As director of the NHS Threat Assessment Centre, ESET's senior research fellow gained an understanding of the security demands of one of our greatest institutions. He's not sure current solutions are fit for purpose, he tells Dan Raywood.
This year has seen a significant number of news headlines regarding the NHS and information security.
In May, the Information Commissioner's Office (ICO) revealed that of the 1,007 data losses reported to it since 2007, almost a third – 305 – had been the responsibility of the NHS. Before and since then, there has been a steady stream of negative stories about data loss and the problems workers face when security is not the first consideration.
In conversation with SC, David Harley, senior research fellow at global security firm ESET, got on to a key point: the continued use of Internet Explorer 6. Discussing this and the use of legacy software, Harley said he got his first XP machine on joining the NHS in 2001.
Harley worked for the NHS until 2006, as one of the infrastructure security management team and, more specifically, manager of the NHS Threat Assessment Centre. “Basically, I put up alerts and advisories, FAQs etc and I was also the guru-in-residence for AV and anti-spam on the national mail services. However, the actual services were outsourced.
“Most of the NHS Threat Assessment Centre work consisted of putting up information and advice on upcoming and current threats on the web page. It is difficult to say how many NHS end-sites (PCTs, surgeries and such) were actually monitoring those briefings, unless there was something very specific with which they were having particular problems, or was generating a lot of interest from the media and/or their users.
“That happened often with the big mass mailers in the first few years and I spent a lot of time on the phone to end-sites, trying to help them clean systems to which I had no direct access.
“When I joined the NHS Information Authority in 2001, the mail services had no centralised AV and there was virtually no filtering, apart from what had been put in place by end-sites. Inevitably, given my background in AV research, I got involved first with setting up generic filtering centrally, then with procurement for a centralised AV scanner.
“The actual service was outsourced, but I was co-opted into selection of a service and consultation on the implementation. Then I interfaced between the provider, the authority and the wider NHS community. The provider used to send reports on what malware it was detecting, and I used to channel information to it on upcoming threats and ways I thought the service would be more effective.”
With this background in such a sensitive sector, how would he have coped in today's market? “The National Programme for IT pretty much kicked in while I was there and there was a major shift away from central services towards getting people to share information and cooperate, while moving responsibility for most security countermeasures right back to the end-site,” he said.
“The Threat Assessment Centre went, after the NHS Information Authority's activities were transferred (mostly) to NHS Connecting for Health and CFH moved instead to a WARP (warning, advice and reporting point) model. WARPs are like computer emergency response teams (CERTs), but less formal, often run by volunteers. The idea was that there would be cooperation between end-sites using forums moderated by Connecting for Health on a platform provided centrally.
“Security at the endpoint was largely the responsibility of the individual site, while the security-focused bits of National Programme concentrated on what was seen as the important national stuff, such as encrypted national services. I wouldn't like to guess at how effective that has been in practice, as the nitty-gritty detail isn't generally available on sites accessible by the public. National Programme has restricted itself to what it calls information governance, so IG officers on NHS end-sites have found themselves carrying not only that load, but other security issues that National Programme tried to stay hands-off from.
“I have no insight into what will happen with the scrapping of National Programme. With the Conservatives' dislike of centralisation and the emphasis on even more drastic cost-cutting, I cannot see the end-sites gaining in terms of security. They will be thrown back even more on to their own resources.
“While the core network and centralised services are the responsibility (even where services are outsourced) of CFH and the Department of Health, responsibility behind the end-site's gateway is purely local. Which is fine conceptually, but for a long time there was a very different ‘Fortress NHS' model in place, where even if there weren't central countermeasures in place, there was at least guidance. Security management is, largely, expectation management; but working in the public sector confounds expectations, because goalposts are so often set (and moved) in response to political pressures.”
I asked him what he meant by ‘expectations': of the public looking from outside or of staff within? He said: “Well, both: expectations from the public and the view from within are very different. The popular view of the NHS is of one big amorphous mass consisting largely of doctors and nurses. Whereas in fact, it's an umbrella organisation including thousands of semi-autonomous units with medical staff supported internally and externally by other specialists in logistics, administration and so on.
“They think if you eliminate expensive management, then everything will continue to happen, without spending money on those expensive people. I cannot say that there are no overpaid people, no unnecessary services, or no unnecessarily duplicated roles, but I can't say that of the private sector either.
“An entire generation of security managers left in 2006, at a time when I was being told that Connecting for Health was very clear that the NHS should not be managing its own security.”
I asked if, to the best of his knowledge, the NHS continues to be outsourced. “The NHS is essentially part of the government and central government is always happy to outsource. While end-sites may feel pressured into outsourcing, the real pressure on them comes from the need to meet the terms of whatever codes of connection are currently in place, while meeting government-imposed financial and performance targets,” he said.
“The last year or so I was there, I saw a great deal of mismatch between the expectations of the NHS and that of its providers. It's not a bad thing in principle to be ‘risk-averse', but there is a difference between outsourcing a service and disclaiming responsibility for it. Service providers are not altruists. They won't provide more service than they believe they signed up for, merely because the customer was expecting more. They will certainly expect to renegotiate a contract for offering extra levels of service, and they won't accept responsibility for NHS infrastructural problems that are not in their remit.
“And that will never work, because companies which do major outsourcing projects are wise to that one and will not sign up for something that will leave them with a form of responsibility.
“The NHS information authority, when I was there, employed people whose core jobs were to negotiate and implement contracts, or to manage the provision of contracted services – good luck to them, it's not an area I wanted to get into!”
Harley said there was a “whole bunch of NHS-specific legal requirements, apart from the obvious data protection legislation”, when it came to the requirements for the protection of sensitive medical data. He said he felt fortunate not to have to work within that complex framework any more, and to be in a position to focus on his own specialties rather than trying to be all things to all ‘customers'.
“It is bad enough conforming to the range of legislation that the average business has to contend with these days, especially when it works across international boundaries,” he said.
The division of the NHS into the trusts has undoubtedly caused some revaluation of IT practice and policy, from the basic provisions to storage and hosting, and on to the more specific security needs.
It could be argued that with the negative headlines over the past 12 months, the changeover from Harley's time to the current setup has been a challenging one. Either way, there is no such thing as an easy migration.