Emma Velle, Cisco’s cyber specialist for the NHS and local government, conveys the Lancashire and South Cumbria Health and Social Care Partnership’s perspective on the issues
It is now widely known in the health service that the cyber threat is ever present, and there is a growing realisation that it will intensify with the increasing use of connected medical devices and internet of things (IoT) technology.
A growing number of tools are on the market to combat the threat, but they will not be sufficient by themselves to keep it at bay. Resilience depends as much on organisations and people as it does on technology.
David Willis, senior information security officer for the Lancashire and South Cumbria Health and Social Care Partnership, conveyed this point in his presentation to the recent UKAuthority Resilience and Cyber4Good conference.
He said the dynamics of cyber security in the health and care sector are changing with the gradual integration of health and social care, and with many of the factors affecting the demand for healthcare lying beyond the remit of the NHS, such as those in housing and environmental health. The health service has to work and share information with other organisations, which creates the potential for more points at which its digital infrastructure could be attacked.
Defending these involves more than finding the right technology tools. An organisation's cyber specialists need to fully understand what it does, what its challenges and costs are, the points where its infrastructure could be threatened, and what the impact will be if IT fails.
Explaining the role
“It’s a big ask, but the more you begin to understand what happens if it fails the more you will be able to explain the need for your role,” Willis said.
Equally crucial is to ensure the organisation’s senior people understand what the cyber team does and that it does not have sole responsibility for security. It helps to talk to them not so much about technology but risk and the business benefits from strong defences, with an emphasis on how the infrastructure supports the information they need to do their jobs.
“The better the relationships built the better the outcomes,” he said.
Working with Cisco, the Lancashire and South Cumbria Partnership has developed an approach for resilience involving four key steps. First is to get full visibility of the cyber risk at the local organisational level, and second to develop a solution for responding to incidents in real time. Third is to understand the capacity, capability and sustainability of the teams involved, and fourth to stage a series of regional events for digital emergency planning, resilience and response.
Willis said a programme is underway to create a response solution that is granular and automatic, and that technology tools have now been deployed in three of the five NHS trusts attached to the partnership’s network, applied not just to computers but IoT devices and clinical equipment.
“The last one’s hard to do,” he said. “The kit links into the network infrastructure so we can microsegment at network level to give us control.”
These tools provide a picture of which staff are logging into the systems at which times, the information they are adding and which clinical equipment is being used, not just by one organisation but others in the partnership. The latter point can provide additional benefits: one in making it possible to spot spare capacity and when necessary redirect patients to another of the partners; another in providing information that can be used in a safe ‘playpen’ environment for staff training.
It can also be shared with other organisations to spread the message of where there could be risk in the system.
“What we now need to do is integrate the tooling with tooling in other parts of the business,” he added. “We need to know where kit sits by pulling information from information asset registers then further populating them. And we have to allocate people responsible for that kit.”
He emphasised the role of people and the need to build the overall capability, saying: “Cyber is a team sport and we are only as strong as the weakest link.”
The need for such efforts is being intensified by the move towards integrated care, and the fact that most of the organisations involved were initially set up well before digital infrastructure became integral to their operations.
In South Lancashire and Cumbria there is an ongoing effort to turn them into digital organisations with the provision for a robust defence against cyber threats. This comes with the need to strengthen the understanding that sharing information will be a crucial element of their operations, within the parameters of what information should be shared and with which people.
It reflects the priorities of Cisco in its work with the health and care sectors. It sees the need for their digital and cyber capabilities to evolve as their structure takes a new shape, with a strong emphasis on information flows, data sharing and information governance.
Cisco is also collaborating with the University of Central Lancashire in providing its Network Labs for students and the Cisco Networking Academy to encourage more young people into cyber security.
We are on a journey towards keeping health and care secure and building trust.
Cisco provides a range of cyber security products and solutions that can all be integrated within its SecureX security platform.
You can view Emma Velle and David Willis' session at AI & Data4Good 2022 below: