The NHS appoints IBM in a three-year strategic partnership
The UK’s National Health Service (NHS) has appointed IBM in a new three-year strategic partnership to strengthen and improve present services.
With the number of cyber-security threats increasing, IBM will provide sophisticated data security technologies and additional defence tools. The partnership will also align with NHS Digital’s existing Cyber Security Operations Centre (CSOC) and bolster its capability to monitor, detect and respond to a multitude of security risks.
Such services will include:
- Vulnerability scanning and malware analysis, allowing NHS Digital to offer tailored and specialist advice to individual NHS organisations
- Enhancement of NHS Digital’s current monitoring capability, enabling the analysis of data from multiple sources to detect threats across NHS Digital’s national systems and services
- Access to IBM’s X-Force repository of threat intelligence to provide insight, guidance, and advice so health and care organisations can take appropriate action to prepare for, or mitigate against, identified risks and threats.
- Security monitoring pilots across selected NHS organisations, to test a range of security technologies and identify appropriate solutions that could be rolled out across the NHS estate
- An innovation service which will allow NHS Digital to quickly access new tools, technologies and expertise to address new threats as they emerge and to allow it to adapt services to meet the changing needs of the health and care sector.
“This partnership will build on our existing ability to proactively monitor for security threats, risks, and emerging vulnerabilities, while supporting the development of new services for the future and enabling us to better support the existing needs of local organisations. This will ensure that we can evolve our security capability in line with the evolving cyber threat landscape,” explained Dan Taylor, Programme Director, Data Security Centre at NHS Digital.
“This partnership will strengthen how we help to keep patient information and services safe and secure, enabling NHS staff and patients to have confidence in the security of our system.”
It follows on from the WannaCry attack in 2017, which revealed the urgent need for the NHS to upgrade its outdated IT infrastructure and strengthen its data security capabilities.
“The NHS faces data protection challenges which are not only presented by the transition from paper to electronic, but also by the rapid pace of the technological changes available to it. Some technical examples are incorporating virtualisation and cloud computing,” explained Graeme Stewart, Director of Public Sector UK&I at Fortinet.
“A medical record is worth 10 times a credit card number on the black market, making them very valuable targets. It’s no wonder that 34.4% of all breaches worldwide are hitting the healthcare industry. From digitising patient records to medical devices and wearables, all these are expanding the attack surface.”
“The diverse nature of healthcare enables different devices to access the Internet (even though they are not designed for this) making them easy targets; with many outdated applications and systems that don’t include security as a priority.”
Following the attack, which impacted up to a thousand health facilities and led to the cancellation of 20,000 hospital appointments and operations, the service has now signed a deal with Microsoft regarding its Windows XP systems, after an earlier agreement was not renewed in 2010, to ensure its security features remain robust. The partnership with IBM will therefore support this and enable the NHS to undertake a number of pilots in the process.
“The NHS is relying on legacy systems, so they are completely underequipped for a cyberattack,” notes Simon Townsend, CTO, EMEA at Ivanti.
“The post-breach reporting process requires organisations to demonstrate how they were prepared for a data breach, but then why the attack got in anyway; they also need to communicate with all customers (or patients) affected, articulating a remediation plan; they need to run through their remediation plan, fix the breach and lock down all leaked data; and they also need to provide an in-depth report to the relevant “supervisory authority” of their EU member state.
“All in 72 hours. This simply isn’t possible if, as in the case of some trusts, you’re relying on an operating system that hasn’t seen a release for sixteen years,” he says candidly.
“WannaCry was so damaging as some trusts were using unpatched Windows 7 systems and some were using completely unsupported Windows XP systems.
“In 2004, the Office for Government Commerce signed a deal with Microsoft to provide all desktop software within the NHS – from operating systems to Office programmes. The NHS had the latest of everything and were kept secure and patched up with help from Microsoft. Then, in 2010, around the time that the austerity period began, the government scrapped the agreement. The NHS had been using £270mn worth of Microsoft software for less than £65mn a year, so were unable to cope, and individual trusts were effectively left to fend for themselves,” he continues.
“Post WannaCry, the NHS did sign a new agreement, specifically for cybersecurity, with Microsoft – the custom support agreement and Enterprise Threat Detection Service (ETDS) provided the NHS with patches and updates for all existing Windows devices operating as XP, Windows Server 2003 and SQL 2005.”
“However, in January of this year, it was exposed that only 2% of the NHS had actually deployed the ETDS.