Earlier this week it was reported that the NHS's IT governing body is refusing to invest in cybersecurity protection as it is not considered good value for money, despite the WannaCry attack.
NHS Digital is set to ignore the IT security recommendations of its own CIO, Will Smart, quoting the estimated cost of between £800 million and £1 billion. The National Cyber Security Centre (NCSC) also endorsed Smart’s recommendations.
We asked cyber security professionals for their thoughts on the matter. Is this a disastrous mistake on the part of NHS Digital? Or is this a wise decision, freeing up the funds to invest elsewhere?
Also of interest: Security by design: what you need to know
How did we get here?
Mark Johnson, Founder and CEO of the Risk Management Group (TRMG) says the NHS has dug a hole for themselves for not following fundamental security guidelines laid out by NIST and several organisations over the decades. “Now they have the problem as the UK’s largest employer as it will be very expensive to repair,” he says.
Joseph Carson, Chief Security Scientist at Thycotic states: “This is a major lesson to why organisations and government departments will continue to fall victim to cybercrime by not listening to expert advice on how to prevent it and reduce the risk from cyber attacks. I believe the situation between the NHS and its own CIO is they haven’t approached the cybersecurity recommendations in a risk-based approach that leads with the assumption that the recommendation is a complete overhaul, versus a strategic planned approach that focuses on business critical systems and functions first.”
Also of interest: How to get the best value from cyber security conferences
But is it really worth the money?
Thom Langford, CISO at Publicis Group seems to think not. “This is a great example of the expectations of “perfect security” versus the day to day operational realities of managing a large estate with a limited budget. We can’t see all the details, but it is very likely that NHS Digital knows the state of it’s budgets and the remediation efforts it has taken better than we do. Therefore their response is completely valid. That is not to say Mr Smart was incorrect in his findings, but rather he is looking at the problem through a wholly security lens.”
Thom Langford adds: “How many more beds, nurses or services could be purchased with that proposed £1billion price tag? Of course NHS Digital has a responsibility to invest in improving it’s digital defences in light of the sustained cyber attacks, but do they really need to spend that much? Only time will tell, but for now, this response doesn’t surprise me.”
Mark Johnson says that he appreciates the huge cost to the taxpayer, but as the NHS is part of the Critical National Infrastructure - if they fail to assure business continuity - people may die. They also hold very sensitive data of high profile people, so they bear a great responsibility which they should not be allowed to avoid. He stresses: "This is not an all or nothing situation and there has to be some middle ground."
Also of interest: Editor's blog - Diversity and the skills shortage
The NHS conundrum - what should be done?
Hadi Hosn, Director of Cyber Security Solutions EMEA, SecureWorks, says that if no remediation is applied in the provider’s infrastructure, the NHS organisation as a whole will be prone to an attack and a penetration of their network defences. "It goes back to the saying ‘you are only as strong as your weakest link’ and this is completely relevant with interconnected organisations into a central infrastructure to provide joined up services and a consolidated view of patients," he states.
Hadi Hosn proposes a resolution to be taken in phases with support from the most high risk providers, third party partners and those connecting into the network and infrastructure.
“Typically with large, complex and interconnected organisations, the central cyber security team prioritises areas of the business that will act as the primary focus for security controls, and specific types of security capabilities to build. This would also include a prioritisation of the providers, partners and connections that are most risky and could expose the most sensitive information. Carrying out risk assessments like this across the business will help define a phased approach to reducing risk and improving the overall security maturity of the organisation,” he advises.