SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
NHS signs £150m cybersecurity deal with Microsoft – but is it enough?
Thu, 3rd May 2018
FYI, this story is more than a year old

​News has emerged of NHS finally bolstering its defences in light of the ‘growing threat' of cyberattacks.

NHS has signed a deal with Microsoft worth £150 million to upgrade its security systems.

This comes almost a year after the fiasco caused by the WannaCry virus where at least 80 health trusts and 603 NHS organisations and GP practices were disrupted by the global ransomware attack, causing the cancellation of around 20,000 hospital appointments and operations with ambulances being diverted from some A-Es.

Since 2017 the government says it has invested £60 million to address these issues, so the additional £150 million to be spent over three years will be a big boost.

Health and Social Care secretary Jeremy Hunt says the investment will enhance security intelligence to give individual trusts the ability to detect threats, isolate infected machines and kill malicious processes before they can spread.

“We know cyber attacks are a growing threat, so it is vital our health and care organisations have secure systems which patients trust,” says Hunt.

“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat. This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.

However, Skybox Security director Peter Batchelor argues the problem can't just be fixed by throwing money at it. The first step, Batchelor says, should start from a goal of assuring availability of uninterrupted medical services, and cybersecurity is critical for ensuring this continuity.

“Cybersecurity for cybersecurity's sake, including an obsession with metrics of malware blocked, isn't appropriate when what's of prime importance to the NHS is that patient services will not be interrupted by another cyberattack,” Batchelor says.

“Visibility of threats and vulnerabilities is key but not if it simply hands a small and overstretched team of NHS IT specialists an even longer to do list. They are desperate for practical support that tells them what the priorities are to work on immediately and automates much of the workload of closing down vulnerabilities effectively.

Batchelor says despite the widespread criticism, NHS Digital and other stakeholders are all working incredibly hard to make NHS more secure for all of the United Kingdom.

“Their prime concern is delivering excellent medical services and outcomes for patients. Cybersecurity must serve this end but must not get in the way,” says Batchelor.

“Letting teams see and assess the risks and security priorities clearly, being able to run attack simulation on a daily/weekly basis and at the touch of a button without interrupting medical care or placing additional burden on the limited NHS IT resources, is what the NHS requires and, in our experience, is already working towards.