NHS Trust IT head: ‘Our attack surface was much bigger than we thought’

‘We found an extra 5,000-10,000 devices that we knew nothing about’, said deputy director of ICT at The Princess Alexandra Hospital NHS Trust


Among the many unexpected items discovered to be connecting to The Princess Alexandra Hospital NHS Trust’s (PAHT) networks were PlayStations, coffee machines and passing electric vehicles.

“We found an extra five to ten thousand devices that we knew nothing about”, said deputy director of ICT Jeffery Wood. “Our attack surface was much bigger than we thought.”

This disturbing discovery came about during a proof of concept (POC) trial of Armis’s cyber exposure platform, undertaken as part of an infrastructure modernisation programme.

PAHT is a small-to-medium-sized Trust in Harlow, Essex. It's earmarked for a hospital rebuild in 2032. Due to its size and the demographic makeup of the area it serves, the Trust is well suited to trialling new technology that might later be rolled out across the NHS, according to Wood. The technologies under trial include a multilingual holographic receptionist, Amazon-style lockers for use by consultants, cloud-based telephony, and new medical devices. Electronic patient records are being rolled out at PAHT too.

But each new device represents a potential entry opportunity for a hacker, adding to the security burden represented by hundreds of applications, numerous legacy medical devices running ancient firmware, obscure building management systems and cloud-based software.

[Image: Jeffrey Wood, deputy director of ICT, PAHT]

Wood’s team was looking for visibility across the entire connected system, together with real-time dashboards configurable to meet the needs of different management groups within the Trust, and more intelligent alerts, as well as automated mitigation, hence the Armis trial. “We need to understand the threats we’re seeing,” he said, adding that the POC had reduced the time processing security alerts from 45 minutes to 10.

Understanding and mitigating cyber threats is not just a security issue, he told Computing, it allows for more flexible working practices, too. Apple devices favoured by Marketing and Comms were previously banned, but now staff are free to use them thanks to network segmentation. By the same token contractors can use their own devices, even if they are not fully patched to the same standards. “It saves us having to buy a new laptop and give it to a contractor who's only there for six months,” Wood explained.

Nevertheless, zero trust networking remains an ideal rather than a practical reality within the NHS. The Trust is implementing MFA where it can, but the multi-vendor landscape makes full integration a challenge. “We're always locked down really tight, but when you're working with a hosted organisation it depends what their requirements are and how they integrate with things. Single sign-on is quite difficult within hospital scenarios as well.”

‘It scared the life out of me that we didn't have a separate cybersecurity team’

The Trust does not employ a dedicated cyber team, relying instead on its infrastructure team ‘shifting left’, aided by increasingly automated security tools. This setup was quite a shock to Wood, who came from a background in local authorities and the private sector.

“When I first came here, it scared the life out of me that we didn't have a separate cybersecurity team,” he said. “But everything we do in infrastructure now has cybersecurity built into it, because cybersecurity is that infrastructure team, and they’re all trained in CISSP and CompTIA. You’re not going off and asking another team to review it. It's quite alien to a lot of people, but I'm fully on board with that now.”

The team is supported by vendors in a partnership relationship, which is relatively unusual in the NHS, according to Wood. The traditional “supplier-customer based way of working” can create silos and make information sharing across the wider service more difficult, he said. A partnership approach, on the other hand, makes it easier to share successful POCs between trusts, such as the Armis one. “Ultimately, my view is that the NHS is one team,” Wood stated.

‘This isn't just cyber risk. This is risk’

Inevitably, with a small team responsible for managing a complex environment, there’s a heavy reliance on automation to take the strain. There's the Armis platform, then there are email gateways and XDR tools to mitigate the ever-present danger of phishing attacks, malware and data leaks. The NHS, sadly, is a popular target for cybercriminals, and Wood sees AI as vital in the ceaseless battle against threat actors, which only ever ratchets one way.

“AI has helped in a lot of ways. It's allowed more things to be done behind the scenes,” he said.

But technology is only one part of the defensive strategy, and Wood’s team runs regular phishing awareness courses, simulations and cybersecurity tests, including, a few years ago, the classic “USB drives in the car park” test, in which 5% of the drives were picked up and plugged into devices.

“Nowadays, you can just block a USB device,” Wood noted. “As things evolve, we get better; but as we evolve so do the attackers. You're constantly looking out for different things that are coming in, and we don't have the time or the scale, so we rely on people like Armis to help.”

As recent events in London, Merseyside and Bristol have demonstrated, minimising the attack surface of the health service really can be a matter of life and death.

“This isn't just cyber risk,” said Wood. “This is risk. Anything that attacks us could cause our patients harm.”