Protecting the NHS from cyber harm. How a new security operations centre in Dundee is working to thwart the efforts of global ransomware gangs
On a floor of the Annie Lamont building at the University of Abertay lies the ticking heartbeat of a cybersecurity operations centre (SOC) protecting the NHS in Scotland from online harm.
Spread over an open-plan office, a team of cyber analysts and engineers are quietly laying the foundations for a new era in cybersecurity to protect the nation’s health service.
Following the high-profile WannaCry ransomware attack on its systems in 2017, the NHS has made cybersecurity a top priority after the incident caused ambulances to be diverted and non-emergency appointments to be cancelled. Ireland’s health service – hit by ransomware in 2021 – was also left reeling by the experience.
The stakes could not be higher: globally, ransomware incidents have become more commonplace and business-like as gangs look to profit from the misery of others. Some ransomware groups have even specialised in targeting hospitals – calculating that their chances of payment are higher, given the need to keep critical systems online.
“This is a unique opportunity to take part in a space which is purpose-built for collaboration and themed around cybersecurity,” says Scott Barnett, head of information and cyber security at NHS National Services Scotland.
“We understand that that is one of the biggest challenges for Scotland PLC, certainly for the Scottish public sector, and certainly for the NHS in Scotland. Healthcare is facing into some unprecedented challenges, some of those are medical, some of those are financial. But also as we really push forward to try and solve some of those challenges, that involves the delivery of an ever increasing number of digital services.”
He adds: “So there is a greater reliance upon digital and digital capability across the health service. And as a result, you need to tackle the threats and risks which go along with that expansion of the digital world.”
There are 23 different health organisations within the NHS in Scotland, and Barnett is looking to instil a “cohesive” approach to the way they are defended from cyber threats. And it needed a focal point, hence the decision to base the SOC at Abertay University’s new cyberQuarter. The intention is also to give students studying cybersecurity courses at the university an opportunity to get some real-world experience of protecting critical national infrastructure.
Whilst the NHS may not compete with the salaries in the private sector, it can offer a “great environment” to work in, says Barnett, and the team is looking to grow to around 25 to 30 people in the near future. The SOC has been officially open since July last year, but the ‘formal launch’ took place in December; it was relatively low-key and the emphasis is on a sustainable and scalable approach to developing the centre. For now, it is focused on providing cybersecurity services to a core set of health boards but Barnett says the aim is to grow the centre’s capacity “organically” over time.
But has it already stopped any network intrusions?
“I can’t go into specifics but the health service in general is always at threat mainly because of the sheer size of the workforce. And also our presence online means that inevitably, we will come across malicious events, some of which are not directly targeted at us. So there is a general cyber threat out there, which essentially equates to the fact that if you are exposed to online services, then you are exposed to some of those threats,” says Barnett.
The challenge of managing that risk is becoming harder. Barriers to entry for ransomware have lowered with the advent of the ‘as-a-service’ criminal model and more powerful computing capabilities in the cloud. The use of widely available artificial intelligence platforms such as ChatGPT is also proving attractive to hackers. Cybersecurity firm Check Point recently conducted research which showed how the platform can be used to conduct spear-phishing attacks and run shell commands. “There are already first instances of cybercriminals using OpenAI to develop malicious tools,” the company said in a blog.
Barnett agrees: “Computing devices are becoming more powerful with more cloud-enabled services, which is fantastic from a business point of view, which we are keen to exploit. But they also provide the capability for criminals to use those services for malicious purposes.”
“For me, it’s about understanding that threat level, understanding the tools, the tactics, the procedures which criminals employ, and then making sure that we have got the right controls in place to stop the majority of those attacks.”
“It’s a well-worn fact in the cybersecurity industry now that no organisation is immune, sadly, as our systems are so complex. There are so many million lines of code in any standard application, that inevitably there will be vulnerabilities there. So criminals are always looking to exploit those.”
To that end, a large part of the SOC’s work will be focused not just on threat monitoring and logging network events; it will also proactively look for vulnerabilities in the network. Barnett stresses, however, that the role of the SOC will not be the application and deployment of technical controls, as that will be done by individual boards themselves, or by the cloud engineering and operations team within NHS NSS.
He is keen, too, to work with students at Abertay to help them with their project work and also potentially even use their experience of working in a SOC environment to develop new cybersecurity products and services.
“If it provides an opportunity for them to become a startup, or spin out as a private organisation or enterprise, then, you know, that would be great. That would be fantastic,” he adds.
Innovation is already on the agenda. Barnett is working with a company called Cylera which specialises in cybersecurity for connected medical devices. In a pilot project with a Scottish health board, the company has been able to scan the network and discover over 100,000 connected devices. Not all of them were medical, but the project has given a stark illustration of how, in future, health boards might be able to determine their cyber risk levels by looking at a holistic picture of what is connected to their networks, and where potential vulnerabilities may lie. In this particular case most of the connected devices were not posing a risk, and their firmware was up to date, but there were a couple of instances where software patches were required from a manufacturer of health equipment.
So would Barnett look to roll out that kind of innovation on a wider scale?
“Yes, definitely. The idea is that we would want to have a Scotland-wide view,” he says. “Now, my team sitting in the cyberQuarter don’t need to know about 140,000-odd devices in one hospital. But what they would like to know is what are the most vulnerable devices in Scotland that are flashing red, maybe, because intelligence tells us that there’s been an attack on that type of device elsewhere in the world.”
Not to be alarmist, but the risks of such IoT-enabled attacks are potentially devastating. In the US, the Food and Drug Administration raised the prospect of medical devices such as pacemakers and insulin pumps being targeted by hackers last year. Fortunately there have been no such instances so far, and the risk was assessed as ‘low but not zero’ by the agency.
The case study Barnett mentions is just one health board, but he hopes in time there will be many more, where the SOC is able to prove its worth in identifying cyber risks, and dealing with them at a more joined-up, national level. He would also like to be able to help organisations to recover more effectively and quickly from any potential breaches. There was an example last year where NHS NSS helped a third-party, private-sector software supplier in England during a four-month process to recover from a cyber incident. The incident was fortunately not within NHS systems themselves, but it illustrates the complex supply chains that exist around software, and the risks inherent in the way digital services are now delivered.
The SOC therefore could not come at a more critical time. With cybercrime trending upwards, with ever more services becoming digitised, the work that happens behind closed doors in the Annie Lamont building in Dundee will become a vital link in the chain protecting our most cherished institution from online harms.