Comment / Getting the basics right for cyber defence

25 May 2022 Jonathan Pownall

It's now five years since the NHS was hit by the WannaCry cyber attack in May 2017. Despite this being a relatively unsophisticated attack, and not specifically aimed at the NHS, it had potentially serious implications for the ability to provide care to patients. So what is the situation now and what do healthcare bodies need to do to respond?

In its latest annual report, the National Cyber Security Centre (NCSC) describes ransomware as the most immediate cyber security threat we are facing. More recently we have seen new variants of ransomware using the ‘double extortion model’. With this approach, attackers combine disabling the victim’s systems with stealing data and threatening to make it public if the ransom is not paid. This puts additional pressure on the victim to pay up, as even if they are able to restore the system from a backup, data breaches expose them to potential regulatory penalties.

Unfortunately, the other threats on that list haven’t gone away. The March 2021 Microsoft Exchange servers incident, in which a sophisticated attacker used zero-day vulnerabilities to compromise at least 30,000 separate organisations, highlighted the dangers posed by supply chain attacks. There are plenty of examples in the news of other incidents, both malicious and accidental, which have put data, operations and organisational resilience at risk in both private and public sectors.

And following Russia’s invasion of Ukraine earlier this year, the NCSC has warned of a heightened threat from Russian-aligned cyber-criminals. Some of these groups have recently pledged support for the Russian state and have threatened to conduct malicious operations in retaliation against countries providing support to Ukraine.

The government recently published its new cyber security strategy, specifically aimed at building a cyber-resilient public sector. Resilience is key in underpinning its vision to make the UK a cyber power in a world increasingly shaped by technologies that offer many benefits but also pose risks.

The strategy reiterates that government remains an attractive target for a broad range of malicious actors with 40% of incidents in 2020/21 affecting the public sector. And with the greater use of telemedicine and other digital care services as a result of the Covid-19 pandemic, the potential for disruption in the healthcare sector is also increasing.

The main priorities highlighted in the strategy are protecting key assets and ensuring the uninterrupted continuation of vital services. The strategy also aims to enable the development of skills and capability in cyber awareness and risk management. These themes will be echoed in the forthcoming cyber security strategy for health and social care.

These strategies are welcome given the increasing threat environment the UK is facing. To succeed, they will need to overcome a range of challenges that we have come across in our work on digital and cyber security. Two of the key ones are:

  • the public sector will need to overcome known legacy and data issues in a situation where IT assets are not always catalogued or risk assessed, and where data quality varies across expanding and interconnecting supplier systems that increase the likelihood of vulnerabilities; and
  • cyber risk management with effective escalation and mitigation will need to be established, while also aligning disparate central and arm's-length bodies across public services to focus on the right things, in the right way, at the right time.

But one thing that most experts agree on is that our best defence is getting the basics right. Many of the attacks that we have seen recently could have been avoided if individuals and organisations had followed recognised good practice. This includes actions such as implementing formal information security regimes, avoiding unsupported software, and adopting good password practices.

To help with this, the National Audit Office has produced Cyber and information security: good practice guide, which addresses these and a number of other challenges. This does not seek to replace specific guidance from the NCSC, NHS Digital and other authorities, but enables those in charge of governance to ask the right questions of their organisations to help them understand and question the management of cyber security and information risk.