8 February 2018

Cybersecurity in the NHS (part two) – Separating people from passwords

Andy Harris

Privileged Access Management for the NHS – A troublesome political climate has put the NHS, like many other Public Sector organisations, under immense pressure to cut costs and drive operational efficiencies whilst simultaneously embracing new digital methods, in a bid to improve services. As a result, proper and entirely necessary data security controls have not yet been totally embraced…

As the NHS seeks to improve, the outsourcing of IT contracts has increased, and the data security controls that should protect staff and patients during digital change have been neglected. One recent cyber-attack, for example, was in part due to a hospital not updating its computer systems, leaving frontline Windows systems unpatched and vulnerable. Such lapses in data integrity and quality harm the public's trust in an organisation, and that is something the NHS surely cannot afford to let happen.

Last year, however, the Government announced that it was officially on board with a National Cyber Security Strategy. The new NHS budget for 2017/18 is £124.7bn ($166.6bn), a weighty sum that is close to the GDP of Kuwait, $110.9bn*. Chancellor Philip Hammond’s announcement of the £1.9bn additional investment in cyber-security funding looks set to change the face of public sector cybersecurity.

The Government’s ‘Your Data: Better Security, Better Choice, Better Care’ report announces that to strengthen the safeguarding of information, the National Data Guardian’s position will be put on a statutory footing and stronger sanctions will be introduced by May 2018 to protect anonymised data. This will include severe penalties for negligent or deliberate re-identification of individuals.

The report also announces plans to provide patients and the public with greater access to, and control over, their personal data, and supports research, training and planning across the health system to build confidence in the importance of secure data to provide better care and service.

The Government’s new cybersecurity strategy aims to make the UK the safest place in the world to do business. Staying a step ahead of the cybercriminals will require strong collaboration between the Private and Public sectors in terms of research and development of cyber security technology and software. Collaboration and efficiency through technology and cybersecurity is essential.

NHS Digital have stated that the “overarching objective is that by 2020 we will have revolutionised the way technology, data and information are used to transform the delivery of England’s health and social care services.”

The top four areas of weakness for the NHS in terms of cybersecurity are currently identified as:

  • Compromised privileged users (including users who are unaware of being compromised)
  • Inadequate IT architecture / systems
  • Inadequate staff training on security protocols
  • Not enough skilled employees to protect data or systems

In essence, it's about gaining control. Privileged account abuse is one of the most critical security challenges facing businesses today. Every IT infrastructure is managed by privileged users: users granted elevated control, through privileged accounts, so that the uptime, performance, resources and security of the infrastructure meet the needs of the organisation. Uncontrolled access to these accounts by insiders and third parties (such as the many NHS contractors) leaves an organisation exposed to data leaks and breaches, and the damage to the organisation, its reputation and its patients' trust can be irreversible.

Permanently removing the risk

The use of digital technology will increase over the next few years, and it's essential for any business plan to learn what it can mean for improving outcomes, and how to use it to improve efficiency and grow opportunities for your business.

Privileged accounts and their users need addressing as the gaping hole in every organisation's security that they are. Osirium's Privileged Access Management solution, the PxM Platform, addresses both security and compliance requirements by defining who gets access to what, and when.

End-to-end accountability

The PxM Platform enables every privileged account on every device to be given a particular, defined state. Businesses can use the solution without making any changes to their device estate. Security and compliance are incorporated by mapping who can use these accounts, and by controlling what happens to the passwords used to access them. Rules can be defined per device, ensuring that password compliance policies are not only met but exceeded. An individual, complex, generated password is used for every managed account, so a credential harvested from one device cannot be reused on another; this blocks lateral movement by anyone who has not been explicitly granted access.

Osirium's Privileged Access Management solution provides a full audit trail showing exactly who has accessed what, where, when and how, together with the identity-to-role mapping that was used. Because each device's audit events are tied back to a named person rather than a shared account, this information becomes far more valuable to SIEM systems: it integrates with existing solutions and removes the manual cross-referencing otherwise needed to work out which individual was behind a privileged session.
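To make the two paragraphs above concrete, here is an added worked example written for this page; it is not Osirium's code and does not use the PxM Platform's API. It models the pattern described: a broker holds every managed account's password, each account gets its own generated password that satisfies a per-device policy, a person is authorised through an identity-to-role-to-account mapping, the secret is injected into a launcher rather than shown to the person, and every decision is written as an identity-enriched audit record in newline-delimited JSON for a SIEM. The device names, user identities, roles and the `connect` launcher callback are constructed for illustration.

```python
"""Added example: minimal model of a privileged access broker.
People never receive the password; every managed account gets its own
generated secret meeting a per-device policy; every access decision is
written as an identity-enriched audit record ready for a SIEM."""
import json
import secrets
import string
from dataclasses import dataclass

CLASS_CHARS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{}",
}


@dataclass(frozen=True)
class PasswordPolicy:
    """Per-device rule: minimum length and the character classes that must appear."""
    length: int = 24
    classes: tuple = ("lower", "upper", "digit", "symbol")


def meets_policy(password, policy):
    """True if the password is long enough and contains every required class."""
    if len(password) < policy.length:
        return False
    return all(any(ch in CLASS_CHARS[cls] for ch in password) for cls in policy.classes)


def generate_password(policy):
    """Draw from a CSPRNG until the candidate satisfies the policy (a few tries at most)."""
    alphabet = "".join(CLASS_CHARS[cls] for cls in policy.classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if meets_policy(candidate, policy):
            return candidate


class PrivilegedAccessBroker:
    """Holds the vault; users get a brokered session, never the secret itself."""

    def __init__(self):
        self._policies = {}        # device -> PasswordPolicy
        self._vault = {}           # (device, account) -> password, known only here
        self._account_roles = {}   # (device, account) -> roles allowed to use it
        self._user_roles = {}      # user identity -> roles held
        self.audit = []            # one record per access decision

    def add_device(self, device, policy=PasswordPolicy()):
        self._policies[device] = policy

    def manage_account(self, device, account, allowed_roles):
        """Take over the account: set a fresh unique password and map roles to it."""
        self._account_roles[(device, account)] = set(allowed_roles)
        self.rotate(device, account)

    def rotate(self, device, account):
        """New generated password per account; reuse across accounts is rejected."""
        policy = self._policies[device]
        password = generate_password(policy)
        while password in self._vault.values():   # astronomically unlikely, but enforced
            password = generate_password(policy)
        self._vault[(device, account)] = password

    def grant(self, user, role):
        self._user_roles.setdefault(user, set()).add(role)

    def request_session(self, user, device, account, connect, reason=""):
        """Authorise via identity -> role -> account, then inject the secret into
        `connect` (a stand-in for an SSH/RDP launcher). The caller never sees it."""
        roles = self._user_roles.get(user, set()) & self._account_roles.get((device, account), set())
        record = {"user": user, "roles_used": sorted(roles), "device": device,
                  "account": account, "reason": reason,
                  "result": "granted" if roles else "denied"}
        self.audit.append(record)
        if not roles:
            return None
        return connect(device, account, self._vault[(device, account)])

    def siem_lines(self):
        """Audit trail as newline-delimited JSON, identity already attached to each event."""
        return [json.dumps(r, sort_keys=True) for r in self.audit]


def demo():
    """Constructed scenario (hypothetical names): a contractor and a trust engineer, two devices."""
    broker = PrivilegedAccessBroker()
    broker.add_device("pacs-01", PasswordPolicy(length=32))
    broker.add_device("hl7-gw", PasswordPolicy(length=24))
    broker.manage_account("pacs-01", "administrator", {"pacs-admin"})
    broker.manage_account("hl7-gw", "root", {"integration-admin"})
    broker.grant("alice@contractor", "pacs-admin")
    broker.grant("bob@trust", "integration-admin")

    injected = []

    def connect(device, account, password):   # simulates credential injection by the launcher
        injected.append(password)             # only the launcher ever holds the secret
        return f"session:{device}:{account}"

    granted = broker.request_session("alice@contractor", "pacs-01", "administrator", connect, "ticket 4417")
    denied = broker.request_session("alice@contractor", "hl7-gw", "root", connect, "no ticket")
    return broker, granted, denied, injected


if __name__ == "__main__":
    broker, granted, denied, injected = demo()
    print(granted, denied)
    print("\n".join(broker.siem_lines()))
```

The point to notice is that `request_session` returns a session handle, not a password: the contractor's second request is refused because no role she holds maps to `root` on `hl7-gw`, and both the grant and the refusal land in the audit trail with her identity and the roles used, which is exactly the context a SIEM otherwise has to reconstruct by hand.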

*World Development Indicators database, World Bank, 15 December 2017