Source: Ryan Lee, Cyber Security Principal, Threat Operations, NHS England, 16.10.2024
Ryan Lee explains how our Threat Operations team use a unique network of intelligence and techniques to detect advanced cyber threats before they can cause harm – and what everyone working in the NHS should do to help.
The NHS is one of the world’s largest employers and holds some of the world’s largest IT infrastructure.
NHSmail is Microsoft’s largest Office 365 tenant, and within our security tooling we encompass around 5.6 million devices. Every single one holds the potential to access sensitive data, which is essential for NHS colleagues to do their jobs, and valuable to those who may wish to do us harm.
This vast network is what makes the NHS so attractive to cyber criminals, who range from organised cybercrime and more sophisticated threat groups operating across the globe to opportunistic hackers simply looking for weaknesses to exploit.
Whether the motive is disruption, profit, or something else entirely, cyber attacks have the potential to halt patient care or damage public trust in us to safeguard their data. This means we must stay one step ahead of the attackers to make sure that ambulances can pick up patients, that clinical operations happen, that people can get a GP appointment when they need one, and so much more.
What is threat operations?
Our Threat Operations team specialises in the detection of cyber security threats to UK health and social care. Our mission is to proactively detect and inform on advanced cyber threats before they can cause harm to our organisations. Threat operations consists of 2 pillars – threat intelligence and threat hunting – which produce an array of specialist, threat-led capabilities to enhance security monitoring and response.
Leading with intelligence
Our dedicated threat intelligence team has built up a robust network of intelligence sources. We continually analyse this intelligence to identify new and developing threats to the healthcare system. We share our findings with leaders and technical teams throughout the NHS to help us respond collectively. Think of us as knowledgeable partners, here to help individual NHS organisations make the best cyber security decisions.
To gather the best intelligence, we centrally inject intelligence feeds into our security tools, generated from commercial sources, curated open source, and our own bespoke threat intelligence insights. We also provide darknet and credential compromise monitoring and undertake intense study of how threat actors are operating.
To share our findings, we offer the healthcare system strategic products, tactical intelligence, and advice on the best ways to mitigate emerging threats, and we use modelling tools to predict what is likely to happen next.
Proactively hunting
Working alongside our intelligence team, our sophisticated threat hunting function uses intelligence to identify the newest types of malicious activity that aren’t yet detectable through tried and tested cyber security methods.
Most organisations might have one threat hunter (if any at all) within their cyber security function, but we have a full team investigating a significant number of queries each day to safeguard healthcare and fortify our systems.
We also create bespoke analytics honed specifically for threats targeting our healthcare systems and environments. This ensures tailored precision in our defence strategy. Using our simulation environment, we can even emulate the tactics of real cyber attackers targeting healthcare systems.
During complex cyber security incidents, we also provide deep analytical support.
Our secret weapon
Cyber criminals’ tactics evolve rapidly, so diversity of thought and experience is key to our success. We need our team to see things from all kinds of different angles to be able to hypothesise what threat actors might be thinking about doing next.
To achieve this, we’ve built a team of colleagues from all walks of life, including seasoned cyber security professionals, newer colleagues who’ve recently finished formal cyber security training, and colleagues who have changed careers to protect the NHS – from ex-military and teachers to experienced business managers and more.
The attackers are diverse, so we need a diverse team and approach to combat them.
Defend as one
Our security tooling blocks millions of cyber security threats to the NHS every month. It’s a huge number that illustrates the value of the NHS network to malicious actors hoping to disrupt or profit from us.
But the size of the NHS is also a huge strength when we all work together.
The NHS unites people to work under intense pressure, and I believe we do the same in cyber security, where everyone in the community plays a role in its protection. We need to deeply embed cyber-safe ways of working into everything the NHS does. A big part of that involves providing a robust central technical defence, but it also needs to involve every single NHS colleague working together to build cyber-secure habits into our everyday ways of working.
Deploying a robust cyber security defence to help protect the NHS is a complex and continual process, but one that we’re committed to.
After all, cyber threats are relentless. But so are we.
What you can do to help
Technical teams
Making sure our Cyber Security Operations Centre (CSOC) has visibility of your part of the NHS network is central to supporting our work; the more of the NHS network we can see, the more support we can offer. Read more on how our centrally funded products and services achieve this and help us work together.
All NHS colleagues
Lots of information and resources are available to help understand how you can help keep the NHS cyber safe. You can run your own NHS Keep I.T. Confidential campaign and listen to the cyber sessions podcast.