{"id":426,"date":"2017-04-05T09:27:44","date_gmt":"2017-04-05T08:27:44","guid":{"rendered":"https:\/\/www.microsoft.com\/en-gb\/industry\/blog\/industry\/2017\/04\/05\/security-cloud-nhs\/"},"modified":"2018-09-07T02:55:05","modified_gmt":"2018-09-07T02:55:05","slug":"security-cloud-nhs","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-gb\/industry\/blog\/government\/2017\/04\/05\/security-cloud-nhs\/","title":{"rendered":"Security in the Cloud for the NHS"},"content":{"rendered":"

Security in the Cloud for the NHS – Current NHS cyber threat landscape

Welcome to the first blog of a new Microsoft UK Health series “Security in the Cloud for the NHS”. We understand you’re hearing a lot of things that make you nervous about moving to the cloud and meeting compliance standards. The UK healthcare industry has been the victim of ransomware incidents that have threatened hospital operations and the ability to provide timely care. According to Gartner, security concerns are still the biggest reason organisations avoid the public cloud. They hear about stolen patient records, breaches in security, and ransomware.

With this blog series, we want to raise awareness of the current security landscape and regulatory framework, and to explain our “protect, detect, and respond” approach to security threats. This is an industry-standard mind-set: it is the one we use to manage our platform operations, and we recommend it to our customers.


A lot of technology to protect information is readily available. Usually these protection mechanisms protect endpoints like devices or applications. But here’s the problem: most companies have already been breached—they just may not know it yet. Hackers can sit inside a company’s network for 200 days or more before anyone notices. Protection needs to be stronger across all devices and endpoints. You need stronger doors and stronger locks to keep the bad guys from getting in.

That said, even with protection, the bad guys can still get in. Then what? You need a way to detect intrusions. This is similar to putting up cameras to spot criminals breaking into your house. Detection, however, requires sophisticated resources—not just tools, but access to millions of signals plus the advanced algorithms and computing power to monitor them, interpret them, aggregate them, and report them as attacks are happening. Microsoft has machine learning capabilities built from our considerable expertise, experience, and research investments.

Finally, once an attack has been detected, you need the ability to respond very quickly, ideally in an automated way, to control the damage. For example, automatically recognising “impossible travel”—logging in from Stoke and then logging in from China an hour later—and requiring a second authentication attempt, with Multifactor Authentication enabled, before allowing access. Or, pushing a required update to users of your application after identifying a potential exploit during an internal penetration test.

Current UK cyber threat landscape

Figures from Get Safe Online reveal that a staggering £10.9 billion was lost to the UK economy as a result of fraud, including cybercrime, in 2015/16.

In the last four years, the rate of NHS cyber-attacks quadrupled. The Freedom of Information (FoI) investigation examined spending, defences and the manner of attacks. Despite the increase in cyber-crime, the report found that overall spending on cyber-security across the 75 trusts and foundation trusts providing this data had remained at around £18m since 2013. Meanwhile, cyber-attacks, such as ransomware, had increased from 1,565 reported cases in 2013/14 to 7,178 in the last financial year. Unsuccessful attempts, including hundreds of thousands of phishing attempts, were not included.

The Information Commissioner's Office (ICO) “Data Security Incident Trends” shows that the UK Health Sector accounts for the most data security incidents. A particular risk factor for incidents within this category is the use of “autocomplete” rather than typing an individual’s full name into the “to” field. Often, the sender of the email will not realise their error until alerted to it by the recipient. Microsoft's secure posture can help reduce the impact of these accidents.

Our commitment to trusted cloud

When it comes to customers feeling secure about the cloud, trust must be earned. Microsoft has made a deep commitment to trust that can be summarised in these 4 points:

  1. The first trusted cloud principle is Security. Microsoft cloud services are designed, developed, and operated to help ensure that the confidentiality, integrity, and availability of your data are completely secured.
  2. Next is Privacy. We believe that you own your data. You should be able to keep your data. Your data is not ours to be used. We want to provide all of our services while keeping your data private to you.
  3. We strive for Transparency. We want you to understand how we are running the services and how, and where, your code and data are used and stored. We want to ensure that we are as transparent as possible with all of that information.
  4. We also focus on Compliance. We work with regulators to make sure that we are in compliance with regulations such as GDPR.

At Microsoft, we are committed to empowering every individual and organisation in the world to achieve more. Working with organisations that span all the sub-verticals in health, Microsoft has made a deep commitment to earning your trust as an advisor in the healthcare industry.

This is why we are working with our partners and with Intel to conduct a Healthcare Security Readiness Programme to help your Trust to understand where it stands in terms of maturity, priorities and breach security capabilities, compared to the Healthcare industry across eight types of breaches and 42 security capabilities.

The Report

Together with Intel and our Partners, we are running a global program offering a complimentary and confidential Healthcare Security Readiness Programme.

These engagements involve a one-hour meeting (face to face or over Skype for Business) in which you will receive a complimentary and confidential report that shows how your organisation’s security compares with the broader healthcare industry. The readiness programme can be tracked to key regulations and standards, enabling participants to see how to address any gaps to help with compliance.

Some interesting trends have started to emerge from the 19 organisations that have already conducted the programme in the UK: