NIS Regulations: A New Era of Cybersecurity for England’s Healthcare Sector
Table Of Contents:
When you think of the challenges faced by the National Health Service, things like a lack of funding and staff, long waiting lists, a growing population, and constantly changing patient needs might come to mind.
Yet a single cyber attack has the power to knock all of the NHS’ critical information communication systems offline, making it harder for frontline doctors and nurses to do their jobs and ultimately save lives. The infamous WannaCry cyber attack, conducted by North Korean hackers, infected computers across 595 doctor surgeries in England and disrupted the running of one-third of English NHS hospital trusts.
Along with impacting the day-to-day operations of doctor surgeries and hospitals across the country, cyber attacks against the NHS can also result in the leakage of sensitive health data. In June, The Independent reported that cyber criminals stole the personal data of 1.1 million NHS patients in 200 hospitals after launching a ransomware attack on the University of Manchester. It’s believed that this leaked data included patients’ NHS numbers and part of their home postcodes.
Looking to prevent future cyber attacks and data leaks affecting the NHS, the Joint Cyber Unit has released new guidance regarding the rollout of the Network and Information Systems (NIS) regulations across healthcare organisations in England. This decision suggests regulators now view healthcare data as a Critical National Infrastructure (CNI). So, why is this the case, and what does the new guidance mean for healthcare providers in England?
What Are NIS Regulations?
The NIS regulations, which entered the law books in May 2018, aim to strengthen the cybersecurity posture of operators of essential services (OESs). These organisations provide services critical to a functioning society and economy, including transport, water, electricity, and now healthcare.
In new guidance, government officials describe healthcare as “an essential service under the NIS Regulations”. It classes NHS trusts, foundation trusts, integrated care boards (ICBs), and specific independent providers as “OESs for healthcare services”, meaning they must take appropriate steps to comply with the NIS Regulations.
Under these rules, healthcare organisations must be capable of managing any cybersecurity threats impacting the network and information systems they use to deliver essential services. This involves preventing and minimising the effect of cyber attacks on healthcare networks and information systems while “ensuring the continuity of those services”.
The NIS regulations mean that healthcare providers must adopt “comprehensive risk management practices”, according to Jack Porter, Public Sector Specialist, Logpoint. These measures include “assessing potential risks, implementing security measures, and regularly reviewing these to protect patient data”.
Healthcare providers must also implement “more supply chain security-related policies” to comply with the NIS regulations. Porter says: “This means ensuring that partners and suppliers adhere to strict security standards for healthcare providers, especially when handling patient data or providing critical services.”
When it comes to mitigating cyber security risks and ultimately complying with the NIS regulations, Porter recommends that healthcare providers adopt an information security management system (ISMS). He adds that implementing a security and incident event management (SIEM) system would enable healthcare organisations to “detect and respond to incidents” and comply with industry standards like ISO 27001.
Emerging technologies like blockchain could also help healthcare providers protect crucial systems from cyber attacks and data leaks. Simon Bain, AI expert and CEO of OmniIndex, explains that the decentralised technology “offers enhanced security, privacy and transparency over legacy infrastructure”.
He continues: “This is because it is encrypted end-to-end, has no central location for a criminal to attack, and utilises AI to continually authenticate and authorise access to ensure only those who have permission to view certain data can view it. Furthermore, stored data is immutable. This means that even if an attack was successful, the data cannot be encrypted by an attacker and held to ransom.”
Reporting Cyber Incidents
If a healthcare provider’s network and information systems are impacted by a cybersecurity incident that affects the continuity of their essential services, they must file a report using the Data Security and Protection Toolkit (DSPT).
They need to report the incident at least 72 hours after noticing it and include information on how many users were impacted by a breach, its length, and the impacted geographic location.
Porter says the NIS rules are similar to GDPR in that they aim to “broaden incident reporting requirements beyond those which affect the continuity of service. He explains: “Healthcare providers must report significant incidents affecting their network and information systems with recommendations of a security audit.”
He says adopting a SIEM platform enables case managers of healthcare cybersecurity incidents to “speed up investigation and response”. These systems provide log threat intelligence, giving investigators a “complete picture of what’s going on” and allowing them to “create reports directly from each case”.
Why Is NIS Important For Healthcare?
There are several possible reasons behind the UK Government’s decision to make the NIS regulations applicable to the English healthcare sector. Perhaps the biggest motivator is that a complex variety of interconnected systems play a critical role in the day-to-day delivery of modern healthcare.
From electronic health records to internet-connected diagnostic equipment, health technologies are beating the heart of the NHS in 2023. But they are also a lucrative target of cyber criminals and must be protected to avoid catastrophic cyber breaches that could affect the English healthcare system.
Matt JD Aldridge, principal solutions consultant at OpenText Cybersecurity, says the “extremely sensitive” nature of healthcare data and its value to cyber criminals are likely significant factors in the government’s decision to apply the NIS regulations to the English healthcare system.
“If an attack was to disrupt a medical facility, then it brings severe risk to patients. This is why the industry is very much in the spotlight and, therefore, must address security in multiple ways,” he says.
“Also, there have been numerous, well-publicised attacks or breaches on the NHS over the last few years, which may have spurred this realignment to ensure better protection and guidance to healthcare organisations as a whole.”
The coronavirus pandemic highlighted the importance of the NHS during a public health emergency, so it could be argued that a disrupted healthcare system would be bad for British national security. By improving the cyber resilience of the NHS, nation-states won’t be able to disrupt Britain’s ability to provide critical care during future pandemics and other public health crises.
Subjecting healthcare providers to the NIS regulations will enable them to implement cybersecurity best practices to mitigate future cyber-attacks and data breaches, which would otherwise put patients at risk, result in hefty fines, and cause reputational damage. England’s decision to strengthen the cybersecurity of its healthcare sector in this way will likely inspire other nations to take similar steps, increasing Britain’s influence on the world stage.
Making The NIS Regulations Work
Despite their benefits, the NIS regulations may present various challenges for healthcare organisations in England. Smaller providers, particularly, will be hit by the financial burden of purchasing cybersecurity systems and updating legacy IT systems. Doing these things also requires specific expertise, which small healthcare providers may not have in-house. Training staff on identifying and responding to cyber-attacks will take some time.
Overall, the rollout of NIS regulations across the English healthcare sector will protect it against existing and emerging cybersecurity threats. But for this transition to be successful, close collaboration between governments, regulators, healthcare providers, and cybersecurity experts is fundamental.