Driving forward the NHS 10 Year Health Plan’s commitment to move 'from analogue to digital' means cyber security is more critical than ever. As we build a digitally-enabled health service, where patients can access care 24/7 through the NHS App and other digital channels, robust cyber defences are essential for patient safety and continuity of care.
In the event of a major cyber-attack, my team in the Cyber Security Operations Centre (CSOC) leads the response: helping minimise potential harm to patients while supporting NHS organisations in upholding the highest cyber-security standards.
This spirit of collaboration between local readiness and national expertise shapes a resilient health system, ensuring that as digital transformation accelerates, security remains at the heart of patient care.
Leading incident response – the digital emergency services
Hundreds of incidents come through our team every month. The more serious or complex cases are escalated to us by our colleagues in CSOC's intelligence and threat monitoring teams.
Our response starts by reaching out to the impacted organisation, for example, an NHS trust, to understand the best actions to take to stop the incident from going any further.
With the clock ticking, we must quickly understand the organisation's priorities because the best technical course of action could have unacceptable consequences.
So, we're constantly evaluating and rethinking the right action to take, balancing the risk that an attacker is inside a system against the risk of turning off that system to prevent the attacker causing more harm.
That's where our team adds real value. We deal with serious incidents full-time and bring established processes and partnerships to organisations for whom this is a rare event. Importantly, we have clinicians embedded within the team, so when hard decisions need to be made, they’re informed not only by cyber risk but by deep clinical understanding too. Everyone involved knows what needs to be done to get things under control.
We can quickly and expertly pull people and information together so the right decisions can be made, with no loose ends. For example, we often work with law enforcement, the National Centre for Cyber Security (NCSC), clinical leads, cyber regional leads and many other stakeholders.
The investigation and recovery
When the threat is contained, we'll investigate what the attacker achieved. Maybe they've taken data or put something on the organisation's network that allows them to gain access later on when they think we've stopped looking.
Digging deeper, we might find out that the attacker breached the organisation through a vulnerability in a supplier's network, so we bring the supplier into the response.
Sometimes we deploy a computer incident response team (CIR), our 'boots on the ground' team, to support the organisation and carry out an in-person deep dive on the computers that have been most heavily impacted. We can then start to map out what the organisation needs to do to fix any damage and vulnerabilities.
Being ready to respond – your role in keeping the NHS secure
Cyber criminals often target easily accessible systems due to time and financial limitations. They generally do not seek complex challenges, which is why it is recommended to address high severity alerts (HSAs) promptly.
Given the recent number of high-profile attacks on high street names, now is the perfect time to reflect on how every NHS organisation can strengthen their cyber security foundations. There are lots of things NHS organisations can do now to be ready to work with CSOC should your organisation be impacted by a cyber incident. Here are 3 examples:
1. Audit your assets
Maintaining a registry of your organisation's assets, including owners, patching levels, and how the assets are used, is invaluable if you're impacted by an incident.
2. Update your out-of-hours contact lists
This may sound simple, but it's often overlooked. Chances are a cyber incident won't arrive at a convenient time, and having up-to-date contact lists can be a huge timesaver.
3. Review your email accounts and passwords
Set strong passwords using the '3 random words' method for users, and complex, system-generated passwords for service accounts. Store these securely and automate account management with a joiners, movers and leavers (JML) process linked to user directories. Use password managers and enable multi-factor authentication where necessary.
Ready to respond
As we transform the NHS into a digitally enabled service over the next decade, this partnership between local preparedness and central expertise will be more important than ever in keeping patients safe, and care flowing.
Learn more about being ready to respond.
Last edited: 17 November 2025 3:17 pm