on each incident. The new feature will also allow the NHS to reach staff quickly without having to rely on NHSmail or other applications.

'CareCERT is the official source of advice, guidance and national incident response for data security in health and care. Strengthening our communications in this way will ensure that key contacts are receiving critical updates during major incidents, especially when they might not have access to their email or work computer,' Griffiths added.

'Using SMS to alert key staff to cyber breaches is interesting. No doubt the NHS will have thought carefully about the effects that such messages will have on recipients,' says Jeremy Swinfen-Green, Head of Consulting at TEISS.

'Presumably they will have been told how to react in terms of communications; for instance "if you get an alert don't talk to your friends and family about it; and only talk to the media if you are authorised to do so". And they will have been told what to do if they receive an alert and are unable to go online for further information,' he adds.

In order to strengthen the security of all systems belonging to NHS Trusts and hospitals, some of which still run on legacy operating systems, NHS Digital has also decided to spend an additional £20 million to create a security operations centre composed of experienced IT consultants.

'The partnership will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities.

'It will also allow us to improve our capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating known threats,' said NHS Digital.

Through this initiative, ethical hackers will be asked to test the NHS's systems for vulnerabilities to help the organisation guard its systems against potential cyber-attacks like WannaCry. NHS Digital will also allow them to test cyber defences at NHS hospitals if they wish to do so.

'Spending money on external penetration testers and hackers seems like a good idea. There is always a danger that internal reviews will fail to spot things. "Marking your own homework" is subject to conscious and unconscious bias and using external testers is very likely to throw up potential vulnerabilities that wouldn't have been raised through internal review,' says Swinfen-Green.

Back in November, the NHS entered into a Custom Support Agreement with Microsoft, under which Microsoft agreed to offer customised security support for all PCs running older versions of Windows operating systems at NHS hospitals, clinics and trusts.

As part of the agreement, Microsoft also agreed to support the migration of all legacy systems, including those running Windows 7, to Windows 10 in the near future. Microsoft is set to withdraw general support for Windows 7 devices from 2020.

'The goal is to strengthen the security of existing Microsoft enterprise operating system estates and promises to equip organisations with the means to resist cyber threats into the long term,' said the NHS.