Christiaan Beek outlines the McAfee take on cyber security post WannaCry
McAfee is a globally respected and recognisable brand which represents all that is good about protecting internet users from threats to the security of their data.
Yet McAfee is the first to acknowledge that IT and security professionals in healthcare organisations are facing unprecedented pressure. It stems from an increase in the demand for and complexity of services, the threats posed by legacy IT, and a number of new compliance issues in the UK and elsewhere, such as GDPR, Cyber Essentials Plus and the NHS Information Governance Toolkit.
Hospital Times editor John Whelan talked to Christiaan Beek, lead scientist and principal engineer at McAfee. He is based in the Netherlands but has responsibility for a global research team who advise McAfee customers throughout the world including healthcare organisations/vendors as well as the automotive industry. He says: “Alongside the challenges, outlined in your introduction, NHS hospitals are going through immense digital transformation, with new connected medical devices being introduced to improve the doctor and patient experience.”
Wake up call for IT healthcare professionals
In recent months, the aftermath of the WannaCry ransomware attack in May 2017 has produced much soul searching among healthcare IT professionals. As Beek puts it: “This was a wakeup call for many hospitals around how they can better protect their data as well as face the new challenges of compliance with, for example, the European Union General Data Protection Regulation (GDPR).”
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the introduction of the GDPR. Post May 2018, WannaCry would certainly be the sort of event that would need to be reported because it severely disrupted NHS services across the country. However, GDPR isn’t the only compliance challenge that health professionals face. There is also ISO 27001 and the NHS Information Governance Toolkit. As Beek says: “It’s not good enough to adopt a tick in the box approach to compliance; there needs to be a compliance culture in our hospitals that defines a solid foundation of information security.”
Hackers prey on legacy IT
McAfee is highly conscious of the risks that legacy IT poses to many healthcare organisations, especially from hackers, and of the resulting need to secure patient data. This isn’t without its problems and is often easier said than done. As Beek says: “A lot of legacy IT can’t be patched and we see numerous examples of systems in hospitals that have not been updated for five or six years and need replacing as a matter of urgency.”
In a press statement McAfee adds: “However, we’ve seen that despite the massive potential of the healthcare Internet of Things, a number of these devices are vulnerable to hacking – putting both hospital networks and the patients themselves at risk. It is essential to ensure these devices are not introduced at the expense of the safety of the patient and their data.
“Achieving this will be twofold: ensuring that the devices are built securely by design and with the necessary security controls in place; as well as a security policy for connected devices in hospitals, to ensure that they can’t access sensitive data and are regularly patched against newly-discovered vulnerabilities.”
However, McAfee sees one silver lining in the WannaCry crisis: many healthcare CISOs are finding a new-found consciousness among their boards of directors about the risks of cyber-attacks to NHS trusts. Clearly, CISOs need to harness this reaction to drive greater awareness of the need for enhanced cyber security.
And this is where McAfee can help its customers. Beek himself has been with McAfee for six years, and his global team specialises in research as well as, in his case, helping with law enforcement to beat the cyber criminals who prey on the potential vulnerabilities of even the best run hospital IT systems worldwide.