Securing the healthcare IT supply chain
Andy E, former Director of Connected Nottinghamshire, the first Chief Cyber Security Officer for an STP and, most recently, the first Chief Cyber Security Officer for an ICS at Birmingham and Solihull, looks at why it’s critical that the NHS takes IT supply chain security seriously. Have bad actors already found ways into healthcare systems which they are just waiting to exploit? What can we do to improve security across the piece?
In August 2024, at the end of my last guest blog for Imprivata, I thought that my next blog topic would be a look at legacy IT. However, dramatic events in the last quarter of 2024 changed my mind. There’s a topic so important that we can’t go on wilfully ignoring it, or believing it’s fixed just because it’s become somewhat boring to talk about: the NHS’ critical systems are increasingly under threat from bad actors, be they cyber criminals, opportunists, or rogue states. We need to address this problem immediately and stop things getting worse through outdated behaviours or inaction.
IT supply chains need securing. Now!
Just look at the last 12 months for evidence of how fragile the NHS IT supply chain is. One report from June: a pathology laboratory which processes blood tests for a number of NHS organisations was the victim of a cyberattack that left its services unavailable online. Manual workarounds had to be introduced quickly. The effect was that, by mid-July, over 6,000 appointments and procedures had been cancelled.
Earlier in the year, one health board had 3TB of confidential patient and staff data stolen and held to ransom. When payment wasn’t forthcoming, the data was published on the internet. Police investigators acknowledged that "a criminal justice outcome" was unlikely.
There are many more examples, and the reported incidents are likely to be just the tip of a very large iceberg. Indeed, criminals may already be inside our systems via the metaphorical doors, windows, or skylights left open across our IT supply chain. They are just biding their time – because they can. For us, the problem is right here and now. And it cannot, must not, be ignored.
What are the elements of the NHS IT supply chain we need to look at?
In my view the NHS supply chain can be broken down into three categories:
- The traditional IT supply chain of technology and service vendors
- NHS England-recommended and collaboratively developed systems
- General IT infrastructure underpinning day-to-day operations, such as MS Windows and other operating systems, access and security systems, and cybersecurity platforms
Each of these categories has elements which can be addressed in common ways. At the same time, each also has its own characteristics, which expose specific vulnerabilities, require proper configuration, and need tailored action. Let’s look at each in turn.
Vulnerabilities in the traditional IT supply chain
Firstly, the traditional IT supply chain often includes very well-known third-party national and international suppliers, and these vendors are increasingly relied upon to provide key components of healthcare processes. One recent example was Advanced, a vendor whose software underpins services such as NHS 111 and which, to do that, holds the public’s personal data on behalf of NHS organisations. A ransomware attack discovered in August 2022 took down several of the vendor’s health systems, including 111, medical notes, and organisations’ finance systems. Recently, the Information Commissioner’s Office (ICO) imposed a provisional £6m fine on the company for that attack, which disrupted NHS and social care services and also exposed the personal information of 82,946 people, including details of how to gain entry to the homes of 890 people receiving home care. That is a real-world problem for anyone, let alone those who are the most vulnerable.
Securing NHS ‘insider’ systems
The second category of the NHS IT supply chain includes technology mandated by NHS England, along with those systems collaboratively developed with third parties, either nationally or within specific Trusts. The ransomware attack involving the pathology lab mentioned earlier is an example of this category in the supply chain.
When an IT system is recommended to you by the body that exists to direct you strategically, it is tempting to take it on trust rather than apply the standards you would normally apply to the selection of an external system. However robust a piece of software is, the environment each organisation drops it into is likely to be unique, so the specific vulnerabilities and threats that arise in that environment still have to be considered.
The liability, if problems occur, will of course fall on the individual NHS organisation. That should be incentive enough for Trusts to perform due diligence and verify that recommended systems are robust, secure, and reliable. But all too often this is not the case.
Ensuring the general IT infrastructure is robust
The third supply chain category relates to the general IT infrastructure which enables day-to-day operations: MS Windows and the other underlying operating systems, along with security platforms and tools. Such elements require frequent updates, upgrades, and security patches, and these are installed into complex environments made up of products from different vendors which must work together seamlessly. It is not an easy task.
There are many examples of updates having to be recalled and backed out, or of fixes causing unexpected knock-on problems. Once again, rigorous processes and testing in an organisation’s specific IT environment should come before updates are applied to live systems or rolled out widely. Sadly, with the lack of investment in many IT services brought about by year-on-year “cost-cutting” exercises, the time and resources for that level of rigour are simply not available.
Is your security software your weakest link?
By design, the technology you use to control access to your systems and to defend against cyberattacks runs with privileged access, which amounts to an open door right into the heart of your most critical technology. If something goes wrong with that software, whether a faulty update or a compromise, it can bring down your critical systems and processes and leave your data exposed.
A corrupted update to widely used cybersecurity software caused problems all around the world this summer, crashing Windows machines and locking users out. Microsoft reported that 8.5 million Windows devices were impacted. Flights were cancelled, trains delayed, TV stations taken off air, GPs struggled to access records, and pharmacies could not access prescriptions.
This wasn’t a cyberattack by bad actors, but the ensuing mayhem opened the door for hackers and fraudsters to follow up with attacks and scams, often posing as providers of support and guidance to fix the problems. The only ‘positive’ is that the global publicity around the incident served as a wake-up call to the disruption that could occur if criminals or rogue states did choose security software as their route into the very heart of organisations, supply chains, and critical infrastructure.
What can we do to improve supply chain security?
The examples I’ve cited give a flavour of the failures that occur in the different categories of the NHS IT supply chain and the problems they can cause. But if you really want to frighten yourself, take a look at the Hostage To Fortune report from parliament’s Joint Committee on the National Security Strategy (December 2023). This excellent document states that the UK is “exposed to catastrophic costs and destabilising political interference” from ransomware and other attacks.
So, what can we practically do?
To protect the NHS, we first need to remind ourselves that we run critical systems vital to the health and wellbeing of the nation and its citizens. It is easy to be wilfully blind to the magnitude of the issues if we become overloaded by the day-to-day.
There needs to be a change in culture: we have to be less trusting and more rigorous. This is best applied upfront, in the procurement process; it is far cheaper and more effective to do it that way. Done well, it means we have at least a hope of not making our problems worse by introducing new points of failure into the IT landscape.
Technology needs to be grouped by criticality. When resources are scarce, we should not apply the same blanket controls across all systems and software. A change to a website which just provides information does not need the rigorous checks that would be applied to a change to technology at the heart of a clinical system; it is the latter that needs the enhanced, robust assurance processes. The level of assurance should be proportionate to the level of risk; it is as simple as that.
We should examine what suppliers tell us thoroughly, and ask questions. Where has the solution been installed before? Was it in a similar IT environment? What security and release checks does the supplier apply within its own organisation? If your suppliers are not using two-factor authentication to access their own systems and yours, demand that they do; otherwise, you’re leaving the front door wide open. In my personal experience, less than 10% understood what was really being asked of them, and most were surprised when asked to demonstrate compliance. Too often I had the reply “no one else asks for that” or “it’s on a framework so you don’t need that”, both tactics that may put many people off digging further. You should always be wary of that type of response.
The more we can standardise requirements, collaborate across NHS and social care organisations, and share case studies and learning, the easier it will be to make the right choices. If we become more consistent in our approaches and demands, then we drive suppliers to up their game too. Again, I have seen the best suppliers do exactly that.
We have to realise that, given the levels of cybercrime out there, someone is going to get through at some point. In fact, bad actors may already have breached your security and be waiting for the right, most profitable moment to hit you with a ransomware demand or to cause maximum mayhem (or maybe just stealing your data without your knowledge is enough for them). Business continuity planning and fallback systems, or even manual processes, need to be thought about at the procurement and implementation phase. Business continuity planning should not be a separate exercise but baked in from the start. And regularly practised!
Final thoughts
My own experience in the sector says you cannot take suppliers’ assurances at face value. In my opinion there is a rise in ‘snake oil vendors’: slick salespeople offering a nirvana of IT solutions which will magically make all your problems go away. This is an attractive dream when resources are stretched, but it will only ever be a dream, I am afraid. The NHS isn’t a greenfield, perfect environment with plenty of downtime in which to introduce unproven systems or apply untested patches. There is no quick fix.
Here, I’d like to praise Imprivata for the quality and efficacy of their solutions. They help protect all aspects of the NHS IT supply chain. As one example, they offer some great tools to mitigate your third-party access risks, with very strong controls and processes.
One last, perhaps cynical, thought: the reality is that you just need to be less vulnerable than someone else. Just don’t ever be the worst, or use the worst third party, of course! Criminals will move on to other organisations and industries where the pickings are richer and easier. Oh, and keep your fingers crossed, of course. Next time, I really will talk about the real world of legacy IT.
Editor’s note: This blog is part of a regular series that features industry experts. Imprivata invites those experts to share their insights and opinions, and they are under no obligation to mention or endorse Imprivata solutions. Content has been lightly edited by Imprivata for clarity and style, but otherwise is true to the expert’s perspective.