Cybersecurity in the NHS – Separating people from passwords
Wednesday 28 March 2018
A troublesome political climate has put the NHS, like many other public-sector organisations, under immense pressure to cut costs and drive operational efficiencies whilst simultaneously embracing new digital methods in a bid to improve services. As a result, proper and necessary data security controls have not yet been fully embraced.
As the NHS seeks to improve, the outsourcing of IT contracts has increased, and the data security controls that should protect staff and patients during digital change have been neglected. One recent cyber-attack, for example, was in part due to a hospital not updating its computer systems, leaving frontline Windows systems vulnerable. This lack of data integrity and quality harms the public’s trust in an organisation, something the NHS cannot afford.
Last year, however, the Government announced that it was officially on board with a National Cyber Security Strategy. The new NHS budget for 2017/18 is £124.7bn, and Chancellor Philip Hammond’s announcement of the £1.9bn additional investment in cyber-security funding looks set to change the face of public sector cybersecurity.
The Government’s ‘Your Data: Better Security, Better Choice, Better Care’ report announces that to strengthen the safeguarding of information, the National Data Guardian’s position will be put on a statutory footing and stronger sanctions will be introduced by May 2018 to protect anonymised data. This will include severe penalties for negligent or deliberate re-identification of individuals.
Top four areas of cybersecurity weakness in the NHS
The top four areas of weakness for the NHS in terms of cybersecurity are currently identified as:
- Compromised privileged accounts
- Inadequate IT architecture / systems
- Inadequate staff training on security protocols
- Not enough skilled employees to protect data or systems
It’s about gaining control. Privileged account abuse is one of the most critical security challenges facing businesses today. Every IT infrastructure is managed by privileged users – users granted elevated control through access to privileged accounts so that the uptime, performance, resources and security of the infrastructure meet the needs of the organisation. Uncontrolled access to these privileged accounts by insiders and third parties leaves organisations vulnerable to data leaks and breaches – causing irreversible damage to the organisation, its reputation and patients’ trust.
Permanently removing risk
Osirium’s Privileged Access Management solution, the PxM Platform, addresses both security and compliance requirements by defining who gets access to what, and when. The PxM Platform enables every privileged account on every device to be given a particular, defined state. Businesses can use the solution without making any changes to their device estate. Security and compliance are incorporated by mapping who can use these accounts, and what happens to the passwords used to access them. Rules can be defined per device, ensuring that password compliance policies are not only met but exceeded. Individual, complex, generated passwords are used for every managed account, preventing users from moving laterally without permission.
Furthermore, the PxM Platform provides a full audit trail showing exactly who has accessed what, where, when and how, along with full details of the identity-to-role mapping used. This attaches a personal identity to every audit trail created by the device – rendering this information far more valuable to SIEM systems. It allows seamless integration with existing solutions, eliminating the need for manual cross-referencing of shared-account activity back to individuals.
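As an added illustration of the model described in the two paragraphs above (this is constructed example code, not Osirium’s, and the identities, devices and rules are made up): people authenticate as themselves, an identity-to-role mapping plus per-device rules decide which managed accounts they may use, the broker holds a unique generated password per managed account that the person never sees, and every request is logged against the person’s own identity.

```python
import secrets
import string

# Constructed illustration of the privileged-access model described above
# (not Osirium's code). A request is only granted when the requester's roles
# intersect the roles permitted for that (device, account); the managed
# password stays inside the broker and is rotated after use.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length):
    """Individual random password for one managed account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedAccessBroker:
    def __init__(self, role_map, device_rules):
        self.role_map = role_map          # identity -> set of roles
        self.device_rules = device_rules  # (device, account) -> {"roles", "min_len"}
        # One generated password per managed account; only the broker holds it.
        self.vault = {k: generate_password(r["min_len"]) for k, r in device_rules.items()}
        self.audit = []                   # who / what / where / when / how, per request

    def request_session(self, identity, device, account, seq):
        key = (device, account)
        roles = self.role_map.get(identity, set())
        rule = self.device_rules.get(key)
        allowed = rule is not None and bool(roles & rule["roles"])
        self.audit.append({"seq": seq, "who": identity, "roles": sorted(roles),  # seq stands in for a timestamp
                           "what": account, "where": device, "allowed": allowed})
        if not allowed:
            return None
        # The broker authenticates to the device itself; the caller only
        # receives an opaque session handle, never the managed password.
        return f"session-{seq}-{device}-{account}"

    def rotate(self, device, account):
        """Replace a managed account's password after use or on schedule."""
        self.vault[(device, account)] = generate_password(self.device_rules[(device, account)]["min_len"])


def demo():
    broker = PrivilegedAccessBroker(
        role_map={"alice": {"dba"}, "bob": {"netops"}},
        device_rules={("db01", "root"): {"roles": {"dba"}, "min_len": 24},
                      ("fw01", "admin"): {"roles": {"netops"}, "min_len": 32}},
    )
    ok = broker.request_session("alice", "db01", "root", 1)
    lateral = broker.request_session("alice", "fw01", "admin", 2)  # alice has no netops role
    before = broker.vault[("db01", "root")]
    broker.rotate("db01", "root")
    return broker, ok, lateral, before
```

The audit list is what a SIEM would receive: each record names the person, not the shared account, so the denied lateral move in `demo()` is attributable without cross-referencing.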
Learn more about the PxM Platform at Osirium’s IPEXPO Manchester stand U616. Don’t forget to attend Osirium’s seminar, delivered by CTO Andy Harris, on Privileged Access Control & Task Automation 13:00-13:30 Thurs 26th in the Cyber Threat Protection room.