Editorial

How the NHS can reduce the risk from the endless loop of supply chain attacks

It’s fair to say that probably no one has felt the full force of cyberattacks in 2024 more than the NHS – from the attack in May against NHS Scotland to June’s breach against hospitals in London. Both incidents were the result of attacks on third-party providers, and unfortunately, this is a common trend in breaches against the UK government. Trevor Dearing, director of critical infrastructure at Illumio, explains why a step change in cybersecurity is needed to strengthen supply chain security.

Posted 18 November 2024 by Christine Horton


What challenges does the NHS face when it comes to cyber resilience?

The NHS’ dependency on external suppliers means that the security measures of third parties directly affect its overall security posture. When looking to impact major organisations, cybercriminals look for any weakness within the supply chain. This means that a business is only as secure as its weakest third-party supplier.

For example, the attack on Synnovis’ IT systems forced the NHS to revert to manual processes, caused the cancellation of thousands of appointments and led to patient data being leaked onto the dark web. Worse, this incident is not isolated; nearly 63 percent of healthcare organisations experienced such attacks in 2023. This is a systemic issue that both the NHS and its third parties must collectively address.

The reaction to the Synnovis attack also highlighted the importance of having strong incident response plans. The 2017 Wannacry attack exposed similar risks, and it’s evident that the sector hasn’t fully learned from past incidents. The recurring nature of these attacks emphasises the urgent need for the NHS to enforce strict cybersecurity measures across its entire supply chain.

How is legacy IT infrastructure further increasing risk?

Legacy tech is a large part of the overall cybersecurity concern in the NHS. According to last year’s reports, 77 percent of the UK’s healthcare sector still uses old and outdated systems.

Legacy systems often lack the latest security features and updates, making them easy targets for cybercriminals. Older systems can be harder to patch and update, particularly specialist medical technology that is unlikely to have been designed with security in mind.

In many cases, organisations continue using these systems because upgrading them is costly and complex. Modernising these systems is essential to bolster security, improve resilience against attacks, and ensure the latest protections can be effectively implemented.

What should the NHS be doing to address such problems?

Third-party providers form the lifeblood of the NHS and need to be constantly reviewed to ensure they are meeting the required security standards. We must accept that attacks are inevitable and that harnessing vulnerabilities in the supply chain is a growing trend.

Regular security audits and simulations are also critical in helping NHS Trusts quickly identify and respond to threats. An FOI request in July 2023 showed that more than a quarter of NHS Trusts failed to test third-party suppliers’ cybersecurity measures in the past 12 months. This suggests that Trusts are still placing too much implicit trust in suppliers to safeguard data, systems, and operations.

The problem is the NHS supply chain is so large and varied that trying to secure all suppliers is a mammoth task. To address this, the NHS must transition away from solely focusing on prevention and detection to adopting a breach containment strategy.

By embracing breach containment, the NHS can isolate infected systems, limit lateral movement, and mitigate the disruption to critical services and protect patient welfare.

The UK government is already taking several commendable proactive actions to strengthen resilience in our public services. The Cyber Security and Resilience Bill will expand regulations to cover more digital services and supply chains, empower regulators to enforce cybersecurity measures, and mandate increased incident reporting. However, the NHS must be equipped with additional budget and financial resources to comply with these new regulations.

Overall, the key focus for the NHS must be to achieve effective cyber resilience. And one of the best security models for achieving this is Zero Trust – a globally validated strategy.

Why should the NHS implement a Zero Trust approach?

Adopting a Zero Trust strategy will significantly enhance the cyber resilience of the NHS, particularly in the context of supply chain security. Zero Trust operates on the principle of “never trust, always verify,” meaning every access request is scrutinised, regardless of its origin.

With a Zero Trust approach, even if an attacker breaches a supplier’s network, they would be contained, preventing them from moving freely within the NHS’s systems. This containment strategy is crucial for protecting patient information and ensuring that disruptions like those experienced in recent incidents are minimised. A critical factor in achieving this is having the ability to segment its network.

Network segmentation divides the network into isolated environments to contain potential breaches and limit the movement of attackers. By breaking the network into smaller, manageable segments, any intrusion can be quickly identified and contained, mitigating the impact of a breach.

Zero Trust also mandates continuous monitoring and verification of every user and device. This ongoing vigilance helps in quickly detecting and addressing suspicious activities, which is essential for the uninterrupted delivery of critical healthcare services. By constantly validating access requests, the NHS can better prevent breaches and respond more effectively when threats are detected.

Besides these benefits, a Zero Trust framework supports the requirements of a modern, dynamic workforce. The NHS increasingly relies on digital technologies and remote access, so it’s essential that only authorised personnel can access specific systems and data.

By adopting a Zero Trust approach, with segmentation at its core, the NHS can safeguard the operations of its five diagnostic pillars and deliver a simpler and more robust security outcome in the face of an attack either directly or via a third party.
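The breach containment and segmentation ideas in the two answers above can be made concrete with a small policy check. The following is an added example written for this article; it is not Illumio's product, nor any NHS configuration. The segment names, address ranges and flow records are all constructed for illustration. It models a default-deny allow-list between segments: a flow is permitted only if an explicit rule matches, so a compromised host in a supplier segment can reach only the gateway it was granted, and every other attempt is both blocked and surfaced as a denied-flow event for the security team to review.

```python
"""Default-deny segmentation policy check (added example; hypothetical segments and flows)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segments with made-up private ranges; not any real NHS network.
SEGMENTS = {
    "supplier-lab": ip_network("10.10.0.0/24"),      # third-party pathology supplier
    "results-gateway": ip_network("10.20.0.0/24"),   # the only system the supplier may talk to
    "clinical-records": ip_network("10.30.0.0/24"),
    "imaging": ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One permitted flow: source segment -> destination segment on a TCP port."""
    src: str
    dst: str
    port: int


# Explicit allow-list. Anything not listed is denied, including flows inside a
# segment: there is no implicit trust based on where a packet comes from.
ALLOW = {
    Rule("supplier-lab", "results-gateway", 443),
    Rule("results-gateway", "clinical-records", 5432),
}


def segment_of(addr: str):
    """Return the segment name containing addr, or None if it is unknown."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, port: int):
    """Verdict for a single flow: ('allow'|'deny', reason)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unknown-segment"
    if Rule(src, dst, port) in ALLOW:
        return "allow", "policy"
    return "deny", "no-matching-rule"


def reachable_from(segment: str):
    """Segments a compromised host in `segment` could reach directly under policy."""
    return sorted({r.dst for r in ALLOW if r.src == segment})


def audit(flows):
    """Run flow records through the policy; the denied ones are what the SOC should see."""
    denied = []
    for src, dst, port in flows:
        verdict, reason = evaluate(src, dst, port)
        if verdict == "deny":
            denied.append((src, dst, port, reason))
    return denied


# Constructed flow records: one legitimate supplier upload, two lateral-movement
# attempts from the supplier segment, and one legitimate gateway-to-records write.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.9", 443),
    ("10.10.0.5", "10.30.0.2", 445),
    ("10.10.0.5", "10.40.0.7", 3389),
    ("10.20.0.9", "10.30.0.2", 5432),
]

if __name__ == "__main__":
    print("supplier-lab can reach:", reachable_from("supplier-lab"))
    for entry in audit(SAMPLE_FLOWS):
        print("DENIED", entry)
```

The point of `reachable_from` is that the blast radius of a supplier compromise can be read straight off the policy before any incident, and `audit` shows that the same policy doubles as a detection source: denied flows from a supplier segment towards clinical systems are exactly the signal an incident response plan should be built to act on.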
