How technology can help ease NHS winter pressures

Sascha Giese, Head Geek™ at SolarWinds, discusses the failings of legacy NHS technology and how cyber security is vital for the well-being of the health service

Winter brings challenging circumstances for the NHS: seasonal bugs and flu, among other cold-weather conditions, place an increased burden on services and resources. Indeed, as recently reported by The King’s Fund, back in the winter of 2018/19, nearly all NHS beds were occupied due to 18,000 patients a day arriving as emergency admissions during February 2019. Peaks in demand such as this will test the resources of any organisation, even one as big as the NHS, and it is perhaps no surprise that important stakeholders such as the British Medical Association (BMA) have previously characterised the winter situation as a ‘crisis’.

The reasons behind the challenges faced by the NHS during winter are extremely diverse, but there can be no doubt that the reliability, resilience, and security of IT infrastructure are fundamental to the ability of any healthcare organisation to meet major spikes in demand, seasonal or otherwise. At any time of year, a security breach or any serious system downtime can cause huge problems for the delivery and efficiency of healthcare services. Add the extra pressure common at this time of year, and an inconvenient IT problem can quickly evolve into a wider crisis.

The failings of old technology
It’s inevitable that, as a public sector organisation with over 70 years of history, the NHS will always feel the impact of ageing IT. Even when the technology continues to do the job it was built for without obvious problems, this ‘legacy’ can bring with it an unwanted collection of deeply embedded problems, from reliability, collaboration, and performance issues to an inability to scale when demand rises. When older hardware and software are in daily, mission-critical use within organisations as large and complex as the NHS, the technical and financial issues associated with replacing them are intimidating.

A current example is the recent arrival of the end of support for Microsoft® Windows® 7 – an operating system widely used across the NHS. Microsoft has now stopped providing security updates and support for the product, and users have a choice of paying for extended support, upgrading to the current version of Windows, or sticking with what they’ve got in the hope they remain secure.

This is no small problem. According to information from the Department of Health, there are still ‘approximately 1.05 million NHS computers using Windows 7 from a total 1.37 million’. Aside from the difficulties of upgrading that number of computers to Windows 10 in the short term, it shows the sheer size of the task facing the NHS for any wholesale technology change. And the process can take years—indeed, five years after Windows XP went ‘end of life’, the NHS still has some 2,300 computers using XP.

There are always going to be challenges with using legacy technology. The key to keeping systems going is to make the risk as small as possible by implementing the necessary technology and training, primarily to stop cyberthreats in their tracks, but also to reduce the negative impact of a potential failure. Every organisation will face these issues; what’s important is how well they cope with them.

Cyber security – Vital to the well-being of the NHS
Building a strong cyber security strategy focusing on the key requirements of detection and prevention requires a co-ordinated approach from the top down. At a leadership level, efforts should include improving security best practices. For example, because the NHS employs around 1.7 million people, the risks presented by insider threats, whether unintended or malicious, are considerable. Indeed, the security risks from insiders can often be more numerous and acute than those coming from external criminal hackers or foreign governments.

As a result, end-user security awareness training, network access control, and effective patching are among the best routes to improving insider threat detection and prevention. In general, organisations investing in best practice often see an improvement in security effectiveness, and processes such as employee background checks can play an important role in controlling the risks presented by malicious insider threats. These should form part of ‘basic security hygiene’ for the NHS and will prove of immense benefit under almost all circumstances.

But this only represents part of the challenge. In their attacks against hospitals, cyber criminals probe a variety of apps, systems, and environments, trying to find critical servers where Personally Identifiable Information (PII) resides. These tactics make multi-layered defences essential: hospital network security needs to be augmented with intelligent threat monitoring, alert triggering, and automated incident response software to quickly remediate cyber security issues.

Ultimately, the perennial challenge for the NHS is one of funding. In the case of more advanced and sophisticated security tools, for example, the shopping list can be long. However, to help mitigate the risks of security problems exacerbating the wider winter pressures, intrusion detection and prevention tools, endpoint and mobile security, web application firewalls and encryption technologies are now ‘must-haves’.

It would be foolish to suggest technology alone can take away the challenges brought to the door of the NHS every winter. But it can certainly play a significant role in helping the organisation deliver infrastructure that is reliable, secure and can flex effectively whenever demand dictates.