The NHS security culture problem is a crisis years in the making

Any security measures in the NHS are going to have to fight the NHS's ambitions to share data with .... well, who?

A while ago there there was some initiative to gather patient data into some sort of arrangement to be shared with researchers. With a scientific background and a clinical trials specialist in the family I wasn't against this but wanted more details before allowing my own data to be included. The first round of questions only brought forward answers that were so woolly as to raise more questions. The second round of questions were never answered.

From my experience of working in IT for the NHS I would say 95% of clinicians don't give a hoot about security. They just want the computers/systems to work. Also, I have said for a long time that if the politicians are serious about the NHS surviving they all need to sit down, with people that actually know what they are talking about, agree a ten and twenty year plan and stick to it, regardless of which faction of half wits are 'in power' I know the chances of that happening are slim to negligible but we can all dream.

Procured kit needs regulating too.

Anonymous for obvious reasons.

I know of kit that still runs on xp over the lab networks. With nothing more than a hard to guess name for the SMB share for security. The vendor has recently moved to Win 7 for their new kit, but the same issues persist.

Toughen up the procurement policy to make sure that this cannot be allowed, make vendors HAVE to keep the kit OS updated for a minimum number of years. As well as make the board and dept heads responsible for not following security best practice and this would a good chunk of ancient insecure kit rapidly.

"Board member"...?

You're unlikely to see any senior managers in the actual hospital. They have their own gated communities on sites well away from smelly patients.

Good times

...says a lot that healthcare insiders actually miss the COVID-19 pandemic, because during that time they say the NHS was, for the first time in their careers, agile enough to allow improvements to be made without the usual onerous approval stages.

Apart from the .... well everything that happened ... absolutely this. There was a period of time at the start of the pandemic where the blob lost control and it was beautiful. Didn't last long.

Not the UK NHS

I'm not saying this isn't the same in Wales, Scotland and Northern Ireland but I think the article is talking about England (overseen by NHS England). Health is a devolved matter for the rest of the UK. And digital services are managed 'once' I believe. Rather than permitting each organisation to do what the Director of IT thinks is best.

A very well positioned article though. Would also reference the challenges of safely and securely attempting to integrate different systems (new and legacy) into single patient administration systems. The general disconnect between systems in different organisations and geographies that is attempting to be tamed through big procurement (££££) and the lack of basic meaningful training for new and existing staff (not just e-learning to tick a box).

The magic word is.....

Accountability. Right now this is an anonymous bucket into which are tosses study after study. Need to humanize this and make it more impactful

Until Managing Directors and CIO/CISOs start losing their jobs and pay packets, not much will improve or change.

Problems and solutions.

If you made any position liable for security breaches, no sane person would take the job and anyone in it would quit.

To stay in such a position I would cut off internet access to every system in the hospital and turn off the WiFi. GPs would have to go back to requesting appointments by phone, post or fax. Tech cannot be locked down reliably enough. Everything would be intranet only and data would only leave the hospital on paper by courier. Websites would be produced and run by a third party and only offer basic information. They would not contain any patient data or be able to access any.

Alternatively you could spend the budget on a reasonably secure system (OK bar zero day hacks) run by fully trained IT staff, built afresh from the ground up and never touched by medical staff. If you had any money left you could hire someone once a month to offer general healthcare advice in the otherwise empty building.

We go back to simpler, less networked tech that does not connect to the net, or we continue to get turned over on a regular basis.

Incidentally, paying ransom gangs isn't an option for the NHS as they don't have the cash. Generally, it isn't a good idea anyway, as, at risk of shocking you, crims are not trustworthy. They will simply nab your cash as well as flogging your data.

When did NHS management ever take responsibility for things going wrong? They're not there to make you better, they're there to keep you ill and a client. How else can you grow a healthcare organisation and there's a very rewarding opportunity in Pharma when you leave if you push the drugs for them.

Not that I'm a cynic you understand just that my dementia is worsening from the statins.

The NHS is big. Really big. You just won't believe how vastly, hugely, mindbogglingly big it is. I mean, you may think it's a long way down the road to the chemist, but that's just peanuts to the NHS.

It's also not one thing, "The NHS" is a bag of marbles under one title, all with different legal statuses, managment structures, budgets, aims etc.

Bringing that into some form of coherance will take time as well as money and as mentioned by others if politicians like to come in and shake it up up every 4yr or so the job will never happen.

My first interaction with NHS IT about 20yr ago was a bit fightening as the team had no concept of server hardening, patching or any maintenance, it wasn't a refusal to do it, they really has no concept of it at all. Vanilla out the box and left was what they did. Years later further interactions showed a vast improvement and they worked well with the local authorities around them as well.

NHS Trusts are a bit like schools in that the management largely comes from the ranks, which means they often come with a closed mentality. Security guys don't help themselves or the organisations by often adoping risks and responsibilities they shouldn't so as not to bother the board. Risk and governance are your friends in this circumstance.

Following their own defined processes, you have to play the game. THEY own the risks and raising of the risks to the appropriate forum is how you start the process of education the board of their responsibilties. If they don't like to follow their own governance then you document and you record and you cover your arse.

Infosec is 90% psychology and 10% technology.

Medical software is a multitude

records are mostly write only. By all means write them onto something that can't be rewritten.

Automation is more interesting, but one size does not fit all.

And the better way to do research is to carefully write the question, then send it out to the multitude of organisations, and get back numbers, rather than getting all the data and then sifting it on your own different system.

The main GP system suppliers are owned by people I worry about...

And of course it should never have been proprietary code.

There needs to be a shift in the NHS and public

I worked in the NHS for 15 years in IT and Cybersec.

The problem is the focus on privacy, yet they never fully adopt the necessary controls and standards to properly manage data security while maintaining confidentiality. The need to access and share always trumps security and privacy, always.

Now look at recent breaches, when those organisations responded the focus was getting operations back up and running, not privacy.

So during BAU we are obsessed with privacy, but when the brown stuff actually hits the fan the focus moves entirely on restoration of service. That's the problem - they need to follow other sectors within the NIS Regs and focus on availability of the essential service.

I'm convinced privacy won't actually be negatively impacted by this, they play at doing it anyway, but with more resilience built in, focusing on availability, when incidents do happen they will be less impactful so the core "service" will still be able to deliver health care.

This however is a public relations disaster even if privacy isn't impacted, as the ICO cannot see past it's nose.