Earlier this year, the UK Secretary of State for Health and Social Care Jeremy Hunt signed off on the first official guidance specifically designed to help the UK’s National Health Service make the move to cloud.
Although some parts of the NHS already made use of cloud technologies, this marked the dawn of a new digital era for many working within the sector: one in which the widespread adoption of public cloud services and platforms like Microsoft Office 365 is encouraged and the benefits can become a reality. Those benefits might help to relieve some of the strains currently facing our overstretched healthcare services.
There’s no denying that the benefits of migrating some data from on-site systems to cloud environments could be colossal. This is now being widely recognized, with a recent report from Digital Health Intelligence revealing that 39% of organizations currently not using any cloud technologies plan on introducing some element of cloud-based infrastructure within the next two years.
But these organizations will only be able to reap the benefits if their new cloud environments are protected. After all, as last year’s notorious WannaCry disaster proved, no one is immune to cyber-attack. Not even the NHS.
Everyone is a target
Nowadays, anyone can be hit with ransomware, and this is what makes hospitals and healthcare providers very attractive targets. The NHS’s most valuable digital asset - confidential patient information - has become 100 times more valuable than stolen credit card details, and when faced with losing it, IT teams often don’t have a choice.
Despite common fears, keeping data in the cloud is just as secure as storing it on-premises, as long as you have a suitable security strategy and invest in the correct technologies. Mistakes generally come down to a lack of knowledge. It’s all about getting to know your new environment and understanding how to protect it. NHS organizations should spend time learning about the cloud platform they’re going to migrate to and reading up on the platform’s shared responsibility model, as it is important to understand who’s expected to protect what.
Making the cloud safe
The fact is that a truly secure medical network infrastructure will probably contain more firewalls than patients, but most traditional firewalls are not cloud-ready. Simply lifting and shifting traditional solutions and processes doesn’t work, because some are not engineered for the cloud’s elasticity, scalability and consumption model, which organizations need to defend against cyber-attacks today.
In fact, our recent research discovered that 95% of organizations believe cloud-specific capabilities within a firewall would be beneficial. Therefore, NHS organizations looking to make the most of cloud may need to think about refreshing their security stack and deploying a cloud generation firewall that can help users leverage cloud-native management and monitoring tools.
The major difference when deploying a firewall in the cloud generally comes down to having the right tool set. Any security controls need to both cover and leverage the agility and elasticity of cloud infrastructure in order to make sure that all of the confidential and sensitive patient data, applications and workloads across your network are protected, no matter where they reside.
Education, education, education
Effective security is not just about stocking up on solutions and tools. Instead, it’s a combination of technology, people and culture. NHS organizations can block out some threats with a cloud-ready, up-to-date protection system, but it is just as important to implement some sort of user awareness program and training.
As well as providing user awareness courses and materials, organizations can also look to invest in phishing simulation tools. In fact, there are some examples of health and social organizations already implementing these in order to find out which staff members might be a risk to their digital security.
Last year, one of the biggest NHS trusts in the UK (Leeds Teaching Hospitals NHS Trust) sent out a fake phishing email to its 17,000 staff. The audit committee reported that 400 employees responded to the email and revealed confidential information like passwords or network credentials. That is 2.3% of the total workforce, which might not initially seem that high, but when it comes to a phishing attack, all it takes is one click and your whole network can be brought down.
Although this was a trial run, real attacks like this, which come via email and have the potential to severely disrupt day-to-day operations, are becoming ever more common and costly, with 73% of organizations agreeing that their frequency is increasing. So, user education has never been more important.
In essence, your employees are your last line of defense, especially when it comes to social engineering attacks, so educating them about potential threats and retraining them around cloud environments will be essential.
Cloud is a whole new world for many organizations within our National Health Service and its benefits could be endless. But before organizations can reap the rewards, they must embrace a new way of thinking. For those planning on making the move to cloud, security needs to be priority number one.