NHS Digital's cyber security wing CSOC has announced a partnership with IBM as part of a £30 million deal to bolster threat intelligence, a year after the WannaCry ransomware outbreak hobbled some systems within the NHS.
However, the head of operations for CSOC, Chris Flynn, says that bringing the vendor on board is more about continuously improving the NHS's data security capabilities than directly avoiding that sort of incident again.
The three-year partnership will see IBM bring its technical expertise into CSOC to improve threat monitoring, detection and response capabilities, as well as providing access to IBM's X-Force threat intelligence unit.
The story behind the partnership is a slightly long one: in 2015 the NHS established CareCert to centrally manage threats and large-scale incidents, plus monitoring for NHS Digital. That was created with BT, and when that contract came to an end NHS Digital began procurement activity in December 2017 for what was “essentially a continuation, plus new capability”.
According to Flynn, the general standard of the companies pitching for tender was “really, really strong”. Despite this strong competition, IBM was “top of the pile” thanks to a combination of technical expertise, quality and long-term value.
Despite the timing, Flynn says that the partnership was not about WannaCry. “We were doing this before WannaCry,” he says. “If we weren't doing this before WannaCry then our response would have been very different, because we wouldn't have been so well informed. We were able to monitor network traffic before WannaCry, and we were able to proactively identify the potential for threats.”
It is, instead, a “natural evolution” of the CSOC's capabilities. “We learned a lot in the past 14 months, but we learned a lot in the 15 months before WannaCry. Increasing capability and capacity is something that we need to continue to do on a day to day basis, otherwise we will drop behind the curve.”
In addition to boosting technical capabilities, NHS Digital also advocates training for people and processes. As such, the technical side is “just one component” that the organisation does to help protect healthcare, data and services.
“We've delivered over 200 training sessions to healthcare professionals over the past couple of years which are industry-recognised security qualifications,” Flynn says. “We've revamped the annual training regime that everyone in healthcare should go through on an annual basis to include more elements of data security.
“We also publish good practice guidance, around things like firewall configuration.”
According to Flynn there is also an increasing push for leadership to better understand cybersecurity within the NHS.
“I'm talking about board-level engagement – what we are also doing is board level training that isn't technical training, so it's not about asking a director to be able to identify which certification they should be using, it's about being aware... and hopefully, to ask the right questions. [So] we are trying to make sure the education starts at the top as well.”