On 12 May 2017, just after 4pm UK time, news that various NHS Trusts had been affected by a ransomware attack broke across major media channels. News channels had previously been engulfed in every incremental development of the general election campaigns and the sacking of the Director of the FBI. These stories very quickly took a back seat as panic ensued: operations were cancelled, patients were turned away from A&E and doctors resorted to pen and paper in the absence of electronic medical records. NHS England declared it a “major incident” while Theresa May stepped in to restore calm, assuring the public that it was not believed that any patient data had been accessed by the cyber attackers. While a situation where patient data is not compromised is better than one in which it is, attacks like the one we have just seen often cause a backlash against digitisation in general, rather than against the older, vulnerable operating systems involved.
Firstly, we should be clear in saying that all web-based systems have the potential to be hacked and no system will be 100% safe from cyber intrusion. The presence of sensitive data and such a systemically important digital infrastructure will mean that the NHS will always be a target for hackers trying to 'level up', in the same way that athletes look for harder and more complex challenges to push themselves to the limit. Secondly, this cyber attack was not directed solely at the NHS. At the time of writing this article, organisations in many different industries in over 150 countries have been affected. Much like the financial crisis, where people around the world were vulnerable due to their common exposure to financial institutions such as banks and mortgage lenders, people and organisations alike have been shown to share a common vulnerability to ransomware, malware and other kinds of viruses due to their common exposure to the internet. So how should we proceed? Clearly it is not a viable solution to revert to the pre-internet age. The solution, as we see it, is to have systems in place which are secure by design, more resilient to attacks and can be redeployed quickly.
Some of the greatest threats to personal data, in which such confidential information is actually compromised, are not from the type of attack that hit the NHS. Often the weakest part of a system storing sensitive data is the human with access to it. In an era where systems have become more secure and increasingly harder to break into, it is easier for hackers to convince someone to open the door for them from the inside instead. This so-called social engineering is a growing and possibly more worrying threat, affecting even the most tech-savvy companies. It can range from a disgruntled employee selling the data to a competitor; to an employee who wants to see the data of someone they know and asks for help from a third party, who then gains access to the system; or even just an employee leaving their password on a sticky note in an obvious place. Tech companies are providing solutions for this problem by monitoring the suspicious activities of users and trying to stop them before it is too late. However, this issue is one which data controllers and processors need to be aware of, since data is actually captured, unlike with ransomware, whereby the hackers close down access to the system but do not take the data.
It is for these two key parallel threats that public bodies and companies working with sensitive personal data need to be adequately provisioned and kept up to date. This is why new systems and technologies, which have the ability to keep up with such threats, are vital for bodies such as the NHS.
In the storage and use of healthcare data in the UK, the Caldicott Principles set the benchmark. One of the Caldicott Principles of data management states that “access to patient identifiable information should be on a strict need-to-know basis”. When developing the system for Rorytech we incorporated data security by design, with both an audit trail and a network system whereby data use is conditional on the consent of the patient. This creates a system more resilient to data leaks: any person with the authority to view patient data can only see as much patient identifiable information as they have been given explicit permission to see, and because their audit trail can be monitored for activity, anything unusual can be flagged at an early stage.
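The three controls described above (consent-conditional access, need-to-know field scoping per role, and an audit trail that can be scanned for unusual activity) fit together in a small access layer. The following is an added illustration, not Rorytech's code: the patient records, consent register, role scopes and the flagging threshold are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records; identifiable and clinical fields live side by side.
PATIENTS = {
    "P001": {"name": "Alice Example", "nhs_number": "000 000 0001", "dob": "1970-01-01",
             "diagnosis": "asthma", "medication": "salbutamol"},
    "P002": {"name": "Bob Example", "nhs_number": "000 000 0002", "dob": "1980-02-02",
             "diagnosis": "hypertension", "medication": "amlodipine"},
}
IDENTIFIABLE = {"name", "nhs_number", "dob"}

# Need-to-know scopes per role (constructed): an analyst compiling metrics
# never receives identifiable fields, a clinician never receives the NHS number.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medication"},
    "analyst": {"diagnosis", "medication"},
}

# Constructed consent register: which roles each patient has consented to.
CONSENT = {"P001": {"clinician", "analyst"}, "P002": {"clinician"}}


@dataclass
class RecordService:
    audit: list = field(default_factory=list)

    def get_record(self, user, role, patient_id, purpose):
        """Return only the fields the role may see, and only with patient consent.
        Every attempt, allowed or denied, is appended to the audit trail."""
        allowed = role in ROLE_FIELDS and role in CONSENT.get(patient_id, set())
        self.audit.append({"user": user, "role": role, "patient": patient_id,
                           "purpose": purpose, "allowed": allowed})
        if not allowed:
            return None
        return {k: v for k, v in PATIENTS[patient_id].items() if k in ROLE_FIELDS[role]}

    def flag_unusual(self, max_patients=3):
        """Flag users with any denied attempt, or who touched more distinct
        patients than a (constructed) threshold: a simple early-warning rule."""
        seen, denied = defaultdict(set), defaultdict(int)
        for e in self.audit:
            seen[e["user"]].add(e["patient"])
            denied[e["user"]] += 0 if e["allowed"] else 1
        return sorted(u for u in seen if len(seen[u]) > max_patients or denied[u])
```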
The platform we are developing would mitigate the risk of a cyber attack or data leak by design. As opposed to building a monolithic software application, where a single point of failure is exposed and security patches cannot be distributed, we aim to provide a series of discrete microservices by splitting larger applications into smaller components. Microservices ensure that any successful attack will only affect a small subset of functionality; for example, you may not be immediately able to book an appointment, but you will still be able to access patient records.
With regard to database security, there is never any direct communication with a database; instead there are controller and repository validation layers and ORMs in between. Regular backups would be carried out and database sharding would be implemented, whereby horizontal partitions of rows are held in separate databases. Storage space is cheap, so it is relatively cost-efficient to make regular database backups to mitigate against data loss. By acting as middleware, we would only communicate with patient data through authenticated and authorised API calls, and only bring into working memory what is necessary for daily operations and the compilation of metrics, never exposing raw data to the GUI.
Since we are building a stateless, sessionless web service, all interactions are represented as RESTful API calls. All API calls are idempotent, meaning that whichever of the load-balanced server nodes is hit, the end result will be the same. This allows us to patch and UAT individual servers without bringing down the entire system, and to mitigate against a cyber attack by taking down a corrupted server without affecting general functionality. It also allows duplicate test servers to be created, so that penetration testing and performance testing can be carried out in safety. Security can be bolstered further if a partnership is developed with NHS data gatekeepers allowing us to host our servers on the same VPN, meaning all calls are invisible to the outside and secured with appropriate protocols (SSH, HTTPS, SHA encryption, etc.).
In short, new approaches based on existing capabilities have the potential to mitigate the chaos seen across the NHS on Friday. Investing in such approaches will reap significant returns for the NHS in the short and long term. One of the responses of the healthcare sector should be to be open about how data is used and secured. That openness can create trust, disseminate knowledge and help healthcare providers understand whether they have gaps in their systems.
If you want to find out more about Rorytech’s approach to cyber security, get in touch. It is one of the crucial elements in the pioneering platform we are developing to improve the experience for patients accessing healthcare and create efficiencies for those delivering it.