By Andrew Watson, Network and Security Systems Engineer, VMware
In May 2017, the WannaCry outbreak caused significant disruption around the world. The UK National Health Service (NHS) was notably affected, resulting in cancelled patient treatments and long delays. Across the world, the attack also caused critical outages and generated plenty of global news coverage.
This blog takes a look at what has changed during the last 12 months, and what still needs to be done to ensure the risk of such a scenario happening again is minimised.
The good
There are many positives to consider. The response from NHS staff should be highlighted as being exemplary. The work that went into preventing the loss of service to patients and recovering from impacted sites should not be forgotten. The excellent working relationship NHS IT staff have with industry vendors and partners should also be noted.
Another worthwhile outcome is that cyber security now has a stronger focus at an executive board level in local trusts. The evaluation of services and undertaking of risk reviews can only be a step in the right direction as local trust managers realise the important issues on the risk registers.
Finally, the threat of incidents is now very much in the public mind. Non-IT staff in the NHS are also much more conscious of attacks. Awareness campaigns and training are being delivered to a receptive staff audience as threats are now taken a lot more seriously.
The bad
Policy, policy, policy. Much has been written in the press about the central decisions being made to prevent a repeat of WannaCry. However, most of these recommendations are not mandated and are based around behaviour and process. There is a danger that relying on simply following a policy could become a tick-box exercise to comply with audits, rather than ensuring strategic security decisions are being made to adapt to new threats.
Patch management is an overriding theme for the recommendations. This is not always easy to achieve with multiple disparate systems operating in an ‘always available’ environment. The element of risk in patching a multi-million-pound MRI scanning service that could provide lifesaving diagnosis in the clinical pathway should not be underestimated.
The public perception arising from WannaCry was that all of the NHS used outdated systems and relied on Windows XP. This was an untrue blanket statement that overshadowed some of the fundamental issues at play. The view also didn’t do justice to the few trusts that still have an XP presence for legitimate reasons.
Legacy security controls, such as increasing perimeter security and patch management, are the main focus of technical recommendations. Yet there’s little advice on how new technology and techniques can help prevent the spread of threats once they’re inside an organisation (e.g. micro-segmentation). A forward-thinking approach to securing patient data will enable the NHS to assure the public that they can be trusted with their critical information.
The future
There have been a number of reviews and recommendations over the last year. The main area of concern is that local trusts should be identifying better methods of stopping threats in the first place – essentially creating a zero-trust network. The NHS will continue to be the target of threats (be it malicious or accidental) in years to come. Ensuring breaches are contained will limit the impact to the public.
It is imperative that the general public has confidence in the NHS’s ability to secure their data, particularly with new schemes such as the data opt-out programme. As the public demand more control and visibility over their own medical records, the NHS must prove they are taking appropriate steps to secure their patients’ personal data. Only then can they continue to conduct lifesaving medical research and improve interoperability of patient services.
What can VMware do to help?
With more interconnected services than ever before, along with a need to provide citizens access to records, provide better collaboration between trusts, make available more connected medical devices, and an aspiration to be paperless at the point of care – how can healthcare bodies keep up with the pace of change?
Applications change too quickly for security to be a bolted-on afterthought. By architecting security controls directly into the network and adding a virtualization layer on top of where applications live, apps and data are secured automatically, even as they change and grow over time. VMware gives security teams the ability to define network security policy on a granular level and respond with precision to detected threats on data centre endpoints. This ensures the deepest level of security possible while simultaneously limiting interference with end users and patients.
VMware NSX embeds security functions right into the core of the data centre out to the rest of the network, including end user computers and medical devices. It delivers granular security to individual systems and services, enabling a fundamentally more secure environment.
Security policies travel with the workloads, independent of where they are in the network. NSX enables micro-segmentation and granular security of workloads in virtualized networks, isolating sensitive systems and reducing both risk and scope of compliance. Applications and data can reside and be accessed anywhere, moving workloads from one data centre to another by deploying them into a hybrid cloud environment (all with inherent security at the core of the service).
If you’re interested in understanding how VMware Networking and Security technologies can secure your medical records, create a secure clinical desktop, protect legacy workloads and vulnerable medical devices, simply contact us to learn more.