It’s time to face up to the real risks from NHS legacy systems and start to address your greatest vulnerabilities

Andy E, former Director of Connected Nottinghamshire, the first chief cyber security officer (CCSO) for a system STP and, most recently, the first CCSO for an ICS at Birmingham and Solihull, argues that without facing up to the reality of the risks inherent in the legacy systems used in the NHS, we cannot hope to protect ourselves from attacks and build resilience into our processes. The situation may be critical but there are tangible actions we can take today to start to address vulnerabilities head on.

What is the reality of the NHS IT estate?

If your organisation is part of the NHS and you don't consider that you have issues from using legacy systems, then you are leaving your organisation very vulnerable to attacks and system failures. These could have catastrophic results for patients, staff and senior management. The truth is that in every industry sector, country and organisation there are legacy system issues. All that differs is the awareness and acceptance of this fact.

Today’s IT landscapes are more complex than ever as they are composed of a blend of in-house software, cloud-based applications and systems run by supply chain partners. There’s a mixture of new solutions, legacy systems, software from IT vendors (which may or may not still be in business), and open source software which could be very visible or deeply embedded into other applications. There are probably very old versions of software and operating systems (OS) which cannot be easily updated – especially when the mix includes an estate of old and new hardware which will only work with different combinations of specific software and OS versions.

Do cyber security solutions provide answers?

IT vendors and cyber security experts recommend that systems are kept up to date with all the latest security patches applied. This is to ensure that code changes developed to address specific security concerns are installed to keep the barriers to attack well maintained. However, there are many cases in the NHS estate where we simply cannot upgrade because the complex mesh of operating systems, proprietary and open source software, and hardware would no longer work together. If we did, critical systems would just stop running.

Applying cyber security software to help protect NHS organisations would seem to be one element of a solution to reduce vulnerabilities. However, key features of these solutions, such as automatic updates to software and operating systems and auto-application of patches, will just not work for the reasons stated above.

One workaround is to create a ‘white list’ or ‘white space’ which includes the elements of the IT landscape which are exempt from automatic upgrades. However, bad actors are becoming increasingly knowledgeable about the vulnerabilities in IT environments. If discovered, the white list and white space simply provide the ‘enter here’ instructions for attackers.

Problems will flow through the system

Any problem or vulnerability with a legacy system is like pollution into a stream that is then a tributary into a small river, which in turn feeds a larger waterway. The issue flows throughout the whole system, picks up speed as it goes, becomes difficult to stop, and is completely unpredictable as to where it might end up.

As more elements of NHS processes and services, such as blood testing and GP patient records, are provided by third-party suppliers, or have their data held by them, further vulnerabilities are added. Even good suppliers which you have interrogated as part of a rigorous selection process can’t avoid inherited problems in software from legacy and inherited core libraries. Regular monitoring and testing of supplier solutions would help minimise the issues but that would add a hefty weight to already overburdened IT staff.

So what can we do?

It’s VERY hard to move away from legacy systems and there are high costs to fix the problems. Often IT suppliers cannot update very old systems or the businesses no longer exist. Contracts which state terms and limit liabilities were often made several NHS reorganisations ago by organisational entities which are long gone. Staff may have moved on and so expertise and corporate memory are ebbing away.

A simple, cost-effective strategy to increase protection would be to limit access to the internet to as few devices as possible. But as we move towards a cloud-first strategy, internet access becomes essential for many staff members, increasingly by mobile devices, so good quality asset management, risk management and identity management become vital weapons in our armoury to protect the organisation.

Understand and mitigate risks

Ongoing exercises to identify, manage and mitigate risks must be a high priority, understood by, and driven from, the top of the organisation. Real cases have shown that any IT outage of more than 48 hours can result in a 24% increase in mortality and morbidity. So it is critical that the COO and CEO understand the potential impacts and plan for how they will ensure the continued performance of the organisation to treat patients for up to the 6-month aftermath of a major attack. The CFO should understand that the potential financial implications could run into millions of pounds.

Legislation in the USA which could see CEOs go to prison for IT failures can act as a conversation starter to show the seriousness of the situation. The organisation must assess and mitigate the risk to patients.

Proof of identity becomes a key tool to increase security. Effective identity management with two-factor authentication is vital to protect the perimeter of the organisation and then for access to specific systems. Many legacy systems do not currently have such capabilities and so introducing them rapidly is very important, especially as the requirement for remote access via mobile devices grows.

Design to handle failure

For both new and existing systems you must design in resilience even when those systems are under attack. Design in how a system can fail but in a controlled way. The human body when under threat offers a model. When the body is attacked or faces a critical situation, controlled failure comes into play. Extremities may be sacrificed to keep the heart and brain functioning for as long as possible. Doctors might need to sever limbs to preserve life. It sounds harsh to talk in these terms but the reality is that the majority of harm is done when systems are just switched off to try to halt problems in their tracks.

While legacy systems do need to be updated, we can live with the situation if we do things to mitigate the risks. Taking steps to adhere to new regulations such as NIS2 can act as a catalyst for action and the NCSC’s CAF (Cyber Assessment Framework) can provide the methodology for improvement.

Final thoughts

It is the reality that the NHS has an increasingly complex IT estate and that legacy systems, which cannot easily be replaced, increase the vulnerabilities to attack. The situation is serious and there is no silver bullet or way of easily buying ourselves out of the predicament. The most important thing is to realise this and face up to the reality. You can then prepare to protect yourself with your eyes open. There are proactive steps you can take to safeguard systems and patients, rather than stumbling into a reactive mode when faced with cyber incidents and failures. Be focused and be bold.