NHS Digital has announced £20 million to create its own Security Operations Centre (SOC). The SOC is charged with keeping the NHS safe from cyber-attack. In addition to monitoring national health services across the UK it will also offer cybersecurity advice and guidance to local NHS organisations.
This is the second announcement from NHS Digital in less than a week around cybersecurity. Last week it announced CareCERT, an SMS-based system to warn of cybersecurity incidents. CareCERT is being rolled out across the UK following a successful pilot.
Given the problems the NHS suffered earlier this year with the WannaCry ransomware attack, many will ask: “Is this too little too late?”
According to Dan Taylor, Head of the Digital Security Centre at NHS Digital: “The Security Operations Centre will enhance NHS Digital’s current data security services that support the health and care system in protecting sensitive patient information.”
What is NHS Digital providing?
NHS Digital is not delivering this project on its own. It is looking for an experienced cybersecurity partner. It will offer them a contract of between three and five years to provide additional support for the project. The project itself will deliver:
- A monitoring service which analyses intelligence from multiple sources and shares guidance, advice, threat intelligence and remediation to relevant contacts in health and care
- On-site data security assessments for NHS organisations, to enable them to identify any potential weaknesses and to get the best value from local investment
- Specialist support for any NHS organisation which believes it may have been affected by a cyber security incident
- Ongoing monitoring of NHS Digital national systems and services.
How much of this will be delivered by the partner and how much by NHS Digital is unclear. It would make sense for the UK government to have access to its own threat intelligence service. This is something that the National Cyber Security Centre (NCSC) should deliver. At the moment it doesn’t. This raises the question of whether NHS Digital will subscribe to a partner’s service or buy in the data and build its own.
A partner certainly makes sense for carrying out the early stage data and IT security assessments. The size of the NHS estate combined with the complexity and age of its systems means this will not be an easy task. It will require parallel visits to thousands of locations to ensure that the overall assessment can be done quickly. Only at that point can NHS Digital begin to deliver any form of realistic service.
Ethical hackers to test NHS cybersecurity
Interestingly, in the press release Taylor says: “The partnership will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities.
“It will also allow us to improve our current capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software, and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats.”
The use of ethical hackers and forensic analysts is important. Ethical hacking will allow NHS Digital to test its own security continuously, finding weaknesses and addressing them before cybercriminals do. The question is whether it should do this itself or use external penetration testing. Using forensic analysts is also important.
Too often the data required by the police to trace and prosecute hackers is lost by poor evidence gathering after an attack. This is because the primary response to an attack is not to gather evidence but to get systems up and running. The forensics are also important in that they show how the attack was able to occur and what needs to be done to prevent a repeat.
Unfortunately this project is not aligned with the new CyberFirst Degree Apprenticeship. It would make sense for the NHS to work with GCHQ where the apprentices could spend part of their time inside the NHS. It would provide them with a different perspective on protecting systems and expose them to real world challenges.
Matt Lock, Director of Sales Engineers at Varonis commented: “The NHS must be able to attract and retain top talent, which is often a challenge for public organisations. An SOC is an important piece of the overall security posture for large organizations, but continuous improvement and advancements are critical parts of the equation.”
What does this mean?
It is easy to criticise the announcement of this project as ‘too little too late’. It may have taken several cybersecurity incidents, including WannaCry, to get here. However, at least NHS Digital is now doing something about it. The announcement does expose a more serious issue at the heart of the UK government’s approach to cybersecurity.
There is no mention of the NCSC or GCHQ, and no threat intelligence or other service being provided to all central and local government departments. Instead NHS Digital is to buy in or build its own threat intelligence service, which will inevitably mirror that of other departments. This is not only a waste of resources but a lack of joined-up cybersecurity, which creates opportunities for hackers to exploit.
Will this make the NHS harder to attack? It should, but much depends on how quickly and effectively this is implemented.
Perhaps the last word should go to Taylor who says: “By creating a national, near-real-time monitoring and alerting service that covers the whole health and care system, the SOC will drive economies of scale, giving health and care organisations additional intelligence and support services that they might not otherwise be able to access.”