The NHS faces a growing cyber threat, with the supply chain particularly vulnerable. What is the nature of the problem – and how can it be solved?
The health service procurement process is as complex as it is important. Cybercriminals will choose the simpler attack option, and this weak link is often found down the supply chain.
Elizabeth Giugno is the Cyber Security Category Manager at Crown Commercial Service (CCS). In a recent article for Digital Health, she noted that the NHS has seen a “significant increase in cyber attacks since the start of the pandemic” and flagged the procurement process as a key part of cyber resilience.
So how exactly do cyber attacks threaten the procurement process? A report from the National Cyber Security Centre (NCSC) from November 2021 found that ransomware attacks are, unsurprisingly, a priority for healthcare. This highlights the danger of social engineering – where a victim is tricked into opening the doors for an attack – and the threat posed when systems are not up to date with security protections.
“The NHS struggles to deliver devices with current and supported operating systems and in particular to keep them maintained and patched once they are installed,” says Phil Howe, CTO at Core to Cloud, which provides cybersecurity technologies and services to the NHS.
“Ransomware is clearly the major problem facing healthcare today,” says Dr Saif F Abed, founding partner of cybersecurity consulting services at AbedGraham Group, a regulatory affairs and management consultancy firm. health risks. When products and services are under consideration, procurement processes must be robust enough to judge their resilience “in the face of increasingly sophisticated attackers”.
Doctor, heal yourself
Dr Jacqui Taylor is CEO of Cloud Services Architects FlyingBinary and adviser to the UN on the effective use of new procurement practices. She highlights the complexity of the healthcare service and the impact it has on the supply chain:
“We always discuss the NHS as if it is an organization – it is not,” says Taylor. “It’s a complex series of organizations, most of which have autonomy over how they purchase services and often the services they provide.
Take general practitioners, primary care physicians who are often the first contact for patients. There were 35,146 GPs in the UK in 2020, whose surgeries operate like small businesses. In such a fragmented area, interoperability is a key weakness in NHS supply.
“From a cybersecurity perspective, the NHS is a distributed organization that is connected by technology,” says Taylor, an organization where “cyber risks are neither quantified nor understood, certainly not by the majority of people who are working there.”
Mitigate the risk
Unsurprisingly, there are many measures already in place to help secure the NHS supply chain against cyber attacks. These include the mandatory DCB0129 clinical risk management standard for health IT, under which vendors must show that they have compared and assessed the impacts on patient safety if their solutions were compromised. There is also the Data Security and Protection Toolkit (DSPT), which requires basic technical security standards and packages 10 security standards around people, processes and technology to help guide trusts. “Both can help reduce the risk of purchasing,” says Abed.
Then there’s the Edge4Health platform, which aims to streamline processes between vendors and providers while increasing compliance. This should provide procurement teams with a more agile way to engage with suppliers, while creating transparency in the process, according to Abed.
The problem from a purely cybersecurity perspective is that it’s hard to judge its actual success. The reason, according to Abed, is that integrating standards and auditing their application after procurement are “distinctly different challenges.”
Taylor says the platform is another example of reinventing the wheel, something the NHS “is famous for.” Indeed, the one-stop-shop idea is “almost but not as comprehensive as the set of e-services that NHS Digital recommends through the NCSC framework,” she says.
And then there is the accreditation. Is it realistic to expect requirements such as ISO27001 or Cyber Essentials / Plus to extend throughout complex supply chains?
It’s about reviewing the controls in a Statement of Applicability, says Howe. They make it possible to “show that a supplier has implemented, documented and audited its internal security”.
However, while agreeing that these basic standards are positive, Abed cautions that they are not specific to healthcare. Ultimately, “accreditation is just one step in a complex process to effectively manage risk,” he says.
Supply chains are more vulnerable than ever in all sectors. This presents a particularly delicate challenge for the NHS. Ultimately, asking tough questions of the entire supply chain is key to avoiding weak links in the NHS procurement process.
“Further investments in auditing suppliers and supporting local procurement teams” will have a significant impact, while ensuring accountability, concludes Abed.
As for the vendors themselves, Taylor says without NCSC Cyber Essentials accreditation they “have no chance of understanding how to work across the whole NHS field.” Any supplier must understand the importance of scale in such a large and complicated operation. “As a vendor, I recommend that you take the scale proposition up front to be sure you have the cybersecurity controls you will need.”