Weekly podcast: US Defense Department, MOD and NHS

This week, we discuss data breaches at the US Department of Defense and the UK’s Ministry of Defence, and the cost of WannaCry to the NHS

Hello and welcome to the IT Governance podcast for Friday, 19 October. Here are this week’s stories.

The US Department of Defense is investigating a major third-party data breach in which the travel records of military and civilian personnel – which included their personal information and credit card data – were compromised.

According to an anonymous official interviewed by the Associated Press, “the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues”.

Lieutenant Colonel Joseph Buccino, a Pentagon spokesman, confirmed that “a single commercial vendor that provided service to a very small percentage of the total population” was hacked.

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” he continued.

No other details were made available and the vendor was not named.

Cyber security will be much on the minds of Defense Department staff: last week the US Government Accountability Office published a report that warned of weapon systems’ vulnerability to attacks, and criticised the Pentagon’s laggardly approach to identifying and closing security gaps.

Still, this breach is at least relatively minor compared to previous incidents. US listeners especially will doubtless remember 2015’s data breaches at the Office of Personnel Management, in which 21.5 million former, current and prospective federal employees saw their personal information compromised – including those in the Pentagon.

Cyber security is a concern for all governments. Here in the UK, Sky News’s Alexander Martin reports that the Ministry of Defence suffered 37 data breaches last year, in which it “and its partners failed to protect military and defence data”.

According to heavily redacted MoD reports obtained by Sky, these incidents included “defence information being left unprotected to foreign states’ surveillance of internet traffic”, “computer peripherals which hadn’t been checked for espionage malware [being] connected to classified systems, […] devices, documents, and rooms […] left exposed to unauthorised parties on multiple occasions”, and incidents in which sensitive equipment was taken overseas.

The MoD declined to “publicly confirm details of the breaches beyond their existence”, however, as it would “be likely to increase the risk of a cyber attack”.

It said: “The MoD takes the security of its personnel and establishments very seriously but we do not comment on specific security arrangements or procedures.”

Sticking with the public sector, the Department of Health and Social Care issued a report last week that set out the progress it’s made in its efforts to improve the health service’s IT infrastructure in the wake of last year’s WannaCry ransomware outbreak, which affected 81 NHS trusts, a further 603 primary care and other NHS organisations, and 595 general practices.

According to the report, the cost of WannaCry to the NHS in terms of lost output and IT support was £92 million, the vast majority of that figure – an eye-watering £73 million – covering IT costs.

Much has been written about how woefully underprepared the NHS was for the attack – including a National Audit Office report, which noted that the Department of Health (as it then was) was warned “that cyber attacks could lead to patient information being lost or compromised and jeopardise access to critical patient record systems” a year before WannaCry.

As part of its response, the Department signed a deal with Microsoft this May to upgrade the NHS’s IT estate to Windows 10 as part of a £150 million investment over three years to bolster its defences.

However, plans for all NHS organisations to achieve Cyber Essentials Plus certification, as set out in February’s Lessons learned review, seem to have been cut back: last week’s report states that only 10 “accelerator sites” would “aim” to achieve certification by March 2019.

The reason for this delay is given in the Health Service Journal: NHS Digital is apparently reluctant to spend the £800 million to £1 billion required to bring the NHS up to standard.

According to documents released to the journal under the Freedom of Information Act, although NHS Digital “believes using [Cyber Essentials Plus] as a benchmark is useful, getting all providers to accreditation would not be value for money”.

NHS funding is, of course, a political issue, and for each person who understands the value of technology to the service there is another who asks why trusts should spend money on computers rather than nurses.

However, when you look at the costs, it should be perfectly clear that for information security – as well as healthcare – prevention is better than cure.

Talking of prevention, here’s your weekly reminder that data breaches are such a regular occurrence nowadays that it’s downright reckless not to prepare for them. If you want to assess how ready your organisation is – compared with the ICO’s breach reporting requirements – and learn about the steps you can take to improve your security, why not take our free breach ready test? Simply answer a few questions and we’ll email you a detailed report, providing advice on the next steps to take to better prepare for a data breach.

Visit our website and take the quiz now.

Finally, I asked last week whether anyone objected to – or had any particular opinion about – our admittedly rather idiosyncratic theme tune. I was delighted beyond measure to receive several responses. I’ll leave the consultation period – if I can call it that – open for another week in case anyone else wants to comment, and we’ll decide whether to change it next week. If you don’t know what I’m on about, listen to the beginning of last week’s podcast.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.