NHS Security: a Retrospective View

While this is probably of marginal interest to anyone outside the UK, even those who look upon the UK's National Health Service as convincing proof that state-sponsored healthcare is a Bad Thing, I had an interesting chat with Dan Raywood of SC Mag recently, which he subsequently wrote up as an article which is now accessible online. Well, it was about me, so naturally I found it interesting. ;-)

While there are those who think that I've been in the anti-virus industry since mammoths roamed the Surrey hills (indeed, on a visit to India for AVAR a couple of years ago, I was treated with a reverence usually reserved for cattle), most of my computing career has actually been in medical informatics, though (as you might expect from what I do now) documentation, security and systems/user support played a large part most of that time.

Dan was particularly interested in the period from 2001 to 2006, when I managed the Threat Assessment Centre for the National Health Service (not as different as you might think from what I do now). The NHS at the time was an interesting security challenge, with something like 1 1/4 million staff, around 3 million network nodes, and an infrastructure somewhere between the ossified and the anarchic.

That was also the period when I published my first major security book and learned that being a senior manager isn't the same as having real influence, especially in an environment where management usually means owning a relationship with an outsourced service rather than making use of your own technical skills. I wouldn't have missed the experience for the world, but I don't think I'd want to go back. Which is probably just as well, since I wasn't altogether uncritical, and if anyone still in the NHS actually read it, I'd be lucky to get a job jockeying bedpans in a nursing home, never mind a high-level job in information governance.

In fact, I worked with some superb people in my time at what was then the NHS Information Authority, and I don't hold with the urban myth that if the NHS was run by "doctors and nurses" rather than "unnecessary management." The UK owes a great deal to its therapeutic frontline (which includes many more disciplines than you might think, from paramedics to therapists to psychologists to prosthetic specialists), but they're of little use without logistical and administrative support from the Cabinet Office and the Department of Health downwards. I'd like to think that the current UK government's drive to cut costs at all costs will take that into account rather than fall into the trap of thinking that you can outsource responsibility (and that applies in many areas, not just security), but I can't pretend to be confident.

I don't have any special knowledge of the internals of UK healthcare nowadays that isn't available to anyone who reads the newspapers, but the NHS has always been buffeted by political expediency, and I don't expect that to change now.

Thanks, Dan, for letting me express some of that in a very well-written article.

ESET Senior Research Fellow

Author David Harley, ESET
