Skip to content

The challenge of security 'unknown unknowns' in public sector healthcare

Telerik.Web.UI.WebResource (12)

Effective Patient care requires a collaborative approach to deploying effective cyber security 

By Tracy Scriven, Director of Healthcare at PSTG.
T:   +44 (0) 7925 051 060
E: tscriven@pstg.co.uk
Connect with Tracy on Linked In

The challege of security unknown unknowns in public sector healthcare

The world of technology and highly connected, modern day hospitals rely on vast networks of information systems combined with advanced medical capabilities that provide long term care and short-term specialist services. With a high level of staff and digital services running 24/7 and even greater number of patients the overall system is complex and data volumes high.

Availability, confidentiality and integrity of care systems and services is expected - and is essential. 

NHS trusts not only face financial pressures with managing their technology budgets, but they also have a costly security risk to tackle.  

NHS trusts are faced with a broad spectrum of threats, ranging from the highly sophisticated and targeted to more general low skilled (and even automated) and opportunistic cyber-attacks. The very nature of medical data means that it can be a valuable commodity for attackers. 

What we do know from the WannaCry ‘wakeup’ is that current cyber security must continuously evolve in a way that provides the best in patient care assured by information systems that are secure, safe and reliable.

A cliché but most organisations are hit by the unknown unknowns

Recently we came across an organisation that really understood the cyber risks it faced but chose to only invest in cyber security once they had been breached. Others become breached due to a range of chinks in their armour. Many of these times the security team didn’t really know the vulnerabilities exist, let alone know how to deal with them.

To combat this, PSTG have started looking at the ‘why’ rather than the ‘what’. Why is the security posture of organisations deficient?

The answer to this isn’t simple or specific. The answer appears to stem from the rate of complex technology adoption exceeding an organisations ability to truly manage something which few understand let alone can integrate into complex organisations and keep maintained. As technology has developed, it has done so without a real understanding of the security implications.

Only as time has marched on and hard lessons hit home has technology security started to be baked into solution vendor DNA, let alone the consuming body. At the heart of this challenge, is the lack visibility into organisation’s network and the assets which exist to make up the information systems. If you don’t know it’s there, how can you protect it? Business demand and constraints combined with ever increasing complexity create a scenario which isn’t going to be solved by a knee jerk purchase of a turn key solution or simple penetration test.

A collaborative approach with NHS Trusts to tackle the challenge 

To tackle the cyber challenge requires understanding. We need to understand the landscape from people, processes, products and partners - what we are protecting and what we currently have to protect it? Once we have taken stock of this we can then start to look at risk-based actions to make targeted decisions to improve the security posture, both tactically and strategically.

This isn’t just based on theory, not only have PSTG designed a service for this we’ve conducted this with a number of NHS organisations. By taking a holistic view discovering the current state, looking at the threat landscape, the critical assets and service architecture we then can see the gaps between the target state and where we are today.

Plan through to change chart

​Without boiling the ocean, we’ve taken a Demming based approach (PDCA) to review organisations and information systems to work out strategies for improvement which focus on actionable, effective and simple ways to combat security risks which focus on not only protecting but also on improving business value.

Whether it’s tackling the unknown or seeking assurance on strategy to improve security posture and enhanced cyber resilience, the goal is to deliver better patient outcomes, and ensure the right steps are taken to stay one step ahead of current and emerging cyber threats.

Understanding your security posture and how PSTG can help.

Carrying out a consultation with a PSTG security expert followed by a Security Posture Assessment (complimentary) we can provide you with a ‘did you know’ report on your landscape. With more insight from your people, a deeper understanding of your processes, products and partners we can assist you in building a risk-based roadmap to make targeted decisions to improve the existing security posture.

Please contact us for a data sheet on our Security Posture Assessment and confirmation of availability for our consultation with one of our vendor-agnostic security experts.

Share this article