How focusing on security became the centre of UHNM NHS Trust's digitisation efforts
The University Hospitals of North Midlands (UHNM) NHS Trust turned to Ordr to secure everything from PCs to CT scanners
When Mark Bostock started working in healthcare more than two decades ago, the role of IT was largely administrative. Computers helped staff manage appointments and perform basic tasks, but if a system went offline it was still possible to continue with old-fashioned pen and paper.
These days technology is essential to the day-to-day operations of the NHS, helping it maximise resources and enhance the quality of service it offers patients. Many treatments rely on dedicated medical equipment and electronic patient records are used across the whole spectrum of health and social care.
So, if a system does go down, it can be a catastrophic scenario that prevents patients from receiving lifesaving treatment, while a cyberattack could have a serious impact on trust and undermine any further digitisation.
The reality of this scenario was laid bare by the WannaCry ransomware attack of 2017, which compromised critical systems, closing hospitals and cancelling appointments.
"We're becoming increasingly dependent on IT and if a patient is having an appointment, then the clinician needs timely and accurate data," explains Bostock, who is now information management and technology director at the University Hospitals of North Midlands (UHNM) NHS Trust. "If we lose our IT systems, then we're not treating patients."
As part of his role, Bostock sits on the trust's board of directors and is responsible for its IT systems, health records, general information management, and security.
This complex environment includes 200 different systems, as many as 8,500 end user devices such as PCs and tablets as well as dedicated medical equipment like CT scanners, blood analysers, and electrocardiogram (ECG) machines.
The digitisation of the NHS is an ongoing process that will eventually lead to further efficiencies, better care, and improved quality of life for millions of people. The wider collection and analysis of greater volumes and a wider variety of data is at the heart of this transformation, allowing for more personalised, real-time treatments powered by the Internet of Things (IoT) and artificial intelligence (AI).
This increased reliance on technology heightens both the risk and the potential consequences of a cyberattack, however. The introduction of more devices into an IT environment complicates the management challenge even further and provides more attack surfaces and potential vulnerabilities that can be exploited.
Compounding this threat is that medical data is both extremely sensitive and extremely valuable, making the NHS a more attractive target for hackers. A breach would not only cripple key systems but would undermine public trust in the organisation and have financial implications – both in terms of the disruption caused and regulatory penalties.
Although NHS trusts conduct all manner of risk assessments and contingency plans for emergency events like for floods and fires, the ever-changing nature of cybersecurity means protections become out of date far more quickly than with natural disasters.
"We do a lot in terms of keeping the organisation secure in order to ensure continuity of service," Bostock says, adding that the NHS has provided trusts with resources to do so. "It's much simpler to make sure we have the right mechanisms and software defences in place [for end user systems and devices].
"We worry more about our medical and IoT devices that typically rely on operating systems, software and firmware that is much more difficult to keep up to date. We will keep some of the larger, more expensive medical devices for several years and sometimes the OS can go beyond its supported timeline.
"We have measures such as perimeter defences and network segmentation to protect these systems but at an end point level they can still be vulnerable."
The thought of another WannaCry is not something that UHNM NHS Trust could contemplate, which is why Bostock turned to Ordr, an IoT and connected device security firm, to protect its equipment. The company was brought to the Trust's attention by partner M8 Solutions, a healthcare IT specialist, which saw how Ordr's technology could be applied to the NHS and solve these security challenges.
"Ordr was very easy to work with," says Bostock. "I had a long conversation with the CEO, and he couldn't do enough to support us at all stages from the proof-of concept. He quite rightly had a high level of confidence and understanding of how this could help an NHS organisation."
Whereas the trust previously had to contend with multiple, disjointed management tools, Ordr's Systems Control Engine (SCE) provides Bostock with a single pane-of-glass view of all its assets.
The IT team has visibility over every single device connected to the UHNM network, whether it's a computer or an MRI scanner, and can see which versions of an operating system each piece of equipment is running. The platform even indicates which version of the software each device should be using to remain secure, helping the IT team apply updates as quickly as possible.
The platform, which is hosted on-site, complements UHNM's other security provisions – such as Advanced Threat Protection (APT) from Microsoft and Darktrace's AI-powered services – and the data that is collected feeds into algorithms that can automatically detect anomalies. The software learns how devices behave normally and then informs the IT team if there is an issue anywhere on the network.
This degree of visibility and capability ensures UHNM NHS Trust is doing everything it can to safeguard its hospitals and its patients. The security and trust of the public is essential, Bostock says, if the NHS is to achieve its digital ambitions and improve healthcare through future technologies like AI and telehealth services.
Trusted AI 101
A guide to building trustworthy and ethical AI systemsDownload now
"The NHS is changing into a more proactive organisation," he says. "At the moment, you come in if you feel ill, but this is quite expensive, so the NHS is becoming more proactive. We're looking at things like population health management, using AI to spot trends and trying to stop people getting ill in the first place.
"There's also personal health management for long-term conditions, so that if the patient's condition does worsen then we can intervene as early as possible and keep them out of hospital and healthier for longer.
"It's about getting the right information to the clinician at the point of care and getting the right information to the patient. There are AI-driven technologies that can detect any deterioration and telehealth alerting systems that integrate personal devices like smartwatches and [contribute] to electronic health records."
"Better treatment [is possible] but we're never going to achieve this if the patient can't trust the NHS."
Preparing for AI-enabled cyber attacks
MIT technology review insightsDownload now
Cloud storage performance analysis
Storage performance and value of the IONOS cloud Compute EngineDownload now
The Forrester Wave: Top security analytics platforms
The 11 providers that matter most and how they stack upDownload now
Harness data to reinvent your organisation
Build a data strategy for the next wave of cloud innovationDownload now