John Noble CBE on cyber hygiene and defending the healthcare industry from digital threats

John Noble CBE brings an incredible wealth of experience to the Reliance acsn Advisory Board. He has worked as the Director of Incident Management at the National Cyber Security Centre (NCSC), where he led on nearly 800 major cyber incidents; and spent four years serving at the British Embassy in Washington DC.

Few people in the industry know more about creating collaborative, diverse and high performing teams than John. He was awarded a CBE in 2012 for his work in creating effective partnerships in the run up to the London Olympics.

During more than 40 years in government service, John has developed unrivalled experience in understanding and addressing cyber issues. We recently caught up with him to discuss cyber hygiene and the increasing attacks on the healthcare sector.

What is cyber hygiene and why does it matter?

The term “cyber hygiene”, or the similar “cyber basics”, refers to taking steps to defend against cyber incursions. Common cyber hygiene practices include regularly patching systems, robust credential management (including the use of multi-factor authentication), the protection of systems administrators and ensuring that configuration errors are not made.

When we caught up with John he emphasised that terms like “basic” and “poor cyber hygiene” suggest that getting these foundational activities right is easy. The truth is that these activities are very challenging, particularly for organisations with complex IT. As a result of the pandemic most organisations are even more dependent on their IT and in many cases it is becoming increasingly complex.

“The team responsible for IT will inevitably uncover security vulnerabilities. The threat does not stand still and so anyone who isn’t finding areas for improvement is complacent and arguably not up to the task. Addressing any weaknesses may have an impact on usability or cost. The challenge is not therefore just technical knowledge but an ability to communicate the seriousness of the issues and articulate solutions to decision makers.”

He continues, “training is important when it comes to helping people to recognise threats, but you can’t rely entirely on training – it just takes a single person out of 100 to click on a phishing email and potentially compromise the organisation. You therefore need to have some ‘defence in depth’ and make use of technology to protect your systems. For example, two- or multi-factor authentication is very important, as well as a simple process for the reporting of phishing emails to the IT security team.”

The board also plays a key role in creating a culture of cyber hygiene. “I think the vast majority of senior leaders take cybersecurity seriously,” says John. “They understand the risk – but many don’t quite appreciate how much more dependent they are on their digital infrastructure following the pandemic. Organisations generally haven’t raised investment, so there’s a mismatch between use and defence. The question is how involved the board will be in the organisation’s cyber defence.” Are they being presented with clear information that highlights weaknesses and clearly articulates the required decisions? The closer the relationship between the experts and the board, the more effectively an organisation can address cyber issues.

Why are cyber criminals targeting healthcare – and what can be done?

Unfortunately, the healthcare sector is an increasingly common target for malicious actors. Outlining the issue at large, John says “often the spend on cybersecurity and IT generally is very low compared with, say, the financial sector. Some of the publicly available figures for the NHS show that the level of IT spend is way below the target.”

“Now, it’s easy to assume that this is a bad thing, but the reality is that every penny you’re going to spend on cybersecurity is money not being spent on somebody’s heart bypass or other urgent need.” As a result of this – and the complexity involved in change – legacy systems are often left in place for longer than in other industries. At this point, when systems become vulnerable, cyber security becomes a patient safety issue.

“There’s a problem in healthcare generally, not just in the UK, that the levels of security are low while the data that’s being protected is highly sensitive.” John’s former organisation, the NCSC, recently announced that last year 20% of attacks it mitigated were in the healthcare space surrounding the rollout of the Covid vaccine.

John notes that the NCSC moved a lot of resources into protecting the NHS and healthcare supply chain during the pandemic. That was of enormous benefit. There have even been, he says, “some examples of nation states who targeted the healthcare system to find research data around vaccines.”

On a larger scale, the most significant trend is the increase in ransomware attacks. In the Republic of Ireland, for instance, the Health Service Executive was recently hit by a ransomware attack which resulted in threats to publicise patient data and caused significant disruption.

The healthcare sector has undergone rapid digitalisation during the pandemic – the NHS app has grown significantly to 22 million users – and this has produced significant benefits to the public. For a start, rather than going into a GP’s surgery to update your address or phone number, people can do it digitally, and many areas have extensive online services. However, this process could also create potential opportunities if such services are not handled securely.

“As we increase the use of data, we must also increase our investment in security,” John explains. “Frankly, with an ageing population and a finite amount of money, it makes sense to digitalise and seek efficiency and improvements to patient care. We just must remember that there are high stakes, and failure to keep the data safe would compromise trust in the NHS.”

“I think what you must do is encourage the people making investment decisions to always consider security. Boards will hold responsibility for data breaches impacting their organisation – whether it’s the NHS or a private company – so it’s in their interest to take proactive responsibility for security,” John concludes. As non-executive director at NHS Digital, John is responsible for assuring cyber security and information assurance. The NHS Digital Board sees cyber security as a crucial issue. A high priority is placed on overcoming the challenges of defending a system of this size and complexity, as well as making sufficient improvements to NHS cyber security to ensure all systems and data are protected.