By Sascha Giese, Head Geek™ at SolarWinds
Winter is usually a challenging time for the NHS, which faces added pressure to manage the inevitable seasonal colds and flu. Looking back on last winter, The King’s Fund reported nearly all NHS beds were occupied, with as many as 18,000 patients a day arriving as emergency admissions during February 2019. This year, the anticipated winter surge of COVID-19 infections are likely to increase the load on services and resources in unprecedented ways.
While the world is buoyed at the prospect of an effective coronavirus vaccine, which sees the NHS tasked to be ready to administer from December 1, the U.K. government has cautioned there’s still a lot of ground to cover, with the publication of safety data still pending before any rollout can begin. In the face of all this, how can technology play a bigger role in helping to deliver infrastructure that’s reliable, resilient, and secure, with the ability to flex effectively when demand dictates?
Older Technology Needs Careful Attention
For a public sector organisation with over 70 years of history, the NHS will inevitably feel the impact of ageing IT. Even when the technology continues to do the job it was built for without obvious issues, this “legacy” can carry with it an unwanted array of embedded problems, including reliability, collaboration, performance issues, and an inability to scale. When older hardware and software is in daily, mission-critical use within organisations as large and complex as the NHS, the technical and financial issues associated with replacing it are intimidating.
A good example is Microsoft® Windows® 7, which reached its end of life in January this year, meaning updates of security fixes for older operating systems would be discontinued. It’s an operating system widely used across the NHS, which is why NHS Digital has advised it’s leveraging the extended support period from Microsoft to allow sufficient time to upgrade all remaining devices still running Windows 7 before it ends in 2021.
Apart from the challenges of upgrading the approximately 1.37 million PCs and laptops used in the NHS, this is a clear example of the sheer size of the task involved for any wholesale technology change. And the process can take years—indeed, five years after Windows XP went “end of life,” the NHS still had around 2,300 computers using XP.
There are always going to be challenges with using legacy technology. Even so, the key to keeping systems functioning as optimally as possible is to minimise risk through deploying the necessary technology and training to keep them secure, as well as reduce the negative impact of a potential systems failure. Every organisation will face these issues; what’s important is how well they cope with them.
Putting Cybersecurity Front and Centre
Creating a strong cybersecurity posture targeting the key requirements of detection and prevention requires a coordinated approach from the top down. At a leadership level, efforts should include improving security best practices. For example, because the NHS employs around 1.7 million people, the risks presented by insider threats, whether unintended or malicious, are large. Indeed, the security risks from insiders can often be more numerous and acute than those coming from external criminal hackers or foreign governments.
As a result, end-user security awareness training, network access control, and effective patching are among the best routes to improving insider threat detection and prevention. In general, organisations investing in best practice often see an improvement in security effectiveness, and processes such as employee background checks can play an important role in controlling the risks presented by malicious insider threats. These should form part of “basic security hygiene” for the NHS and will prove of immense benefit under almost all circumstances.
But this only represents part of the challenge. In their attacks against hospitals, cybercriminals probe apps, systems, and environments, trying to find critical servers where Personally Identifiable Information (PII) resides. These tactics make multi-layered defences essential to augment hospital network security with intelligent threat monitoring, triggering alerts, and automated incident response software to quickly remediate cybersecurity issues.
The ongoing challenge for the NHS, however, is one of funding. In the case of more advanced and sophisticated security tools, for example, the shopping list can be long. However, to help reduce the risks of security problems exacerbating the wider winter pressures, intrusion detection and prevention tools, endpoint and mobile security, web application firewalls, and encryption technologies are now “must-haves.”
Technology alone can certainly not remove the pressures on the NHS, particularly now when it’s facing a winter-long COVID-19 second wave. But it can play an important role in maintaining the efficacy of an organisation to deliver infrastructure that’s reliable, secure, and with the ability to flex with demand when it’s most needed.
