Boosting secure access for the UK’s national health service
The UK’s National Health Service is under huge pressure to overhaul its cybersecurity practices.
Following the fallout of last year’s global WannaCry ransomware attacks, the UK’s National Health Service (NHS) is under huge pressure to overhaul its cyber security practices. The National Audit Office (NAO) said ‘basic IT security’ could have prevented the WannaCry attack. Yet, the lack of privileged access controls remains an ongoing risk.
According to Gartner, the improper governance of privileged access management (PAM) will be the major cause of approximately 60% of data breach incidents by 2018, compared to 40% in 2015. The average NHS Trust works with hundreds of third parties to maintain its key systems, requiring access to do so.
Last year, the long standing N3 network was replaced by the Health and Social Care Network (HSCN). It brings together NHS and government organisations, such as police forces and social services, under one private network. Designed to be more cost-effective and flexible, there are concerns about the larger network increasing security risks.
How can you monitor and manage what you don’t have the tools to control?
NHS Trusts need visibility into every aspect of their own network. For Adrian Laning, networking infrastructure manager at the Lewisham and Greenwich NHS Trust, this was his priority over the last year. The Trust providers NHS services to catchment area of approximately 220,000 people and patient care is at the heart of everything their staff do. Over 7,000 staff are employed (including part-timers), handling almost 5,000 PCs or laptops.
“We have a strong solution in place for ensuring the devices used by staff are secured end-to-end. Our biggest concern was securing third party access to our network. We didn’t have the tools to track their activity during sessions, which could have left us exposed to major security risks,” Laning recalls, “Limiting their access was not an option; suppliers are integral to the operations of our Trust.”
Although systems such as the pathology and radiology systems are run by the Trust, they are maintained by suppliers. In fact, this is the case for all main systems. Without restricting access, there are huge implications to network safety if a supplier’s device or account is compromised. They could make their way into the Trust’s network undetected. Whether they intend to steal sensitive patient information or disrupt services, Laning and his team needed to prevent this ever happening.
Extending control over privileged users end-to-end
Reducing the risks of third-party access is about visibility and control, not restriction. Centralising the administration and control of server access, while automating password management, is one of the ways CA Privileged Access Manager makes this possible. It also provides proof of effective controls to meet compliance standards. The EU General Data Protection Regulation (GDPR) stipulates that identity and access management (IAM) must be in place to protect critical systems. Visibility offers speed, supporting compliance with the regulation’s 72-hour breach reporting window.
“We now have an audit trail of activity for each user. If something goes wrong with our critical systems, we can search this trail for signs of suspicious activity and understand what caused the issue,” Laning adds, “By seeing everything that is happening in the network, we can increase uptime reliability and maintain data security and protection.”
A comprehensive platform for Privileged Access Management
Privileged accounts are not only made up of employees with direct responsibility for system and network administration, they include contractors and suppliers who have been granted privileged access to systems within the organisation. In many cases, privileged accounts aren’t even people – they can be applications or configuration files empowered by hard-coded administrative credentials.
If these credentials are compromised, they allow movement within a network completely unnoticed. The hacker could wait months, even years, before attacking the system. In a 2016 Verizon study of 905 phishing attacks, the clear majority – 91 percent – were after user credentials. Local credentials are now protected through the PAM solution, eliminating the risks of weak passwords and the chance of them getting into the wrong hands.
With PAM in place, what’s next for the Trust? The pressures of rising patient numbers and tightening budgets will continue to build for most NHS organisations. WannaCry was a reminder that digital infrastructure continues to play a crucial role in the successful delivery of patient care. By protecting and securing his Trust’s digital operations, the process of working with suppliers is smoother and patient’s data is protected. That is the peace of mind Laning’s team will continue to work towards.