
Cyber threats are relentless, but so are we!

This episode explores the importance of NHS England’s Cyber Security Operations Centre.

NHS England’s Cyber Security Operations Centre (CSOC) is dedicated to the mission of protecting the NHS’ infrastructure across England, which encompasses around 2.1 million devices (including laptops, desktops, servers and other equipment), 2 billion firewall transactions, and 200,000 network events each second through the health and social care network (HSCN). 

Our infrastructure holds potential access to millions of pieces of patient data – essential for front line workers, and valuable to malicious actors hoping to disrupt or profit from the NHS.  

In this episode, we take a deep dive into CSOC’s dramatic evolution, discussing how they’ve introduced a range of innovative tactics to always stay one step ahead of the growing cyber threat.

Transcript: Cyber threats are relentless, but so are we!

Mike Fell, NHS England:
Hello and welcome back to The Cyber Sessions podcast. I'm your host Mike Fell and I'm the Exec Director of Cyber Operations here at NHS England. And today I'm really pleased to be joined by some colleagues from the cyber security operations centre.

Cyber threats are described as relentless, but also, our security operations centre really is the beating heart of security across the NHS, with a mission to protect the NHS’ infrastructure across England, which encompasses around 2 million devices, 2 billion firewall transactions and 200,000 network events each second through the Health and Social Care Network. So we're going to start with some quick introductions before we get into the detail of today's conversation. Ryan, would you like to introduce yourself first?

Ryan Lee, NHS England:
I'm Ryan Lee. I'm the principal of threat operations, which is responsible for the threat hunting and threat intelligence functions within the NHS England CSOC.

Mike Fell, NHS England:
And Anna?

Anna Evans, NHS England:
Hi, my name is Anna Evans. I'm a senior threat hunter in the threat hunting team within threat operations. So I'm working across all of the CSOC’s monitoring tooling to do proactive detection of cyber threats and sort of help out organisations with the response.

Mike Fell, NHS England:
And Peter?

Peter Robinson, NHS England:
Good afternoon, my name is Peter Robinson. I'm one of the deputy regional security leads. I primarily focus within the Midlands region, supporting all the NHS organisations within the Midlands but also supporting nationally as well, being the sort of conduit between the local organisations and NHS England cyber operations. 

Mike Fell, NHS England:
It's a real pleasure to be able to speak today about a really important function here in NHS England. I've spoken of the security operations centre already, but for those that aren't familiar with some of the language that we're using in this, Ryan, can you say a bit more about what is a CSOC and why do we need it?

Ryan Lee, NHS England:
Yes, so the CSOC is a reactive capability to cybersecurity threats that appear across our healthcare sector. The CSOC is predominantly focused on national services, so a kind of service-orientated model where organisations onboard their infrastructure to our monitoring capability, and then we have approximately 100 staff now that are providing levels of capability to that service. So that could be responding to alerts on people's computers, on people's devices; that could be responding to alerts on people's mail systems or emails and taking actions to make sure that that system or that piece of information is safeguarded in the event that an attacker tries to compromise that capability. 

Other things that we provide services for are security capabilities to stuff like the Health and Social Care Network that Mike mentioned. So the east to west traffic that we see between hospitals, trusts, suppliers, people like that. NHS applications which the public use day in day out. We're monitoring any kind of abnormal activity on those platforms and able to take a stance on that if we see something that deviates from the normal pattern of usage. And that's to make sure that those systems stay up and available so that the public are able to use them all the time.

Mike Fell, NHS England:
And that's the critical part, isn't it? We've got, you know, over kind of 250,000 outpatient appointments every single day in the NHS and over 850,000 people are visiting GPs every single day. And I think that's at the heart of ultimately why we're doing that, isn't it? To make sure those services do remain available as people expect. Again, turning to some of the language that we use in this, your role is all about threat and it's quite a kind of militaristic language and that, but why is being threat-led so important in this space? 

Ryan Lee, NHS England:
I'll start with my kind of high level speech and then let Anna speak to what that means in actual application, actually being that front line defender that goes and does those things, but for me threat-led is important because we operate in a business of risk.

So we are trying to assess what kind of risks are to our business and the business outcomes that we're trying to achieve. Healthcare is an availability sector, right? We're here to make sure that we provide healthcare to those patients and enable those frontline workers to do their job. That's ultimately what we're here to do, and by being threat-led, we're able to inform. So you've got risk across the board, whether that's from strategic decision makers.

What should we be doing to make sure that system is able to stay up and cater to that need? And what we want to do is be proportionate to the stuff that we do, so make sure that we're spending money correctly on protecting that system, make sure that people's efforts are looking at the right things for us. And if you have a generic response, then what happens is you're trying to cater to a broad line of defence, whereas we know that what's important to us is to make sure people's data is safe and that people are receiving their care. So we can tailor and go, well, these are the threats that are to that level of risk, and we can make sure that we are concentrating all of our resources, which is really, really important.

To something as big as the NHS is, we're focusing our resources on the right things to make sure those business outcomes are delivered and that people's information is safely secured. And we're ensuring the public that we're doing the right service. So by being threat-led, we can be more informed, more pointed to the thing that actually would target us and try and achieve their kind of attacker goals.

Now that's my high level spiel and I think from a more on the ground kind of than what that actually means in a CSOC fashion, I think it's being proactive and making sure that our detections and our capability and our more pointed alerts and stuff like that are targeting things that are a threat to our platforms. So we know that that type of bad actor would be targeting the NHS to try and do these things and what we can do is make sure that we respond even quicker and more active and ultimately then enable us to then do more proactive steps. So can we stop this happening before it even materialises on that platform? So we move from that reactive stance to that proactive stance of right, we're going to invest in this line of defence because we can then stop that threat from getting in.

Mike Fell, NHS England:
And Anna, as somebody kind of with one of the best kind of best termed roles, threat hunter, in the industry, what does that feel like on the ground when you're actually doing it? We talk about intelligence, which gives these kind of like nation state-like spy kind of terminology, but what Ryan's just described there is actually a lot more practical and very, you know, countries apart from that. So what does that kind of intelligence-led approach mean in practice on the ground?

Anna Evans, NHS England:
Yeah, and it is a lot more practical and a lot less exciting I think when you break it down because the term is brilliant, but yeah I think it is what Ryan is saying about focusing the effort in the right places.

I think the way that everything is set up with the NHS, we have like a very unique risk profile. You know we have things configured in certain ways and systems that are more critical than others, which means that you know we can expect to see specific attack patterns. We know we're vulnerable to specific things and making sure that we have intelligence that is kind of directing our efforts in the right places.

We're looking for the right things, we're not spending too much time and effort on things that might be a risk to another organisation but aren't necessarily a risk to us. And it's a buzzword that's going to keep coming up, but it's all about being proactive I think. So you know, the faster that intelligence can come in and sort of be assessed for its relevance to us, and then the threat hunting team and the CSOC in general can react to it, we're kind of staying ahead. Coming back to that relentless point, right? We've got to be reacting to that as quickly as it's coming out, as quickly as attackers are changing up their patterns, as vulnerabilities are being disclosed, that type of thing.

Mike Fell, NHS England:
Yeah, I think the things that you mentioned there I think are really at the heart of this, and I think why we've got the group of folk that we've got together today. You mentioned there about the unique way in which certain things are configured because of the health nature. You know, there's connected medical devices which are doing things that are unique compared to other sectors. And I think the point you're making is that intelligence is about understanding the context of things, which I think Peter, that's kind of where your role really comes into its own, isn't it?

So as somebody that works, that's worked previously in the CSOC but now works more in the regions and close to the front line. Why is that unique understanding of health as opposed to, the finance sector or any other sector that tries to protect itself? Why do you think that's so important to have that understanding about how things are used on the ground?

Peter Robinson, NHS England:
Yeah, it is absolutely essential and it is a fundamental part of our operation essentially. So the privilege of my job is I get to speak to local people on the ground in the Midlands. I find out their priorities, their worries, their issues, and then that gets heard at a central level and we make sure that's feeding into the national cyber operation. But also to speak to the impact as well. So you know, at the end of the day we're all here to improve patient outcomes, to better protect the NHS, and to ensure that those local people are protected. And the best way we can do that is to speak to each other. There's a lot to be said for the personal relationships we have with the ground, and making sure that those are heard at central level and we're able to communicate in a really efficient way.

And the regional leads as a team are really good at bridging that gap to make sure that, you know, the threat team, the CSOC, have all that intelligence and all of that really critical insight. Because it's the most important, because at the end of the day it's people's lives that are at risk if this goes wrong, and we need to make sure that we are the most prepared, and you know the best people to speak to about that are on the ground in terms of the clinical aspect: making sure that you know what software people are using, what they are vulnerable to, what they are worried about, and how it's configured locally, and then feeding that back into the centre so we can then best support the entire system. So absolutely, without that bridge, without that gap, we would be so limited in what we could do, and in that defend as one capability as well as making sure that we're all in this together as the NHS as a community, making sure that we're able to better protect them all.

Mike Fell, NHS England:
Great, and you know in the spirit of trying to get for the listeners some manufactured tension into the conversation amongst the group of people I think or believe in what we're doing here, I'm going to play it back to you, Ryan, here about you know, does what Pete's saying stack up? Because as the like artificial villain in this conversation, I see you and your team sitting in a secure enclave behind locked doors and doing all sorts of funky things that are way beyond my level of understanding using the intelligence that we've spoken about and the capabilities. And then I'm hearing Pete say actually it's all about the visibility on the ground on that. How do we, in your mind, how does that work in practice?

Ryan Lee, NHS England:
Yeah, I think with the NHS, we do things our way. Like a lot of things, we're kind of tailoring and developing. Actually, threat hunting might work one way for one business and it might work another way for the government sector, but the NHS it’s a very unique beast, right? Not many people have 2 million users or 400 organisations to defend. It's just not a thing like on our scale, and you go to our partners and they go you're the biggest in the world, one of the biggest employers in the world, and our technology is one of the biggest outreaches in the world. So we do things our way, right?

And that community thing which Pete spoke around, like being there present to the organisations, I think it's really important because the NHS like to do things as a community. Respond to the pandemic as a community, as one, and community and defend as one for me ring true together. I think it's part of our mission to enable that really shiny pointed threat hunting capability that we've got within the CSOC and have it reach those local defenders and those organisations, those local cyber security managers that people might just see in the hospital doing their thing, and integrate together so that together we can tackle those threats.

And I think that's the important next leap for the CSOC, right? Is we're behind this closed door in this, fighting these really sophisticated threats that do want to do harm to our country and to our healthcare system. And people like Anna are absolutely smashing it tackling that every single day. But what's important is that proactive bit we spoke about is actually how do we stop that attacker getting in again at a different hospital? And I think the community learning from each other, learning from these experts in the centre and working together to go and tackle that threat is the really important bit.

And I think that's why the job like yours is really important Peter, and the job like Anna’s is important, and working together with the entire system with all the people out there is really important to kind of tackle that threat like we did other medical threats such as the pandemic.

Mike Fell, NHS England:
And help me out Anna here in my search for some artificial kind of drama to it. Does that, is that what it works like between yourself threat hunting and using the kind of hub and spoke model with regional leads? 

Anna Evans, NHS England:
Yeah, I mean I think you know at times there's some disconnect. I hope you're happy with that. At times there's some disconnect I think because you know we can see something, we can think we've found a perfectly reasonable solution to mitigate it, and then you know the regional leads will work with us to communicate with the organisation and there is a very good reason why they can't implement that. You know it's a critical system, they can't afford the downtime because it's delivering some really important piece of care.

So having the regional leads there, we have that kind of national oversight, but these organisations have the local insight that is completely needed. Because we can sit here and be like, you know we've got a perfectly reasonable piece of advice for you here, but there's also a perfectly reasonable reason why that can't be implemented or you know that we've got to come up with another solution. And those solutions are only arrived at by actually speaking to the organisations themselves and that's what the regional leads are there for.

Peter Robinson, NHS England:
Exactly, I've got an example of that as well. So it's a little about operations, but in terms of things like multi-factor authentication, from a cyber professional's point of view it's "have MFA enabled on all your accounts", because it's a great mitigation against cyber threats in terms of account compromise. But in a hospital setting that's completely different. You know you have wards where they can't have phones for MFA, or other settings where it isn't feasible to use that. So it's working that difficult issue of okay, how do we become cyber secure, but how do we do that in a healthcare setting?

And it's the only way that we're going to tackle that, when we come to these conflicts of the clinical risk (we can't do that) but also the really bad, really severe cyber threat that we do face nationally. Like the only way that we're going to solve that is through these conversations and then voicing, almost from the region point of view, advocating for the ground and saying look, you know we appreciate what the SOC's, you know what this measure is, but it can't be done in XYZ, so let's work together to find a way that we can become cyber secure and also meet the clinical requirements that we need to meet as well.

Mike Fell, NHS England:
Yeah, and I think you know it's unique about the setup of that having that kind of model that really has, you know we talked about intelligence earlier, that's true intelligence with a little 'i' - the understanding of what's going on on the ground and actually why an ivory tower model of "here's the answer" isn't going to work, particularly in something that is ultimately over a million and a half staff, 200 plus different NHS trusts with all of their own local kind of business practices, working practices, clinical needs, technology stacks, all of that. So I think it's a really unique kind of approach to it. 

I'm going to pivot now a little bit because hanging off that, you know there's always a tension between efficiencies and doing things once and then those local solutions.

And the new administration are very clear about pushing things down to local decision making where possible because typically you know best decisions are made closer to where risk realises, which is inevitably quite often not in national teams like ours. But at the same time, you know the Darzi review recently talks about moving from analogue to digital which leads you to kind of the needs of interoperability, the needs of public trust to make sure that the digital solutions are available, trusted and there when they need to be. That brings me to the thought about what national services we do deliver against that context of it's not always the right thing to do it once. Peter, I know that we do a huge amount of things from what we call the CSOC, but there's a lot more than just the kind of technical monitoring and threat hunting capabilities. Could you talk us briefly through actually what are all of the services that are available to people delivered through cyber operations?

Peter Robinson, NHS England:
Yeah, absolutely. There is a whole plethora, almost an a la carte menu, of so many operations and so many services that are delivered nationally, and it isn't just the technical as you've described. So going into sort of the non-technical side, we have so much training available that people can use. We have Immersive Labs licences nationally that anyone from the NHS can sign up to, to get cyber security training, not just for cyber professionals but frontline training on cyber awareness as well.

You have things like our cyber incident response exercises that you can use as well, so that's building upon the NCSC's Exercise in a Box, but there are 7 specific healthcare scenarios ranging from what happens if an incident happens at a GP surgery right the way through to an ICS-wide level cyber incident. And these are there to test the resilience of BCP plans, essentially specifically looking at cyber. And what we've seen, when we've run these nationally, is that cyber is a clinical and business risk, and it helps to test and exercise those plans and help them come up with improvements as well.

And we do so much as well on the people side. So we have our mentoring scheme nationally as well that people can sign up to, to get NHS mentoring through cyber, as well as our Cyber Associates Network that aims to bring people together from different backgrounds to speak about the real issues of cyber security and bring them together to tackle those issues as one.

Mike Fell, NHS England:
Amazing, and I think you as you talk through those, obviously they are centrally funded. These are things that are available to people in the NHS, organisations in the NHS trust at no cost, no direct cost to them. In some cases obviously there's technical implementation ones as well as the training and the awareness. We do offer the technical solutions, but I think that's a really helpful kind of overview.

And I know that quite often as we help organisations that have suffered some of the pain of cyber incidents, the realisation that there are these kind of platform capabilities available is a really important one and something that I know that we invest in making available and will continue to do. Not just because of the efficiency of doing something once, but in many cases because of the benefit of consistency or of bringing all that information together in one place. So thank you, and well done for remembering so many of the great services available as well.

Given that we've got the opportunity for a plug, hypothetically if any organisation heard of one of those things and thought actually yeah we want a bit of that, how is it that they would go about it?

Peter Robinson, NHS England:
Yeah, for sure. So often the term is "speak to Regional Security Lead" and that is absolutely one thing you definitely should do. So every single region within the country has a regional security lead. I'm privileged to be part of the Midlands region, but every region does have one and they're often a really good front door because they can offer that almost consultancy side of things and so work with you on your local security posture at the moment and then how can we, with our operation and our services, how can we complement what you've already got locally, how can we better serve you as an organisation? 

So that is a really good front door because it's that people side as well. It's that working with them on a jumping on a call with them or even meeting in person to go through that at a local level and to make sure that giving the services and the ability to say what can we help you with.

Our website is also full of all our services as well, split up into different sections as well. And for people into IG they're all CAF-aligned to our DSPT so it can also meet your compliance regulations as well. And yeah, the two ways I'd suggest: our website, our front doors, but also come speak to us because we love to - we take a lot of joy in speaking to people about our services and how can we help you, you know, reduce your cyber security spend but also be part of a national solution that's fantastic, in my biased opinion, but yeah.

Ryan Lee, NHS England:
I think it's important also to shout out to our service managers that across the business we've got. For example, the HSCN team - speaking to them and thinking about well, if I use a national service, a lot of the security is baked into it, a lot of the CAF outcomes, DSPT, all those things have been done on their behalf. And I think the shameless pluggers of all - the ideal world for me is as much as we can do nationally. I know the reports obviously focus locally, but if we can, as much as we can help nationally and then help the local people focus on their risk and harms to them and spend that money wisely on local controls for local kind of mitigation.

So I think shouting out to the HSCN teams where possible, being on the NHS Mail system, then all your NHS mail platforms, all your NHS mail workflows are going to be protected by us. And it's a robust level of service we're offering to those national systems such as threat intelligence, threat hunting, risk management, and loads and loads of controls to make sure those platforms are safe. So I think also yeah, speak to your regional leads about the whole picture, but also speak to your national service teams about "oh actually, what are you doing to secure this and what cyber security monitors are in place?" I think it's really important.

Mike Fell, NHS England:
Yeah, and I think arguably it's that which better-branded vendors might refer to as a platform offering. It is ultimately what we're doing there. It is that platform of the holistic bits that it doesn't necessarily answer every question for every person, but I absolutely endorse what you're saying there Pete as well about it being a conversation.

And I'll use that as my hook in to say you know there was a good few acronyms around there. With that, so IG being Information Governance and the DSPT being the Data Security Protection Toolkit, which is the framework, the self-attestation framework that we use to help people identify where the gaps are. And guess what? Many of these national services immediately answer those bits.

We also referenced another one, the CAF, the Cyber Assessment Framework. The NCSC - this is acronym soup today isn’t it - The National Cyber Security Centre's framework for looking at security outcomes, which we are now strategically aligning our DSPT, the Data Security Protection Toolkit, into. Which takes us into the territory, I think, of strategy. And as the person on the hook for setting the strategy of, you know, deeply, people-driven technical solutions that are aiming to meet national needs but local capability and local solutions where necessary, I'm really interested in what might be a tricky conversation about your thoughts on what you think the future looks like for the cyber security operations centre. So who wants to kick us off?

Anna Evans, NHS England:
Yeah, I'm happy to go for it. I think for me it kind of comes back to the point that Pete touched on earlier about keeping that relationship between the local organisations and then us as the national CSOC sort of as strong as possible. I think sometimes it can feel like the CSOC is engaging with local SOCs on what can be like the worst day of their year. I think it would be brilliant to see more engagement just in the sort of day-to-day and more opportunities to learn from them because every time I have a conversation with someone, I realise something that I hadn't realised, something new about the way that the NHS works, something about how their systems are configured that's incredibly important.

And I think, you know, within threat hunting and within the detect and respond team, such a critical thing is knowing what normal looks like. And I think every time you go and have one of those conversations with a local SOC analyst or someone who works in cyber within a trust, you're getting a better understanding of what normal looks like, which obviously helps you to spot when something is completely out of the ordinary.

Mike Fell, NHS England:
Yeah, and I can't be more proud of being surrounded by people who day in, day out are dealing with people who it is the worst day potentially of their career when they get a phone call or an email from yourselves. Very much in a supportive bit, but I think it's absolutely right that kind of personal nature of it. That yes, there's deeply technical solutions and technical work to be done, but it's all been driven by that and we see in successful incident responses the importance of those interpersonal relationships. Which is something it's probably harder to do strategically than say that we're going to go out and deliver this and change this and that. But I think you're absolutely bang on that it's a people sport. What else is there then?

Peter Robinson, NHS England:
Yeah, I mean I'd just touch on what Anna said there. I think I just come back to when I was a SOC analyst for a few years, and it was just seeing alerts come through and your stomach turns a bit because you see something and you know it's bad and you know it's going to lead to something a bit bigger. But then that's when you sort of step into gear with the role that we have, and we're able to support those local organisations to ensure that they're able to respond to that as quickly as possible. And you know that's where the real reward is, to be able to help them, help the local organisations become secure from that threat.

And in terms of the future, I think for me, I often talk about the defend as one. That's one pillar in our cyber security strategy for 2030 and it's - I see when I was in the SOC, seeing custom detections being made at one organisation and then within 45 minutes everyone in the nation being protected from that same threat.

And for me as a regional lead, what I love to speak about is the adoption of central services. It's having those conversations, and I want that to get bigger, to have more conversations like that to ensure that - also to hold us to account as well. Like you know, we're not going to sit here and pretend like we're perfect. You know, we're not in that position where we have everything or have all that knowledge. That's why we need that support from the local to ensure that we're doing everything within our gift to support them and to make sure that we're doing right by those organisations. So I think for me it may be a bit more of a boring answer, but it is more of the same: to continue having those conversations and getting that feedback to ensure that we're delivering the best service possible for patient outcomes at the end of the day.

Mike Fell, NHS England:
Yeah, and that continuous improvement element that you were touching on there about, you know, as you say I think there's an analogy there between the junior analyst that is fearful the first time an incident comes in. The way that you get around that is not dealing with each incident as though it's the first, it's the repeatable processes, the documenting it and improving with it. What else is there Ryan? 

Ryan Lee, NHS England:
I'll challenge you because I said I would publicly. I'll come back to your analogy of the beating heart. You said the CSOC's the beating heart of the NHS and provides cyber security services. Well, obviously the heart is there to pump blood to everything, and I think that the strategy for the future needs to be how do we get this thing that we've seriously invested in - quite frankly, the people with me are the experts on cyber threats to healthcare globally, not just nationally, not just the UK. We are one of the global leaders in threat hunting and detection and response and stuff like that. And any vendor you go to speak to, we are like - no one has as many medical signals as we do.

And I think it's getting that to the rest of the system. We see two million assets, we talk about two million users, there's five million assets out there. There's connected medical devices. How do we get all of our threat intelligence to the entire system? How do we get that lens over everything so we can help support those local risks and local defenders more? I think that's the future - it's how do we get that blood to everything and defend it. And it's a big challenge that might land in your plate.

Mike Fell, NHS England:
Yeah, and we love a good analogy and I think that is the perfect one, isn't it? I'd never thought about it in that way, but yeah, the beating heart, and I like that the arteries, the veins, they need to connect every part of the body, and I think that's the opportunity with this, isn't it? And we talk about the importance of onboarding to national services. We see time and again where actually national services or the deployment of foundational controls, like the multi-factor authentication Peter was talking about, time and again we see that that could have actually helped with things.

So I think strategically, you're maybe not getting the artificial argument that you might be wanting on that. I do think yeah, we need to - and again my medical metaphors are not powerful enough but I'm sure that there are surgical procedures that can be undertaken either invasive or non-invasive to like open up those channels. And I think yeah, that's a really good steer as we kind of go into the spending review period that starts to look to the future.

So that you know, as the Darzi review kind of highlights that move from analogue to digital can be done in a way in which everybody has the trust, whether it be clinicians or whether it be the public, has the trust that they deserve in those digital solutions.

Great, well look guys, thank you. It has been an absolute privilege and a pleasure to spend a bit of dedicated time speaking to you all individually about the amazing things that you do, that I don't always get enough time to actually do and I certainly don't get enough time to just praise you for that and thank you personally.

For all of it that goes into all of those services that we've provided and, you know, let's bring it back to where it started off here. There are 38,000 calls a day to ambulances from people that are again having one of the worst days of their lives, and without the hard work that you're doing, that isn't going to be maintained. There are more than 30 million people a year that are using the NHS app, and increasingly, for anybody that's used it, you'll see the increasing capabilities in there and the agility to not have to sit on the phone and wait to ring your GP on a Monday morning when you want to. If you can just go on the app whenever you want, the work that you all do is absolutely critical to maintaining those, making it available, and all of that comes around that.

So with no further ado, thank you again for the really good conversation. Thank you to all the listeners for joining us all today. Please don't forget to subscribe and follow wherever you get your podcast from so that you don't miss out on future episodes of The Cyber Sessions.


Last edited: 7 February 2025 2:12 pm