Security in the Cloud for the NHS

Security in the Cloud for the NHS – Current NHS cyber threat landscape

Welcome to the first blog of a new Microsoft UK Health series, “Security in the Cloud for the NHS”. We understand you’re hearing a lot of things that make you nervous about moving to the cloud and meeting compliance standards. The UK healthcare industry has been the victim of several ransomware incidents that have threatened hospital operations and the ability to provide timely care. According to Gartner, security concerns are still the biggest reason organisations avoid the public cloud: they hear about stolen patient records, security breaches, and ransomware.

With this blog series, we want to raise awareness of the current security landscape and regulatory framework, and explain our “protect, detect, and respond” approach to security threats. This is an industry-standard mind-set; it is the one we use to manage our own platform operations, and we recommend it to our customers.

Microsoft's security posture

A lot of technology to protect information is readily available. Usually these protection mechanisms protect endpoints like devices or applications. But here’s the problem: most companies have already been breached—they just may not know it yet. Hackers can sit inside a company’s network for 200 days or more before anyone notices. Protection needs to be stronger across all devices and endpoints. You need stronger doors and stronger locks to keep the bad guys from getting in.

That said, even with protection, the bad guys can still get in. Then what? You need a way to detect intrusions. This is similar to putting up cameras to spot criminals breaking into your house. Detection, however, requires sophisticated resources—not just tools, but access to millions of signals plus the advanced algorithms and computing power to monitor them, interpret them, aggregate them, and report them as attacks are happening. Microsoft has machine learning capabilities built from our considerable expertise, experience, and research investments.

Finally, once an attack has been detected, you need the ability to respond very quickly, ideally in an automated way, to control the damage. For example, automatically recognising “impossible travel”—logging in from Stoke and then logging in from China an hour later—and requiring a second authentication attempt, with Multifactor Authentication enabled, before allowing access. Or, pushing a required update to users of your application after identifying a potential exploit during an internal penetration test.
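As an added illustration of the “impossible travel” check described above (this code is not from the original post or from Microsoft; the sign-in events, the coordinates and the 900 km/h speed threshold are constructed assumptions), the Python below compares each user’s consecutive sign-ins, works out the speed that travel between the two locations would have required, and recommends an MFA step-up for any pair that is physically implausible:

```python
# Added example, not from the blog post: a minimal "impossible travel" detector
# run over constructed sign-in events. All events, coordinates and thresholds
# below are made up for illustration.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner cruise speed (assumed threshold)
MIN_DISTANCE_KM = 50.0           # ignore small jumps caused by IP geolocation jitter

# Constructed sign-in events: user, UTC timestamp, approximate location of the source IP.
SIGN_INS: List[Dict] = [
    {"user": "alice", "ts": "2017-06-01T10:00:00Z", "city": "Stoke-on-Trent", "lat": 53.0027, "lon": -2.1794},
    {"user": "alice", "ts": "2017-06-01T11:00:00Z", "city": "Shanghai",       "lat": 31.2304, "lon": 121.4737},
    {"user": "bob",   "ts": "2017-06-01T08:00:00Z", "city": "London",         "lat": 51.5074, "lon": -0.1278},
    {"user": "bob",   "ts": "2017-06-01T11:00:00Z", "city": "Manchester",     "lat": 53.4808, "lon": -2.2426},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events: List[Dict], max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Dict]:
    """Return one alert per consecutive sign-in pair whose implied speed exceeds max_speed_kmh.

    Each alert carries the automated response the post suggests: require a
    second authentication factor before the newer session is allowed to proceed.
    """
    by_user: Dict[str, List[Dict]] = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    alerts: List[Dict] = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(user_events, user_events[1:]):
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if distance < MIN_DISTANCE_KM:
                continue  # same city; geolocation noise rather than travel
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600.0
            # Two distant sign-ins at the same instant are simultaneous sessions:
            # treat the implied speed as infinite so the pair is always flagged.
            speed = float("inf") if hours == 0 else distance / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev["city"],
                    "to": cur["city"],
                    "distance_km": round(distance, 1),
                    "elapsed_hours": hours,
                    "implied_speed_kmh": speed,
                    "action": "require_mfa",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SIGN_INS):
        print(f"{alert['user']}: {alert['from']} -> {alert['to']} in {alert['elapsed_hours']:.1f} h "
              f"({alert['distance_km']} km, ~{alert['implied_speed_kmh']:.0f} km/h) => {alert['action']}")
```

Run as written, the script flags only alice (Stoke to Shanghai in one hour, roughly 9,200 km) and leaves bob’s London-to-Manchester trip alone. The minimum-distance filter matters in practice: ISP geolocation for a single mobile user can jump tens of kilometres between requests, and without it the rule produces a steady stream of false positives.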

Current UK cyber threat landscape

Figures from Get Safe Online reveal that a staggering £10.9 billion was lost to the UK economy as a result of fraud, including cybercrime, in 2015/16.

In the last four years, the rate of NHS cyber-attacks has quadrupled. A Freedom of Information (FoI) investigation examined spending, defences and the manner of attacks, and despite the increase in cyber-crime it found that overall spending on cyber-security across the 75 trusts and foundation trusts providing data had remained at around £18m since 2013. Meanwhile, cyber-attacks such as ransomware had increased from 1,565 reported cases in 2013/14 to 7,178 in the last financial year. Unsuccessful attempts, including hundreds of thousands of phishing attempts, were not included.

The Information Commissioner’s Office (ICO) “Data Security Incident Trends” shows that the UK Health Sector accounts for the most data security incidents. A particular risk factor for incidents in this category is relying on “autocomplete” rather than typing an individual’s full name into the “to” field of an email. Often, the sender will not realise their error until alerted to it by the recipient. Microsoft’s security posture can help reduce the impact of these accidents.

Our commitment to trusted cloud

When it comes to customers feeling secure about the cloud, trust must be earned. Microsoft has made a deep commitment to trust that can be summarised in these four points:

  1. The first trusted cloud principle is Security. Microsoft cloud services are designed, developed, and operated to help ensure the confidentiality, integrity, and availability of your data.
  2. Next is Privacy. We believe that you own your data. You should be able to keep your data. Your data is not ours to be used. We want to provide all of our services while keeping your data private to you.
  3. We strive for Transparency. We want you to understand how we are running the services and how, and where, your code and data is used and stored. We want to ensure that we are as transparent as possible with all of that information.
  4. We also focus on Compliance. We work with regulators to make sure that we are in compliance with regulations such as GDPR.

At Microsoft, we are committed to empowering every individual and organisation in the world to achieve more. Working with organisations that span all the sub-verticals in health, Microsoft has made a deep commitment to earning your trust as an advisor in the healthcare industry.

This is why we are working with our partners and with Intel to conduct a Healthcare Security Readiness Programme to help your Trust to understand where it stands in terms of maturity, priorities and breach security capabilities, compared to the Healthcare industry across eight types of breaches and 42 security capabilities.

The Report

Together with Intel and our Partners, we are running a global program offering a complimentary and confidential Healthcare Security Readiness Programme.

These engagements involve a one-hour meeting (face to face or over Skype for Business) in which you will receive a complimentary and confidential report that shows how your organisation’s security compares with the broader healthcare industry. The readiness programme can be mapped to key regulations and standards, enabling participants to see how to address any gaps to help with compliance.

Some interesting trends have started to emerge from the 19 organisations that have already conducted the programme in the UK:

  • UK healthcare organisations outperformed global ones in capabilities such as User Awareness Training and Endpoint Device Encryption. However, they are lagging behind in Security Information & Event Management and Threat Intel. The least mature capabilities overall in UK health organisations are Network Data Loss Prevention (Prevention Mode) and Server Solid State Drive (Encrypted), which only 6% and 9% of organisations respectively have in place.
  • When it comes to organisational priorities, 82% of respondents listed Cybercrime Hacking as a high priority, followed by Ransomware (75%) and Insider Accidents or Workarounds (63%) as medium/high priorities. The data-rich report shows how your security capabilities compare to those of global and UK healthcare organisations.

This information suggests that there is a lot that can be done to protect against, detect and prevent attacks. An example report is available for your preview.

If you would like more information on how to take part in the programme, get in touch with us and one of our representatives will respond to your queries.

View the Health and Life Sciences Breach Security Assessment Report

Get in touch with Microsoft to understand more on how to find out where your organisation stands in terms of maturity, priorities, and breach security capabilities, compared to the rest of the industry.

Email: UKsecuritybreachasse@microsoft.com