The NHS procurement process is huge and complex, making it vulnerable to cyber attacks. How can the service protect its supply chain?
The NHS faces a growing cyber threat, with the supply chain a particular vulnerability. What is the nature of the problem – and how can it be addressed?
The health service’s procurement process is as complex as it is sizeable. Cybercriminals will take the easiest attack option, and that weak link can often be found downwind in the supply chain.
Elizabeth Giugno is head of category for cybersecurity at Crown Commercial Service (CCS). In a recent article for Digital Health, she noted that the NHS has seen a “significant increase in cyber attacks since the beginning of the pandemic” and flagged the procurement process as a key focus for cyber resilience.
So how exactly do cyber attacks threaten the procurement process? A November 2021 National Cyber Security Centre (NCSC) report revealed that ransomware attacks are unsurprisingly high on the healthcare agenda. This highlights the danger of social engineering – where a victim is tricked into opening the doors to an attack – and the threat posed when systems aren’t up to date with security protections.
“The NHS struggles to get devices delivered with current and supported operating systems and especially keeping these maintained and patched once they are in,” says Phil Howe, CTO at Core to Cloud, which provides cybersecurity technology and services into the NHS.
“Ransomware is clearly the major issue facing healthcare today,” says Dr Saif F Abed, founding partner of Cybersecurity Advisory Services at The AbedGraham Group, a clinically led regulatory affairs and risk management consultancy in the healthcare space. When products and services are under consideration, procurement processes must be robust enough to judge their resilience “in the face of increasingly sophisticated attackers”.
Physician, heal thyself
Dr Jacqui Taylor is CEO at cloud service architects FlyingBinary and an advisor to the UN on the effective use of new procurement practices. She underlines the complexity of the health service and the impact this has on the supply chain:
“We always discuss the NHS as if it was an organisation - it is not,” Taylor says. “It is a complex series of organisations, most of which have autonomy for the way in which they procure services and often the services they supply.”
Take GPs, the front-line physicians who are often the first contact for patients. There were 35,146 GPs around the UK in 2020, whose surgeries function as small businesses. Across such a fragmented estate, interoperability is a key weakness of NHS procurement.
“From a cybersecurity perspective the NHS is a distributed organisation which is connected by technology,” Taylor says, one where “the cyber risks are unquantified and not understood, certainly not by the majority of the people who work there.”
Mitigating the risk
Unsurprisingly, there are plenty of measures already in place to help secure the NHS supply chain from cyber attacks. These include the mandatory DCB0129 Clinical Risk for Health IT standard, under which suppliers must show that they’ve benchmarked and assessed the patient safety impacts should their solutions be compromised. There’s also the Data Security Protection Toolkit (DSPT), which demands baseline technical security standards and sets 10 security standards around people, process and technology to help guide trusts. “Both of these can help de-risk procurement,” Abed says.
Then there’s the Edge4Health platform, which aims to streamline the processes between suppliers and providers while increasing compliance. This should provide a more agile way for procurement teams to engage with suppliers, while creating transparency in the process, according to Abed.
The problem from a purely cybersecurity perspective is that it’s hard to judge how successful it can actually be. The reason, according to Abed, is that integrating standards and auditing their applications post-procurement are “distinctly different challenges”.
Taylor says the platform is yet another example of reinventing the wheel, something the NHS “is famous for”. Indeed, the one-stop-shop idea is “almost but not as comprehensive as the set of cyber services that NHS Digital recommends via the NCSC framework,” she says.
And then there’s accreditation. Is it realistic to expect requirements like ISO27001 or Cyber Essentials/Plus to reach all the way along complex supply chains?
These are all about reviewing the controls within a statement of applicability, Howe says. They help to “show that a supplier has put in place, documented and audited their internal security.”
However, while agreeing that such baseline standards are positive, Abed warns that they aren’t healthcare specific. Ultimately, “accreditation is only one step in a complex process to effectively manage risk,” he says.
Supply chains are more vulnerable than ever across all sectors. This presents a particularly tricky challenge for the NHS. Ultimately, asking difficult questions of the wider supply chain is essential to prevent weak links in the NHS procurement process.
“Further investment in auditing suppliers and supporting local procurement teams” will have a significant impact, along with ensuring accountability, Abed concludes.
As for the suppliers themselves, Taylor advises that without NCSC Cyber Essentials accreditation, they “don’t have a chance of understanding how to work across the NHS estate.” Any supplier must understand the importance of scale across such a huge and complicated operation. “As a supplier, I recommend you agree the scale proposition upfront so you can be sure of the cybersecurity controls you will need.”