NHS trusts ‘complacent’ on cloud app security risks

Almost half of NHS Trusts make no attempt to monitor cloud app usage, according to the results of a Freedom of Information request. The same FOI by cloud security firm Netskope also revealed that fewer than one-fifth of NHS Trusts have visibility into all cloud app use, leaving sensitive data vulnerable to both risky apps and …

  1. Anonymous Coward

    sounds about right

    At this particular NHS trust, all you have to do to access whatever the hell you want on the internet is to go to internet settings and untick a few proxy-related boxes; it then appears you can walk around the proxy, unhindered by "Smoothwall"™.

    Reminds me a bit of that toll booth they set up in the middle of nowhere in "Blazing Saddles" to slow down the enemy hordes.

    Although, to be fair, OneDrive doesn't seem to be working anymore; they might have blocked some ports or something more locally. Gimme a couple of days on that one...

    1. Halfmad

      Re: sounds about right

      Smoothwall can be put in as a transparent proxy if you want; that way it doesn't matter what proxy settings the browser has, it goes through Smoothwall regardless.

      Users shouldn't be able to disable the proxy though if group policy is doing its job.
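      As an added illustration of the group-policy point (this script is not from the commenter or from Smoothwall), the following PowerShell audit checks whether the two Windows policy settings that stop a user unticking the proxy boxes are actually applied on a workstation, and shows the proxy the current user is effectively using. The registry locations are those written by the "Prevent changing proxy settings" and "Make proxy settings per-machine" administrative templates; the function names are this example's own.

```powershell
# Added audit script (not the commenter's code): reports whether the two
# policy settings that stop users walking around a configured proxy are in place.
# Assumed registry locations (from the Internet Explorer / Windows ADMX templates):
#   HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel   Proxy = 1
#       ("Prevent changing proxy settings")
#   HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
#       ProxySettingsPerUser = 0 ("Make proxy settings per-machine")

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: the policy has not been applied here
    }
}

function Test-ProxyLockdown {
    $lockUi     = Get-PolicyDword 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' 'Proxy'
    $perMachine = Get-PolicyDword 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' 'ProxySettingsPerUser'

    [pscustomobject]@{
        ProxyUiLocked      = ($lockUi -eq 1)
        ProxyPerMachine    = ($perMachine -eq 0)
        # Both settings are needed: a per-user proxy with an unlocked UI is what
        # lets someone untick the boxes and bypass the filter.
        UserCanBypassProxy = -not (($lockUi -eq 1) -and ($perMachine -eq 0))
    }
}

# Effective proxy for the current user, so an auditor can spot a machine
# where the boxes have already been unticked.
function Get-EffectiveUserProxy {
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnable = [bool]$p.ProxyEnable
        ProxyServer = $p.ProxyServer
    }
}

Test-ProxyLockdown
Get-EffectiveUserProxy
```

      Run it under the user's own session (the HKCU values are per-user); a result of `UserCanBypassProxy = True` on a managed desktop is the gap the commenter describes, and the fix is the group policy, not the script. A transparent proxy removes the dependency on client settings altogether, which is why Halfmad's first suggestion is the stronger control.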

    2. Anonymous Coward

      Re: sounds about right

      Sounds like there should be a few vacancies going there (not least of all chief exec if your statement is right). Any chance of naming the trust?

  2. Anonymous Coward

    We've simply banned it.

    We can't control it, so we've written it into all our policies that we don't do cloud at the moment. Anyone using a cloud service of any kind is breaching policy; it's the only way we've found to realistically ensure the organisation is covered, but let's face it, staff take matters into their own hands if it's vaguely inconvenient to them.

    That being said, more and more services are moving to cloud-based solutions, so we can't refuse to use them indefinitely. Two of our three vendors tendering for an important clinical system now only support a solution that is partially cloud-based. We're slowly being backed into a corner.

    1. Anonymous Coward

      Re: We've simply banned it.

      You are not backed into a corner at all. If the system doesn't meet the required security requirements, it fails the bidding process and you go with a system that doesn't have a problem.

  3. Anonymous Coward

    “While the NHS has shown great commitment to digitally transforming the patient experience, our data shows a concerning lack of awareness – both in terms of the potential security threats stemming from the cloud and also the data being stored and shared by employees through cloud apps."

    Most Trust IT departments are well aware of the risks involved, but it's hard to do anything about it when there is zero budget to implement a solution, the government keeps pulling money from the NHS, and what money is available is prioritised for patients, which at the end of the day is most important.

    Think back to the "encryption policy" early days: for some trusts it was cheaper to pay the fine if data was lost than to fork out for expensive full-disk encryption or encrypted pen drives. The unfortunate reality is that most companies see the NHS as a blank cheque book for making money.

    1. Anonymous Coward

      Not just NHS. Governments are the ultimate client.

    2. Doctor Syntax

      "what money is available is prioritised for patients, which at the end of the day is most important."

      The implication of this is that the cloud services that can't be afforded don't serve a patient care function. If so, then this sounds like a sensible priority.

  4. x 7

    Either the survey was badly worded, or whoever answered it hasn't a clue.

    Just about every NHS application used by the NHS is remotely hosted. No way round it.

  5. M7S

    Subhead - "Do we block unsanctioned ones?"

    Perhaps the problem is project managers or department heads coming from a different environment.

    In the finance industry, you are not allowed to deal with a sanctioned country/company/person. Fines, criminal charges, etc. as a result.

    If I understand the article correctly, in IT dealing with personal data, you should preferably only deal with a sanctioned app, quite a different implication being given to the term.

    Simples.

    Now I just need to explain to my little one the difference between soluble and insoluble and then compare this to flammable and inflammable....

    1. Anonymous Coward

      Re: Subhead - "Do we block unsanctioned ones?"

      A very large part of the problem is that the NHS is run by people who are scared of Doctors/Consultants, and with good reason, since they have all the power. If you try to do something as sensible as restricting access to Dropbox, some "innovator" will give a reason to "need" it and shout until they get it, no matter what the actual cost.

      IT and other operational/admin areas of the NHS end up taking the brunt of cuts, and so NHS organisations end up wasting vast amounts of money getting middle/senior management grades to do admin work whilst "innovation teams" come up with bizarre and expensive "new ways of working" that cannot be implemented because someone cut the budgets in the operational areas.

      Everything that the NHS (and virtually all other organisations) does is underpinned and made more efficient by IT (even after all the cockups!), and yet it still isn't generally recognised as a front-line, necessary service, only as a financial drag. Drugs and nurses are "required", but no mention of using information management to target staffing, reduce patient no-shows, etc. etc.

      The vendor mentioned here is Netskope, and they have an excellent product, one that a certain very large NHS organisation's IT department would love to implement to help manage all sorts of cyber and governance risks and also to optimise network use and save money in other areas. But it cannot be done because there is no money and no people to do it, and no willingness by senior leaders to recognise the problems within their organisation beyond the political headlines.
