Experts react with concern to news of £20m investment in elite team of NHS 'ethical hackers'

Central cyber security unit will monitor web to prevent repeat of Wannacry scandal, but experts warn of a lack of skills and technology

The WannaCry incident highlighted flaws with IT security within the health sector

A lack of qualified, experienced IT professionals and old, outdated and missing technology is threatening the NHS’s efforts to prevent a repeat of the crippling Wannacry cyber attack, experts are warning.

The partnership will provide access to extra specialist resources during peak periods and enable the team to pro-actively monitor the web for security threats and emerging vulnerabilities

Concerns were voiced after The Times newspaper reported last week that the Government has put £20m aside to set up a central cyber security unit that will use ‘ethical hackers’ to probe for any weaknesses in health service cyber defences moving forward.

The hotshot team will monitor the internet for emerging threats and will help to beef up data security to help hospitals in danger of attacks.

NHS Digital is tendering the contract as part of a big increase in public-sector spending on digital defences.

Quoting a source from the agency, The Times reports: “The partnership will provide access to extra specialist resources during peak periods and enable the team to pro-actively monitor the web for security threats and emerging vulnerabilities.

“It will also allow us to improve our capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating known threats.”

But, despite welcoming the increased investment, IT experts warn that, on its own, the team, and the extra funding, will not address the underlying problems.

Speaking to BBH, Matt Lock, director of sales engineers at Varonis, said: “The announcement is a necessary and commendable next step, but given the impact of the WannaCry attack, one must also ask why it has taken them so long to create this.

Having great human cyber security talent solves only part of the problem, and current and future NHS cybersecurity teams need to have better tools to reduce the risks of cyber incidents much more effectively

“The new centre must be a part of an ongoing effort to keep up with the latest attacks from extremely well-funded and experienced criminals intent on compromising the NHS system.”

And he added that a lack of skilled personnel was causing real problems across the NHS and wider public sector.

“The NHS must be able to attract and retain top talent, which is often a challenge,” he said.

“This team is an important piece of the overall security posture for large organisations, but continuous improvement and advancements are also critical parts of the equation.”

Greg Day, vice president and chief security officer for EMEA at Palo Alto Networks, who sits on the UK National Crime Agency steering committee and the UK-CERT-CISP advisory team, added: “Finding exceptional cyber security skills to prevent attacks is a laudable aim of NHS Digital.

“Designating a ‘Red’ team will mean weak spots could be hunted down faster, but opportunities for live cyber security skills training of current teams on a cyber range-type test environment should also be considered more fully.

“Like firefighters, you only become better at fighting fires like WannaCry by training on realistically-simulated incidents. However, detecting issues is only of value when you can action them quickly and effectively, which requires considerable resources especially for such a large and complex organisation like the NHS.

“Having great human cyber security talent solves only part of the problem, and current and future NHS cyber security teams need to have better tools to reduce the risks of cyber incidents much more effectively.

It's important that the NHS creates a strong prevention culture that pervades the whole organisation rather than simply relying on an elite group of cyber security fighters

“Cyber security leaders and their teams within NHS organisations need to be supported by much more-automated and more-efficient cyber security solutions focused on prevention and aggressively reducing risks. This is all the more important for how the digital transformation of the NHS will depend on how successfully the NHS protects the legacy systems still being used to support patient care.

“It's also important that the NHS creates a strong prevention culture that pervades the whole organisation rather than simply relying on an elite group of cyber security fighters.

“This is acknowledged by today’s NHS cyber security professionals who strongly advocate more cyber security awareness training for everyone, but admit that few clinical and administrative staff actually receive the training they need to protect themselves and their patients.”

Companies