Davey Winder: Is NHS cyber security crabbing sideways rather than sprinting for the finish line?
- 3 October 2019
NHS Digital recently signed a new security contract with Accenture that will provide free “leading-edge perimeter security features” to hospital trusts. Working alongside the National Cyber Security Centre (NCSC) and NHSX, NHS Digital procured the contract in order to enable NHS organisations to better secure and manage the digital networks that they use.
The deal includes free access to such products and services as a next-generation firewall, web content filtering, network intrusion detection and prevention and secure DNS. At the time, Rob Shaw, deputy chief executive of NHS Digital, said: “this is cutting-edge technology that will help keep patient information and NHS systems safe, at no cost to local organisations.”
There’s no doubt that a data-driven healthcare provider, and make no mistake that’s what the NHS is, needs the right tools for the cyber security job.
That these tools can be provided at no cost to the hospital, clinic or GP, is great. Indeed, anything that helps push the NCSC Active Cyber Defence (ACD) programme, and so reduce the phishing and malware threat at the healthcare coalface if you’ll excuse the mixed metaphor, is OK by me. But is a perimeter security solution really the way forward when, for the longest time, the info-security industry has been warning that the secure perimeter concept is dead as far as strategic posturing is concerned?
Of course, this “Perimeter R.I.P” message has been shouted loudly for at least a decade now, yet perimeter defence solutions continue to prosper despite the blurring of network boundaries almost to vanishing point. The argument that trusting everything inside the network, and not trusting that which is external, is a dead duck. After all, there are now way too many endpoints (IoT devices and ‘shadow’ cloud apps sound familiar?) to be able to determine the real intention of network traffic flow in and out?
The zero-trust issue
“The NHS Secure Boundary will enable NHS organisations to better detect, analyse and prevent cyber security threats while allowing national and local organisations to respond at pace to emerging incidents and risks,” Dan Pearce, interim chief information security officer at NHS Digital, says.
“It will be available to NHS organisations that want to adopt the service, along with a support package to help them to complete the requirements necessary to move from their existing arrangements to the NHS Secure Boundary.”
So, what about the idea of zero-trust?
“While zero-trust is a robust and proven security architecture that could significantly assist the NHS to realise its strategic objectives,” Pearce says.
“Achieving this in a sustainable manner will take time. The NHS Secure Boundary provides a significant advancement in this journey for the NHS.”
Dr Saif Abed, founding partner & director of cyber security advisory services at AbedGraham, agrees that “ultimately, a zero-trust approach should be the aspiration.”
However, Dr Abed says that all NHS cyber security investments are to be applauded and we must “acknowledge that we have made significant progress since 2017.”
This is undoubtedly true, but is the significant progress necessarily moving in the right direction? Does a perimeter security investment constitute more of a sideways crab than a sprint towards the cyber security finish line?
“Perimeters will inevitably be breached and the last thing anyone wants is to give free reign to attackers to move around a network, or even between networks, locking down or tampering with critical clinical systems and infrastructure,” Dr Abed admits.
Given that tremendous rise in IoT devices, digital assets and integration between healthcare organisations, Dr Abed argues that we have to implement measures that are scrutinising behaviour both outside and within the perimeter at all times.
Key to all of this is, then, an understanding of who has access to what, where, when and why without impeding the clinical work flow.
“A perimeter security solution isn’t the answer by itself,” Dr Abed says, “but an appropriate deployment for each trust should start to answer some of those questions and lay the foundation for further investments that build towards zero-trust in a way that works for healthcare.”
This is the critical point as far as Dr Abed is concerned: don’t view any single procurement as being a silver security bullet, but rather as just one part of the defensive puzzle.
Living in the past?
Not everyone I spoke to was so convinced.
Take Ian Thornton-Trump, head of cyber security at AMTrust International. While not currently working in the healthcare sector himself, Thornton-Trump is a veteran of the info security business with a lot of hard-earned experience, including healthcare security, and a tendency to shoot from the hip.
“Perimeter security is so 2015,” he told me, adding: “I’m not sure if NHS Digital received the memo, but it’s time to go with a cloud and security-as-a-service (SaaS) first strategy like the rest of the world.”
I pressed Thornton-Trump on this and he admits that such a strategy would be “complicated, difficult and fraught with problems,” but insisted: “There are plenty of non-patient facing systems that would be perfect candidates for public cloud or a SaaS replacement including all the latest and greatest security controls.”
As someone who has been covering cyber security industry trends since before there was an cyber security industry, or at least before it was called that, I’d have to concede that Thornton-Trump has a point.
His argument is that there is no perimeter; medical professionals are using personal devices and corporate devices from inside and outside locations, and doing so constantly. “In a former life I spent five years as a Healthcare Enterprise Security Architect,” Thornton-Trump explains.
“The first thing you need to do is to make an investment into segmentation and isolation of patient facing systems. Robust identity and access management with 2FA (two-factor authentication) protections on any patient facing services, comes next, along with mandatory encryption for data in transit and at rest.”
What do you think? Is NHS Digital right in moving slowly towards a zero-trust future, embracing perimeter solutions in the meantime? Is Thornton-Trump, on the other hand, wrong when he warns that we are but “one more WannaCry away from the whole healthcare IT system falling over” if such a thing was deliberately targeted at the NHS by a hostile actor?
Nobody ever said securing NHS data was going to be easy, but it sure is urgent and essential that we get this right…