Staffordshire and Shropshire Health Informatics Service is showing how to strengthen resilience among a group of organisations, writes Emma Velle, cyber security specialist at Cisco UKI
The creation of integrated care systems (ICSs) has great potential to improve patient care, but it comes with serious challenges on the cyber security front.
As organisations link their digital systems within an ICS, this creates a wider attack surface for hostile actors and increases the risk of disruptions. One of the fundamental building blocks in the integration of care is to develop policies and deploy the technologies for robust security and high levels of resilience.
At Cisco we have a vision for cyber security as an enabler for mature integrated systems in which all the stages of the patient journey are properly protected against cyber threats. This requires an approach focused on outcomes rather than the capabilities of any individual technology.
One of the organisations facing up to the challenge is Staffordshire and Shropshire Health Informatics Service (S&SHIS), an IT shared service providing operational support for multiple NHS and local government organisations in the counties.
Its head of technology, Richard McCue, told the recent UKAuthority Resilience and Cyber4Good conference that the challenges come with the core function of allowing people in different organisations to access a patient’s care record when appropriate, and that the risks are rising with rapid evolution of cyber threats.
S&SHIS provides a number of central services for which it manages the security, including a shared public service network for the region, shared data centres and a recently deployed joint 24/7 security operations centre.
It is also using a number of Cisco solutions to preserve resilience around the system. These include Dot1x to identify and block access to the network from any unapproved devices, ensuring that data is protected and reducing the risk of malware creeping in.
Another is TrustSec, which provides software-defined segmentation of a network to isolate any threats and protect assets across the system. And it uses Cisco Secure Network Analytics and Encrypted Traffic Analytics for a clear view of the activity on the network to spot any threats.
McCue emphasised, however, that: “The technology should come at the end. We should have the policies and guidance defined so we can align the technology to those business policies.”
Support from the top
In turn, these need robust support from the top of the organisations involved, as this will help to overcome the inevitable pushback from some quarters in which people resist changes to their ways of working.
He cited the example of a policy to require multi-factor authentication (MFA) for accessing systems. As with most new policies, it ran into opposition at various levels, but it was possible to overcome this because it had gained approval at the top level of the organisations. This took a significant effort, but McCue said it made all the difference in ensuring the policy was widely adopted.
“As that goes further up an organisation it’s more difficult for someone who’s a service desk or technical engineer to say no,” he said. “One of the biggest problems we have is getting those policies appropriately approved so they are distributed in a way that people know they apply. But it really needed to come from the top down that the MFA policy applies and it has to apply to everybody.”
Other policies have been put in place for issues such as change control and incident management, accompanied by those within the operations directly controlled by S&SHIS. McCue referred to the example of running vulnerability scanning from the security operations centre rather than relying on annual penetration tests.
It has also been prepared to reshape policies when feedback has made clear that practicalities can make them difficult to follow, or responses to incidents have identified potential weaknesses.
“One of the things that have come from mitigating phishing and drive-by attacks is that we have used it to put in place further improvements in security. One of these has been that we have put app blocker controls in, so that even if you have administrative access and try to run an application that you shouldn’t, you can’t.”
An important stage in this is that such changes go through the organisation’s intelligent customer forum of IT leads to discuss the reasons and implications.
This relates closely to the Cisco perspective of needing to shift the focus to the drive for positive outcomes, both for the organisations and in patient care. It has developed its Extended Detection and Response (XDR) approach, which involves four priorities. First is to ‘detect sooner’, asking where an organisation is most exposed to risk and how good it is at detecting attacks early.
Second is ‘prioritise by impact’, focusing on attacks that have the largest material impacts; and third to speed up investigations to understand the full scope and entry vectors of attacks. Finally comes the need to accelerate the response, looking at how much can be automated and whether the organisation is quantifiably getting better.
In healthcare this has to involve a firm focus on patient outcomes. McCue made the point that this is a crucial step in overcoming any resistance to policies, emphasising to the people at the technical end that it is all directed at improving patient care.
Aligning this with the mindset to constantly review and improve the policies should be a foundation of cyber resilience in integrated care.
He concluded: “The important point is that it’s not about saying ‘We’re doing this and that’s the end of it’. It’s about ‘This is why we’re doing it, what we’re preventing, and how can we make it better?’ It’s that constant improvement piece.”
You can watch Emma Velle and Richard McCue’s session from UKAuthority Resilience and Cyber4Good here