CS Sep-Oct 2021
health check
This has enabled individual organisations to work to a standard on one of two security information and event management systems: one medical device protection product; and one single sign-on product to give staff secure access to clinical and administrative systems.
"We have worked on our strategy and then we have moved to manage our supplier market and our procurement teams to buy in harmony with that," he adds. "Gemserv has supported both the policy and the business models."
FINDING THE GAPS
Cheshire and Merseyside HCP is better protected against a cyber-attack than it was five years ago; but the mantra of cyber-security is not to ask "if" a cyber-incident is possible but "when" one will occur.
The scenario-based exercise was designed to find out how ready the ICS is to deal with an attack; and whether IT leaders across the patch are clear about who will lead the response and how they should communicate with each other.
Before Covid-19 arrived, the ICS had been looking to run a physical event, but because of the pandemic it moved to Microsoft Teams. Five virtual break-out rooms were set up for organisational teams to use, and the scenario was fed to them.
As the event went on, the teams also received 'injects' of information to take the scenario in a different direction and test their ongoing responses. They got some 'good' news: the video didn't feature local executives and was instead a 'deepfake'. They also received some 'bad' news: one of the executives who had been deep-faked had also been spear phished. His email and that of his contacts had been targeted. A route was open for a ransomware attack.
NOT IF, BUT WHEN
Charnley says that on the day of the cyber scenario event, years of hard work in Cheshire and Merseyside paid off. IT teams were able to mount a more coordinated and coherent response to the Gemserv scenario than they were to WannaCry.
They also had better tools to use. However, the exercise showed there were gaps to fill. The area turned out to be short of some specific cyber-security expertise out of hours. There were still questions about how decisions would be made that were big enough to require sign-off from Government departments in London or the NHS's central bodies in Leeds.
It emerged that health and local authority incident response planners needed a cyber playbook to put alongside the playbooks they have for dealing with train wrecks, chemical spills or even nuclear incidents. Gemserv Health is now helping to write one, and when it is ready, Charnley wants to test it by running the exercise again.
"Gemserv told us that the military builds things and then attacks them," he says. "It costs millions of pounds. We don't have that kind of money, but we can learn a lot this way. I want to do this every six months - certainly every year - and I think every ICS should be planning to do the same.
"I'd definitely encourage others to follow this model and this approach. We wanted to work with an external partner, because it's easy to be insular or to play to your strengths in these exercises. Having an external view was very helpful. It gave us a lot of things to think about."
Paul Charnley, digital lead for ICS: no overarching response in place that was tested and ready to use.
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security