Private technology companies providing IT to the NHS need greater scrutiny over hacking threats to patient data amid “deficient” security monitoring.Technology firms storing patient on online databases could be targeted by hackers, a report into healthcare cyber security has warned, with several US health technology companies hit by cyber attacks and data breaches in recent years. The report from Imperial College London said there were warning signs in the US that healthcare cloud providers were failing to stop cyber attacks. 

“As of January 2019, 416 cases were investigated ... involving security breaches of health information, 47pc of which were caused by an IT incident or hacking,” the report said.

Cyber attacks on cloud data stores have already led to millions of patient records being leaked online, including a data breach of 12 million US patient records from a database used by medical technology firm Quest Diagnostics discovered earlier this year. Another company, LabCorp, also had 7.7m records compromised from the hacked database.

The report said the NHS had become “completely reliant on third parties to store and protect their data”. It said NHS systems offered “deficient monitoring” of third-party firms and changes were needed at NHS trusts to “continuously monitor” the security of IT vendors.

The warning for Britain's health service came as part of a report calling on the NHS to take urgent steps to protect patient data against hackers, with faulty or outdated IT systems and complex medical devices creating a risk to patient safety. NHS IT suppliers are increasingly turning to internet storage, the cloud, for their data systems. EMIS, a major NHS outsourcer, last year said it would move records of 40 million patients onto the cloud using Amazon's Web Services business. The Imperial College paper added there were few rules on emerging technologies, from artificial intelligence algorithms to robotics, to ensure safety is secured. Dr Saira Ghafur, a co-author of the paper, said new rules were needed to ensure tech start-ups and IT firms that worked with the NHS met a high standard for cyber security. “It’s just trying to make sure that we’ve got some kind of regulation in place that ensures these companies are taking security as a key issue, not leaving it as an afterthought,” she said. “This is not just an IT issue, this is a patient safety issue.” Professor Eerke Boiten, a cyber security expert at De Monfort University, told The Telegraph there were still concerns over how patient data was used by private companies. “Any story about data being made available to a start-up or in the cloud should cause alarm bells to go off,”

Britain’s ambassador complains about exclusion from discussion of risk posed by Huawei

British diplomats in Brussels have been shut out of a key EU meeting to discuss cyber security even though the UK has not left the bloc — a sign of tensions to come should London get another Brexit negotiating extension. Tim Barrow, Britain’s head diplomat in Brussels, on Friday wrote a letter of complaint to the European Council’s top civil servant protesting at British officials being “disinvited” from an EU28 meeting on the bloc’s cyber standards on June 25.

One of the items on the agenda was a discussion about how to protect Europe’s 5G networks amid concerns about the security risks posed by Chinese telecom supplier Huawei. In the letter, Sir Tim said the practice raised “questions and concerns in London with regards to the treatment and process around meetings at 27 and 28 during the current extension”. The UK’s formal exit date from the EU has been extended to October 31. It means Britain is still a fully participating member of the bloc and UK officials still sit around the table to discuss the litany of EU28 policies on everything from foreign policy, the next EU budget, and defence policy.

When awarding the six-month Brexit extension in April, EU27 leaders and the UK promised that Britain would not disrupt the union’s long-term work and would abide by the principle of “sincere co-operation”. In practice, this means the UK votes with the consensus or majority on EU policies.

EU officials and diplomats have met without their UK counterparts when discussing matters explicitly relating to Britain’s withdrawal process and are allowed to exclude the UK from any talks under “exceptional circumstances”. But in his letter, Mr Barrow complained that Britain was given no explanation for being shut out of the technical meeting and the discussion of Europe’s approach to 5G security.

The meeting came weeks after the sacking of UK defence secretary Gavin Williamson following the leak of the UK’s strategy on Huawei to a newspaper. “The UK recognises of course that there are occasions when the 27 need to meet in the Article 50 format without us. The organisation of this has been done openly, and with proper process by the Council Secretariat, the Commission and by successive Presidencies and colleagues”, said the letter. The dispute highlights the likely problems the EU27 will face should the UK be given another extension as the bloc decides on sensitive issues like defence, cyber security and intelligence sharing.

Sir Tim denied in the letter that “UK involvement risked posing a threat to the essential security interests of the Union”. “In respect of the disinvitation to the meeting on 25 June, the UK has received no explanation as to the substantive reason for its exclusion. We are therefore unable to accept that the threshold for ‘exceptional circumstances’.” A spokesman for the UK delegation in Brussels said that “in this case it is not clear why the UK was not invited. We are seeking reassurance that this is an isolated case and that good process will be followed in future”.

More information can be found here.
https://www.ft.com/content/e9865874-aa41-11e9-b6ee-3cdf3174eb89

The basics of cyber security are still not being practized regularly and new cyber security risks are emerging as more and more untested technologies are integrated within the critical infrastructures upon which society depends, according to Applied Risk.

“We’re seeing rapid proliferation of new and untested technologies finding their way into Operational Technology (OT) that is controlling and monitoring crucial processes within our society, with data increasingly being transmitted from the OT environment for processing in the cloud.

“Despite increased awareness, new technologies are still regularly developed and deployed in a way that prioritizes speed to market and costs over key security considerations,” says Applied Risk founder and CEO Jalal Bouhdada.

“Cyber security can no longer be treated as an afterthought within industrial environments. By placing it at the heart of their culture, organizations can mitigate the risk of operational, financial and reputational damage and safely harness the huge opportunities of digitalization,” Bouhdada adds.

OT and Industrial Internet of Things (IIoT) security awareness has been growing, partly fueled by growing pressure from regulators across the world and increasing occurrences of cyber incidents within industrial facilities, according to the new report.

Major businesses including Google and Microsoft have co-committed £190 million to tackling major cyber security threats facing the UK.

Up to £117 million expected from private industry investment will be combined with £70 million government investment through its modern Industrial Strategy to develop new technologies.

These will range from new hardware prototypes and software for tackling online vulnerabilities.

The initiative aims to make the UK a leader in the global cyber security market, predicted to be worth £39 billion in the next decade.

(Fomer) business secretary Greg Clark said: “Digital devices and online services are powering more of our daily lives than ever before, from booking a doctors’ appointment to buying online shopping. While these devices and services bring great benefits to businesses and consumers, they come with the associated risks of cyber-attacks and threats that are becoming increasingly complex to tackle.

“As we move to a more data-driven economy, nearly all UK businesses and organisations are reliant on these digital technologies and online services – but the threat of cyber-attacks is ever-present, with more than 30% of businesses having experienced a cyber-security breach or attack in the last 12 months.

“With government and industry investing together as part of our modern Industrial Strategy, we will ensure that the UK is well placed to capitalise on our status as one of the world leaders in cyber security by ‘designing in’ innovative measures into our technology that protect us from cyber threats.”