AXREM Insights
AXREM Insights bringing you insights from within the industry. We'll be talking to our team and our members and delving into the people behind the products and services.
S6 E4 Cybersecurity in Healthcare: Frontline Defences and Industry Responsibility
In this episode of AXREM Insights, Sally Edgington is joined by Future Leaders Evie Eccles and Luke Wallin to explore the critical issue of cyber security in healthcare. Their guests, Martin Jarvis from the National Cyber Security Operations Centre at NHS England and Bob Child, AXREM Cyber Security Working Group convener, offer a detailed look into the increasing cyber threats faced by the NHS. Martin discusses the nature of current attacks, the role of credentials in major breaches, and how the Cyber Security Operations Centre responds to incidents with rapid coordination, technical investigation, and clinical risk awareness. Bob complements this with an industry perspective, highlighting why suppliers must prioritise security, keep systems updated, collaborate effectively, and align with NHS England’s cybersecurity charter.
The conversation also explores NHS England’s efforts to raise awareness, the importance of partnership with suppliers, and practical guidance to help organisations strengthen their defences. From MFA and patching to log retention and incident planning, Martin outlines the everyday, methodical work required to stay ahead of attackers. The episode finishes on a lighter note with the podcast’s signature quirky question, letting listeners learn a little more about the guests outside their cyber security expertise. The result is a comprehensive and accessible discussion that underscores cyber security as not just a technical requirement, but a shared responsibility tied directly to patient safety.
The RCR Conference takes place on the 29th and 30th of June 2026 at the QEII in London. You can find out all about it here. Don't forget to ask about AXREM member discounts.
Thanks for listening to this week's episode
To find out more about AXREM check out our website HERE
If you are interested in joining AXREM as a member CLICK HERE
To contact us CLICK HERE
And join us next time for more insights from industry.
Please note: transcripts are AI generated and might not be an accurate representation of what's being said. This is a guide to help those who may be hard of hearing.
[00:00.000 --> 00:05.000] Welcome to Axrem Insights, developing healthcare through medtech and innovation.
[00:05.000 --> 00:11.000] Join Melanie Johnson and Sally Edgington as they talk with our industry leaders and experts.
[00:11.000 --> 00:15.000] Hello and welcome to Axrem Insights Cybersecurity.
[00:15.000 --> 00:23.000] I'm Sally Edgington and I'm here with my guest co-hosts Evie Eccles and Luke Wallin, Axrem Future Leader representatives.
[00:24.000 --> 00:33.000] Today we have the pleasure to be speaking to Martin Jarvis, Incident Management Leader at the National Cybersecurity Operations Centre at NHS England
[00:33.000 --> 00:41.000] and Axrem Cybersecurity Working Group convener Bob Child, who is also the Chief Commercial Officer at Soliton IT.
[00:41.000 --> 00:45.000] Welcome Martin and Bob and thank you for being on our show today.
[00:45.000 --> 00:51.000] Let's start by handing over to you to tell us a bit about yourself, what's your story and how did you end up here today?
[00:51.000 --> 00:55.000] So we'll start with Martin if that's okay.
[00:55.000 --> 01:02.000] Yeah, good morning and thank you for having me on the podcast today and hopefully you'll find what I've got to say fairly interesting.
[01:02.000 --> 01:06.000] A little bit about my professional career and then I can talk about a little bit about me personally if you like.
[01:06.000 --> 01:10.000] I've been with the NHS Cybersecurity Operations Centre for nearly five years now.
[01:10.000 --> 01:19.000] It's absolutely flown by, it's been a really, really busy time and I currently lead the incident management team within the Cybersecurity Operations Centre.
[01:19.000 --> 01:28.000] So we manage very small incidents right up to really serious incidents where you've got an attacker in the environment, hands on keyboard.
[01:28.000 --> 01:39.000] The cyber security incidents that we kind of detect come from all across England and across NHS organisations.
[01:39.000 --> 01:44.000] So we have a lot of coverage and we see a lot of different things.
[01:44.000 --> 01:49.000] So it's a really interesting and it's a really dynamic place to work in.
[01:49.000 --> 01:54.000] One of the key things of course as well is the people that we work with and the people that we work for.
[01:54.000 --> 02:04.000] And in the back of our minds always there's that sort of risk to patient safety, clinical impact and business critical systems that we have to bear in mind.
[02:04.000 --> 02:08.000] Previously to coming into this job I was a police officer of 20 years.
[02:08.000 --> 02:20.000] So some of my career involved managing murder investigations and leading investigations into armed robberies, frauds, extortion, drugs trafficking.
[02:20.000 --> 02:24.000] One question people like to say is well how did you get into cyber?
[02:24.000 --> 02:31.000] I mean it started when as I've mentioned we have investigated drugs trafficking in and around West Yorkshire area.
[02:31.000 --> 02:39.000] And we kind of wanted to go up a level from getting just the dealers on the streets to the people who were behind that.
[02:39.000 --> 02:48.000] And to do that we had to use data, phone data, computer data, other types of data that's available.
[02:48.000 --> 02:55.000] Because as you'd imagine people won't come forward and give statements and evidence.
[02:55.000 --> 03:04.000] You can get your sort of dry type forensics and stuff but a lot of it was done in a conspiracy style fashion investigation over the phones.
[03:04.000 --> 03:12.000] And that is essentially what kind of really got me into the cyber element of things because we're working a lot with computers.
[03:12.000 --> 03:22.000] Personally myself outside of work well like anybody in cyber I kind of do a lot of studying to keep up to date and to keep current with things.
[03:22.000 --> 03:25.000] And because I find the subject interesting.
[03:25.000 --> 03:36.000] And also I have a family and I have a very young grandson and he keeps me busy because I take him to football and to other activities as well.
[03:36.000 --> 03:42.000] So when you see those adverts where you say keep fit for the kids and stuff like that it's very true.
[03:42.000 --> 03:47.000] They're very energetic and you've got to do a lot of running around to keep up with them.
[03:47.000 --> 03:49.000] So that's me in a nutshell.
[03:49.000 --> 04:00.000] Thanks Martin. It sounds like you're a very busy man and it sounds like you've got lots of experience of working in fast paced environments and I'm sure it's rewarding catching all the baddies and the criminals.
[04:00.000 --> 04:07.000] You know so you're still obviously using your background today so that sounds fantastic.
[04:07.000 --> 04:12.000] I'm now going to hand over to Bob. Bob we've had you on before but come on tell us your story.
[04:12.000 --> 04:16.000] Thank you Sally. Martin very interesting.
[04:16.000 --> 04:24.000] I'm Bob Child. I've been in radiology business as a supplier for over 35 years.
[04:24.000 --> 04:29.000] I know I don't look that old but I am.
[04:29.000 --> 04:46.000] Yeah, I think the one thing where I started I actually started as a credit controller collecting money and moved my way through my career through service in one of the larger, one of the larger members of our association.
[04:46.000 --> 05:04.000] I moved through the service channels and into service marketing and service business, and then was the service director. Probably the biggest claim to fame at that point was changing from 13 branches into a call center and that move at that time.
[05:04.000 --> 05:21.000] So at the same time as that, in 2003 I headed up the national program for that company which was obviously the change from film to digital and I worked in the London region with our LSP provider BT.
[05:21.000 --> 05:34.000] From that, obviously, I got into all the various areas of contract management and security management, etc. As part of rolling out that recent tax program.
[05:34.000 --> 05:48.000] And that's kind of where I started with cybersecurity. In them days, so the security obviously wasn't anything like today, but there was still obviously things that we had to do with the various trusts to make things happen.
[05:48.000 --> 06:08.000] And as Martin said it's really just growing from that year on year. Yeah, we've seen new rules and regulations adopted by the NHS. And of course, you know, now we sit here today, and the threat of cybersecurity is just incredible.
[06:08.000 --> 06:20.000] When to try and give you some numbers are just jotting down a few numbers that were passed to me. And I think this is its own of why this is so important to suppliers.
[06:20.000 --> 06:42.000] So, just giving you a thing on the NHS App, for instance, there's 36.3 million registered users, 47.3 million logins were done in 2024, which is equivalent to 75% of the adult population that use the NHS app.
[06:42.000 --> 06:49.000] In other areas, there's 1 million users signed up to register for GP service.
[06:49.000 --> 07:01.000] The big one probably relates to me is 50% of incidents with portable under this regs since 2018 have been related to supplier systems.
[07:01.000 --> 07:23.000] And I think, as you can see from that perspective, that is why cyber is so important to us as suppliers. And as part of our actual manifesto. This is one of the headlines that we are obviously trying to do whatever we can do to help the NHS and NHS England and the National Cyber
[07:23.000 --> 07:32.000] Centre to work together to remove the threat. But obviously, it's an ongoing threat, and it's an ongoing challenge.
[07:32.000 --> 07:46.000] Thanks, Bob. I've just wrote three things down while you were talking. I've written down that you're our Carol Vorderman of Axrem with all your stats and figures, and I wrote down that you're our encyclopedia of our industry and Axrem.
[07:46.000 --> 08:00.000] And, and also that you've been such a great voice and advocate for cyber security for Axrem over the last couple of years and got us to a really good place in horizon scanning and making sure we're speaking to the right people like Martin.
[08:00.000 --> 08:11.000] So cyber security and healthcare isn't just a technical challenge. It's a patient safety imperative as threats growing complexity and scale and the NHS faces mounting digital pressures.
[08:11.000 --> 08:29.000] Axrem continues to advocate for stronger defences, smarter partnerships and greater public awareness. With that in mind, let's dive into some pressing questions about NHS readiness, industry responsibility, and how collaborative action can bolster security across the entire
[08:29.000 --> 08:42.000] healthcare ecosystem. So how worried should our members be that there might be a large scale attack on the NHS? And I'm going to actually put that straight to Martin if that's okay.
[08:42.000 --> 08:55.000] Okay, I want to start by saying the NHS is constantly under attack. So when we see a lot of these incidents in the news, I won't name them, but I think we probably know about some of the current ones.
[08:55.000 --> 09:11.000] We're constantly defending against those type of attacks. If I boil it down to kind of what we see in a typical month, we manage approximately 90 confirmed security incidents and three of those were serious incidents.
[09:11.000 --> 09:26.000] So they had impact upon the NHS organizations. It is an ongoing threat. We shouldn't we shouldn't be complacent. We've all got everybody's got a part to play. And some of these can come via the supply chain as well.
[09:26.000 --> 09:36.000] So this is why I always kind of say it's really good to have those good relationships and that good understanding of your supply chain and who's in your supply chain.
[09:36.000 --> 09:50.000] What I will say is when we see the attacks, the majority of them are financially motivated. So what they're looking for is low hanging fruit. And what I mean by that is I'll go back to an example from my policing days.
[09:50.000 --> 10:02.000] When we used to see burglaries, a lot of the burglaries happen because people would walk through the streets at night and try insecure doors and windows and then gain access to the house that way.
[10:02.000 --> 10:13.000] They weren't looking for the for the ultimate challenge. They were just looking for whatever's easiest. And the way these models work is, you know, once access is achieved and they sell that on.
[10:13.000 --> 10:26.000] This is why we're pushing things all the time, like the high severity alerts that we do when, you know, these critical vulnerabilities are announced, because like I say, the attackers are looking for an easy option.
[10:27.000 --> 10:40.000] And if you got something exposed to the Internet, they will find it. But having said that, we've got a great team here within Cyber Security Operations Center and we're here and ready to support NHS organizations.
[10:40.000 --> 10:50.000] So, Mike, would you say the majority of the attacks in the form of phishing or are we being attacked in a different sort of sort of way?
[10:50.000 --> 11:01.000] Yeah, so phishing is a big one. Vulnerabilities. So on systems is another way that attackers kind of kind of getting access to systems.
[11:01.000 --> 11:08.000] At the minute, one that is pointing sort of like your adversary in the middle and that comes via way of phishing.
[11:08.000 --> 11:16.000] They're trying to get around the multifactor authentication by getting tokens and things like that through that method.
[11:16.000 --> 11:27.000] But what we see attacks coming by way of is that the most serious ones that really impact NHS organizations are when attackers obtain credentials for valid accounts.
[11:27.000 --> 11:34.000] So credentials are really the key and really the pinch point for any attacker.
[11:34.000 --> 11:40.000] That's what they kind of need to go on to do those really bad things that we see.
[11:41.000 --> 11:48.000] OK, so once they've acquired these credentials, they've got access to the system and then they can really wreak havoc.
[11:48.000 --> 11:52.000] Yeah, that's right. Yeah. Great. Well, I've got a follow on from that then.
[11:52.000 --> 12:04.000] So how is training NHS and partner companies in protecting those credentials? Is that something that you're working on?
[12:04.000 --> 12:07.000] So we don't work on kind of the training side of things.
[12:07.000 --> 12:13.000] We do obviously lots to kind of try and get the message out there and try and get that understanding.
[12:13.000 --> 12:17.000] And that's something that we're working on all the time, trying to share that information.
[12:17.000 --> 12:23.000] And I'll probably go into that a bit later on in the podcast of the kind of things that we do do in that area.
[12:23.000 --> 12:29.000] But as you know, I kind of go back to everybody's got a part to play whatever role you're in.
[12:29.000 --> 12:36.000] And I think that awareness is really the key because because we see it every day,
[12:36.000 --> 12:40.000] because we're sort of I'll say we're on the front line because we're seeing it every day.
[12:40.000 --> 12:43.000] We can understand that the magnitude of it.
[12:43.000 --> 12:49.000] But maybe in other areas of the business, you don't understand maybe how susceptible you potentially are to a cyber attack.
[12:49.000 --> 12:55.000] Yeah. And I think that our members are aware and are worried about an attack.
[12:55.000 --> 13:00.000] And I'm sure, Bob, you'll have something to say about this because we talk about it all the time about, you know,
[13:00.000 --> 13:03.000] what is the responsibility of suppliers in the event of attack?
[13:03.000 --> 13:09.000] And I think that's probably your biggest concern, you know, if there was a huge attack.
[13:09.000 --> 13:12.000] So, Bob, please do come in.
[13:12.000 --> 13:23.000] Yeah, I think if I look at it, to me, it's probably about the core principles that you need to follow.
[13:23.000 --> 13:29.000] So if I look at it from what doing the work with Axrem with all of our members,
[13:29.000 --> 13:38.000] there's a number of core principles and of course, each company's have their own rules and their own way of dealing with such attacks.
[13:38.000 --> 13:46.000] So for me, you know, the core principles we've come up with just to share our rapid and accurate information sharing.
[13:47.000 --> 13:59.000] So the idea being that if there is an attack and you believe this will affect other members to actually share that you believe an attack is happening with Axrem,
[13:59.000 --> 14:04.000] that then can be passed and warn other members as soon as you're aware.
[14:04.000 --> 14:11.000] We have proactive security. So members must commit to doing continuous updates.
[14:12.000 --> 14:17.000] You know, all of the patching of systems, et cetera, having the right levels of software.
[14:17.000 --> 14:26.000] We were continually asked to keep software levels that were well below the current by the NHS.
[14:26.000 --> 14:31.000] And that needs to change because, as Martin said, that's your low hanging fruit.
[14:31.000 --> 14:34.000] That's where your weakness is. That's your way in.
[14:34.000 --> 14:38.000] So it's very important that everyone does this together.
[14:38.000 --> 14:45.000] A collaborative response. So if you're whether you're a large corporate or a small corporate,
[14:45.000 --> 14:52.000] you know, to come together and as one and share what you know and what's going on,
[14:52.000 --> 14:56.000] because I think it really helps people in the way that they would manage your response.
[14:56.000 --> 15:02.000] And also it helps the NHS. We've put together a structured escalation.
[15:02.000 --> 15:10.000] So again, for the NHS and for Martin's team, there's one point of contact to all companies within Axrem,
[15:10.000 --> 15:13.000] which means you haven't got to talk to 70, 80 companies.
[15:13.000 --> 15:20.000] I know we've got over 100 members now, but, you know, typically you would hope not everyone would be affected.
[15:20.000 --> 15:26.000] But again, having one path of escalation that can then be fed down really saves a lot of time.
[15:26.000 --> 15:35.000] And finally, probably and more importantly, is the national alignment with the NHS cybersecurity charter
[15:35.000 --> 15:42.000] and NCSC's incident coordination and, as Martin said, public awareness and education.
[15:42.000 --> 15:48.000] Because I think making everybody aware of these risks and talking about it
[15:48.000 --> 15:52.000] raises the profile and the threat of cybersecurity.
[15:53.000 --> 16:01.000] So I think, as I say, for me, that captures everything that we as suppliers and we as the NHS
[16:01.000 --> 16:08.000] and our trusts and our partners in NHSC need to how we need to work in partnership and together.
[16:09.000 --> 16:12.000] Absolutely. And I think we've seen that in our cybersecurity group.
[16:12.000 --> 16:17.000] It's become a real collaborative group across our whole membership.
[16:17.000 --> 16:21.000] And like you say, we're trying to streamline those communications for members.
[16:21.000 --> 16:24.000] Right, I'm now going to hand over to Luke for the next question.
[16:25.000 --> 16:29.000] So it's similar to what we've been speaking about. It's a question for you, Martin.
[16:29.000 --> 16:35.000] In the event of an attack, what's the plan? What's the approach from NHS England?
[16:35.000 --> 16:41.000] Yeah, so, I mean, I can talk about a couple of aspects here.
[16:41.000 --> 16:49.000] So we as a cybersecurity team are always ready to kind of support NHS organisations in the event of an attack.
[16:49.000 --> 16:52.000] And we're very used to managing these situations.
[16:52.000 --> 16:57.000] I think we kind of bring a calm head and a little bit of a sense of direction when we come,
[16:57.000 --> 17:05.000] because you can imagine for most people, this is a really unusual or a situation that you don't normally face.
[17:05.000 --> 17:07.000] And we absolutely appreciate that.
[17:07.000 --> 17:10.000] So we offer NHS as much support as possible.
[17:10.000 --> 17:19.000] And so the first thing we kind of do is we get into contact with the organisation that's impacted and we will assess the information.
[17:19.000 --> 17:24.000] And then we can kind of understand the level of resourcing that is going to be required to support the organisation.
[17:24.000 --> 17:26.000] And then we'll begin to manage coordination.
[17:26.000 --> 17:33.000] So that would be probably done by somebody like me getting to understand, you know, who are the key stakeholders and who do we need to have around the table?
[17:34.000 --> 17:41.000] And when we're pulling people together, you know, we're making sure we're getting the right people at the table as well.
[17:41.000 --> 17:45.000] So we can be effective as possible.
[17:45.000 --> 17:48.000] So that's people from different areas of the business know.
[17:48.000 --> 17:54.000] So when we have that initial meeting, we'll kind of set out what we know and then try to ascertain, you know,
[17:54.000 --> 18:01.000] So what is the impact of this on the systems to the business and to patient to patient care?
[18:01.000 --> 18:12.000] And then we can decide in conjunction with the impacted organisation what the best course of action is here because there's always those kind of risk based decisions to make.
[18:12.000 --> 18:16.000] So, for example, if you wanted to say, let's isolate these key assets.
[18:16.000 --> 18:22.000] Well, is is an actual option because you might be preventing patient care in some way.
[18:22.000 --> 18:25.000] So we've got to be cognisant of that.
[18:25.000 --> 18:31.000] So we have our telemetry and information that we gather within the cyber security operation centre.
[18:31.000 --> 18:42.000] But sometimes that that might not be enough because, as you imagine, you know, beyond that, there's lots of other information that we can use and gather.
[18:42.000 --> 18:51.000] And what we'll try and do is we'll try to get that organisation as secure as possible to stop the attacker from from getting in.
[18:51.000 --> 18:56.000] You know, we're going to then start to kind of pull in assistance.
[18:56.000 --> 19:04.000] We have a computer incident response team who can do digital forensics and we're going to get boots on the ground and get to grips with this.
[19:04.000 --> 19:11.000] And then we can start getting people briefed. We can get clinical support, IG support, comms support.
[19:11.000 --> 19:16.000] So, you know, all these different aspects and bringing people together.
[19:16.000 --> 19:23.000] I think one of the key things as well is if you imagine when you're hit by a cyber security incident, the question must be, well, where do I start with this?
[19:23.000 --> 19:28.000] And I think we can kind of get those answers for you as quickly as possible.
[19:28.000 --> 19:34.000] So you're not because resources are so finite. So we're going to do things at the right places.
[19:34.000 --> 19:41.000] We'll try and keep the attacker out, contain the situation, and then we can we can start to investigate.
[19:42.000 --> 19:52.000] Now, if it was a more wide scale attack that was across the country, this is when sort of NHS England would get involved.
[19:52.000 --> 19:59.000] And then our resilience teams who are really, really experienced in managing these sort of wide scale incidents would become involved as well.
[19:59.000 --> 20:08.000] So, again, bringing different people in and then we'll bring in law enforcement, NCSC and other partner agencies as well to support.
[20:08.000 --> 20:16.000] So we're quite well honed to come and support you and and give you advice and guidance as well.
[20:17.000 --> 20:27.000] And can I just say, I think that that's really reassuring to companies to know that there's that support out there because I think it is kind of the fear of the unknown is if there's an attack, you know,
[20:27.000 --> 20:33.000] we've seen obviously there's been big national companies, you know, like M&S and other companies like that.
[20:33.000 --> 20:36.000] And you can see the massive impact it's had.
[20:36.000 --> 20:46.000] And in our membership, I would say that a lot of our obviously the big companies that do CT and MR, they connect to systems.
[20:46.000 --> 20:56.000] But I would say the more vulnerable companies are probably a lot of SMEs that are the kind of imaging IT companies, all the PACS and RIS and things like that.
[20:56.000 --> 21:00.000] So I think it is very reassuring to know that there is all of that support out there for them.
[21:00.000 --> 21:02.000] Yeah, absolutely.
[21:02.000 --> 21:06.000] I'll hand over now to Evie. So, Evie's got a question for you as well.
[21:07.000 --> 21:22.000] Hi Martin. In the action strengthening cyber security in UK health care, we call for private sector partnerships and increasing public awareness to address the cyber security challenges that health care organizations faced.
[21:22.000 --> 21:30.000] What is NHS England doing to raise more awareness among the public? And I think this is what we were talking about earlier, that awareness piece.
[21:30.000 --> 21:35.000] What I will say is a lot of the stuff we do to raise awareness is behind closed doors.
[21:35.000 --> 21:45.000] And what I mean by that is it's direct to health care organizations because the public in general aren't our customer, it's sort of health care organizations in NHS England.
[21:45.000 --> 21:52.000] We have a lot of mechanisms and I think we're always trying to improve those because we're aware it is about getting the message out.
[21:52.000 --> 22:05.000] It's about winning hearts and minds and it's about being able to convey that message to such a diverse range of people because that's the only way we're going to get on top of this.
[22:05.000 --> 22:08.000] We've got something called the Cyber Associates Network.
[22:08.000 --> 22:20.000] So that's a sort of safe space where we have conferences and forums and we have monthly kind of cyber sessions where we talk about sort of trending incidents and things that we're learning.
[22:20.000 --> 22:23.000] We have webinars on there and things like that.
[22:23.000 --> 22:36.000] And I think the members find that sort of really interesting space and really invaluable and people can share ideas as well in that space and talk about things and raise things as well.
[22:36.000 --> 22:47.000] So it's bringing together a lot of people from across NHS England and also I believe suppliers can have access to this network as well.
[22:47.000 --> 23:02.000] We issue high severity alerts when we triage a critical vulnerability, which is a sort of high CVSS score and is sort of a widespread patching mandate across NHS England.
[23:02.000 --> 23:09.000] So that's where we kind of give information and guidance that goes out to all our NHS organizations.
[23:09.000 --> 23:16.000] We have time scales and give advice and guidance around sort of the patching of that, why it's important.
[23:16.000 --> 23:27.000] We have a threat intelligence sharing platform and this delivers lots of valuable products and information to the customer.
[23:28.000 --> 23:47.000] We're getting current information out through that platform that we want to share with people and it's information that they can use to secure and improve the security or just have an understanding of what the current threat landscape looks like so that it can drive their decision making.
[23:47.000 --> 23:56.000] I personally and my colleagues kind of deliver talks across the country to different NHS organizations talking about what we do to get that engagement.
[23:56.000 --> 24:06.000] We have our very own cyber sessions podcast hosted by our national cyber ops director Mike Fell, which again talks about cyber things.
[24:06.000 --> 24:23.000] We have what's called the regional cyber leads and they're kind of our go to when we want to speak to NHS organizations because they understand better than us what's happening on the ground and they have good relationships with NHS organizations.
[24:23.000 --> 24:33.000] So there's lots of pieces of work there to kind of trying to get the message out and I will say we can absolutely improve on that as well.
[24:34.000 --> 25:01.000] Could I come in there Martin as well because you obviously launched the supply chain charter and you know that charter was done for all health care companies which was basically NCSE was seeking to co-develop with industry a voluntary charter that outlines the proactive steps and manages the third party supply chain risk.
[25:01.000 --> 25:12.000] It enables current and future suppliers to pledge to be trusted partners to the health and care system, keeping patient data safe and maintaining the operation of essential services.
[25:12.000 --> 25:28.000] So the charter was developed with guidance from yourself, the National Cyber Security Centre and incorporate elements of international best practice of the United States Cyber Agency, CISA, Secure by Design pledge.
[25:28.000 --> 25:33.000] So I think it's really important that members do sign up to this charter.
[25:33.000 --> 25:52.000] It is voluntary, but the sort of things that it covers are things such as systems are kept in support, have the latest patches applied to address known vulnerabilities, achieve the least standards met as part of the data security protection toolkit, the DSPT, which most of our members have,
[25:52.000 --> 26:12.000] implement multi-factor authentication MFA in line again with the NHS policy, ensure that immutable backups, critical business data, tested plans, incident response, disaster recovery, business continuity are all in place and tested.
[26:12.000 --> 26:23.000] And more importantly in anything, make sure that everyone at board level understands what their responsibilities are in the event of a cyber attack.
[26:23.000 --> 26:33.000] So I think there's just some things there that really do, but I would encourage everyone to look at this charter and sign up to it because I think it really helps.
[26:33.000 --> 26:55.000] And the idea is obviously then is to, as you say, to go more widely and publicize the fact of this charter and hopefully, you know, bring it to the public's attention that this does exist and the work that's being done by all companies is so important in this area.
[26:56.000 --> 27:05.000] And as I said, it's continuous. It doesn't just you do it and it stops each day. You're you're kind of keeping one step ahead of the criminals all the time, aren't you?
[27:08.000 --> 27:18.000] Thanks, Bob. I've got another question that's just kind of sprung to mind is obviously the Cyber Security Operations Centre is for NHS England.
[27:18.000 --> 27:24.000] Does your team also cover the devolved nations and is there the same support available in Wales, Scotland and Northern Ireland?
[27:25.000 --> 27:29.000] Yeah, so we don't cover the devolved nations. We cover England.
[27:30.000 --> 27:45.000] I believe that sort of NHS Scotland, NHS Wales have their own Cyber Security Operations Centres as well because we do send information and intelligence across and we do support NHS Scotland with some level of monitoring as well.
[27:45.000 --> 27:50.000] So, yes, there is that support for other the other nations. Yeah.
[27:51.000 --> 28:00.000] OK, brilliant. Thank you. So, Martin, what top tips would you offer to our member companies to ensure they improve their defences against cyber threats?
[28:01.000 --> 28:10.000] Yeah, OK, so I'll give you the just from the benefit of my experience and we'll probably cross over into a couple of other little areas as well.
[28:11.000 --> 28:18.000] So from my incident management experience, so valid accounts are often used in attacks.
[28:19.000 --> 28:28.000] What that means is that someone's kind of set up an account and, you know, it's got a weak password or they've kind of set it up to do a job.
[28:29.000 --> 28:34.000] It's often overly privileged, so it can do a lot of things that maybe you don't want it to do.
[28:34.000 --> 28:43.000] And it's been forgotten about and the attackers get hold of that account and then they start to use that account against you.
[28:44.000 --> 28:53.000] So, you know, having that understanding of what accounts you have, what, you know, are you applying the principle of least privilege to these accounts?
[28:53.000 --> 28:57.000] And then, you know, do you actually even need these accounts?
[28:58.000 --> 29:01.000] So there's a bit of sort of joiners, movers, leavers.
[29:02.000 --> 29:04.000] This is really important.
[29:05.000 --> 29:07.000] And what I will say is there isn't a silver bullet.
[29:08.000 --> 29:09.000] A lot of cyber security work,
[29:10.000 --> 29:15.000] my perspective is it's just hard work, you know, that you've got to kind of get stuck in.
[29:16.000 --> 29:22.000] So MFA is another one, multi-factor authentication would prevent a lot of the attacks that we see.
[29:23.000 --> 29:30.000] And that is either not applied in some cases, but there is a policy now across the NHS that says you should have it.
[29:31.000 --> 29:34.000] Or in some cases, things just aren't configured correctly.
[29:35.000 --> 29:41.000] So you think you have MFA, but your configurations are wrong and you don't actually have the level of protection that you want.
[29:42.000 --> 29:47.000] So, you know, the housekeeping bit again comes in there and doing that work.
[29:48.000 --> 29:49.000] Important work.
[29:50.000 --> 29:53.000] Weak passwords, that I've kind of alluded to.
[29:55.000 --> 30:02.000] Another thing is this sort of if you've got access points that are open to the Internet, those need to be patched up to date.
[30:03.000 --> 30:09.000] And, you know, because we see attacks coming by the way of these vulnerable access points.
[30:09.000 --> 30:12.000] So it's understanding.
[30:13.000 --> 30:14.000] You know, if there's.
[30:17.000 --> 30:27.000] If somebody is issued to say, look, there's a vulnerability with this software system, then, you know, get that patched as soon as you can.
[30:28.000 --> 30:37.000] Because obviously, you know, we've seen the devastating effects of people leveraging those vulnerabilities against those access points.
[30:38.000 --> 30:40.000] Regulating the use of commercial VPNs.
[30:41.000 --> 30:44.000] I think seeing sort of VPN access can sometimes be a red flag.
[30:46.000 --> 30:48.000] You know, or people using VPN.
[30:48.000 --> 30:51.000] Sorry, should I say can sometimes be a red flag.
[30:51.000 --> 30:59.000] It helps you security professionals as well, you know, to understand if it's legitimate access or if it could be something else.
[31:00.000 --> 31:08.000] Because, as you know, VPNs kind of obfuscate our understanding of who is actually coming into the environment.
[31:08.000 --> 31:11.000] So regulation of those sort of things is really helpful.
[31:12.000 --> 31:15.000] The deployment of software as well on your systems.
[31:16.000 --> 31:24.000] I know people often want to put software on systems outside of what is usually permissible because they're trying to get a job done.
[31:24.000 --> 31:30.000] Or they need to achieve something within the workplace that I don't have the ability to do this.
[31:30.000 --> 31:33.000] So remote access software is one.
[31:34.000 --> 31:37.000] But once that's on the system, there's a couple of things.
[31:37.000 --> 31:40.000] It makes it easier for the attacker to move data off your system.
[31:40.000 --> 31:45.000] So if the attacker gets on and that software is on there, you know, that makes it a lot easier for them.
[31:45.000 --> 31:52.000] But also, there's a particular type of access software that we see is like flavor of the month for attackers as well.
[31:52.000 --> 31:55.000] This can be another red flag for security professionals.
[31:55.000 --> 32:05.000] So, yeah, software management and in particular, remote access software, really having an understanding of what's being used in your environment.
[32:05.000 --> 32:07.000] Going beyond those sort of things.
[32:07.000 --> 32:09.000] And I think Bob alluded to it.
[32:09.000 --> 32:11.000] Incident management planning.
[32:11.000 --> 32:17.000] So just kind of the readiness and knowing what to do can be really helpful because
[32:18.000 --> 32:20.000] time is a critical factor.
[32:20.000 --> 32:22.000] It's not on your side.
[32:22.000 --> 32:36.000] You're working against a sophisticated adversary who has probably spent a lot of time planning, preparing, and they're in your environment and they probably kind of know what their objective is and they're working quickly towards achieving that objective.
[32:37.000 --> 32:43.000] So the more you plan and the more you prepare, the more effective you can be.
[32:43.000 --> 32:45.000] And as well, it's about people.
[32:45.000 --> 32:48.000] There's a lot of stress on people during these incidents.
[32:48.000 --> 32:51.000] And if you're planning, it removes a lot of that stress.
[32:51.000 --> 32:54.000] So people can be a lot more effective as well.
[32:56.000 --> 33:01.000] So one of the things we see an issue with is around log retention.
[33:01.000 --> 33:06.000] So this is more to do with the investigation following an incident from our perspective.
[33:06.000 --> 33:12.000] So often, you know, people will think, oh, well, we'll go to our logs on the firewall.
[33:12.000 --> 33:19.000] And what you find is, well, there's only 30 minutes of logs and that can hamper an investigation and hamper your understanding.
[33:19.000 --> 33:22.000] So it's kind of are those logs that you're gathering verbose enough?
[33:22.000 --> 33:28.000] Do they have the information that you require in the event of an incident?
[33:28.000 --> 33:31.000] So it's kind of knowing that kind of stuff.
[33:31.000 --> 33:33.000] And how long are you going to retain those for?
[33:33.000 --> 33:36.000] I appreciate there's a cost aspect and not everything.
[33:36.000 --> 33:38.000] You can't log absolutely everything.
[33:38.000 --> 33:42.000] But, you know, for those key assets, it's really, really important.
[33:42.000 --> 33:46.000] And that's often where we see kind of a weakness.
[33:46.000 --> 33:50.000] Again, just kind of alluded to before, but checking configurations and things.
[33:50.000 --> 33:56.000] You know, if things aren't set up properly, then that's where they can kind of fall down.
[33:56.000 --> 34:03.000] And you think you've got something in place and you haven't because the configuration is wrong.
[34:03.000 --> 34:11.000] Talking about suppliers and what we find is a lot of the time people who work with suppliers don't understand sort of the SLAs, the service level agreements.
[34:11.000 --> 34:20.000] And they're not always familiar with working with their suppliers and what they can get out of them in this type of situation.
[34:20.000 --> 34:30.000] So it is good to bring in your suppliers, get them involved in these conversations, get them involved in your incident management planning and understand how to work with them effectively,
[34:30.000 --> 34:37.000] should something crop up, because a lot of the NHS relies on their supply chain, you know, heavily to provide essential services.
[34:37.000 --> 34:40.000] So it's key to kind of rehearse these things.
[34:40.000 --> 34:44.000] And the final one is it's sort of a plea from the Cyber Security Operations Centre.
[34:44.000 --> 34:51.000] If you're working with us, keep your contacts up to date because we need to be able to reach out to the right people at the right times.
[34:51.000 --> 34:57.000] You know, and if we can't get hold of you, then it's going to delay the response.
[34:57.000 --> 35:03.000] So contacts, having a communications plan is really key.
[35:03.000 --> 35:11.000] So those are kind of some of the key, really key things I picked out from my experience of dealing with multiple incidents across the years.
[35:11.000 --> 35:15.000] Thanks, Martin. That will be very valuable tips, I think, for our members.
[35:15.000 --> 35:23.000] And it's certainly already I've been jotting some stuff down that I think, Bob, we should discuss in our next Cyber Security meeting to help members be more prepared.
[35:23.000 --> 35:25.000] So that's fantastic.
[35:25.000 --> 35:29.000] So we're going to change up the tone of the podcast now.
[35:29.000 --> 35:33.000] So we always end our podcast with one of our quirky questions.
[35:33.000 --> 35:41.000] So today's quirky question is if you could swap lives with a celebrity for a day, who would it be and what would you do?
[35:41.000 --> 35:44.000] And I'm actually going to pose this question to everybody.
[35:44.000 --> 35:49.000] So I'm going to start with Luke. I'm going to catch you completely off guard.
[35:49.000 --> 35:51.000] You have caught me completely off guard.
[35:51.000 --> 35:55.000] I suppose I can't really think of anybody.
[35:55.000 --> 35:58.000] You'd have to be someone quite rich if it was just going to be for one day.
[35:58.000 --> 36:03.000] I think I'd like to just spend some money and relax.
[36:03.000 --> 36:06.000] That would be nice.
[36:06.000 --> 36:09.000] And I'm sure there's quite a list of celebrities who meet that criteria.
[36:09.000 --> 36:12.000] And I think I'll leave it at that.
[36:12.000 --> 36:19.000] Maybe somebody like Alan Sugar or somebody like that then so that you can live the high life for the day, Luke.
[36:19.000 --> 36:23.000] Hopefully if they're in somewhere that's already quite warm as well.
[36:23.000 --> 36:25.000] Maybe Richard Branson.
[36:25.000 --> 36:27.000] He's got an island, doesn't he?
[36:27.000 --> 36:28.000] Somewhere nice and hot and sunny.
[36:28.000 --> 36:30.000] Maybe that's the place.
[36:30.000 --> 36:33.000] That doesn't sound too bad at all.
[36:33.000 --> 36:38.000] And Evie, who would you spend the day with if you could spend the day with a celebrity?
[36:38.000 --> 36:41.000] I think probably David Tennant.
[36:41.000 --> 36:47.000] Just because I'd like to know how it would be to be that talented and that generally cool.
[36:47.000 --> 36:49.000] That would be pretty awesome.
[36:49.000 --> 36:50.000] I totally agree.
[36:50.000 --> 36:54.000] And also you might get to go in the time machine if he goes back to Doctor Who.
[36:54.000 --> 36:57.000] So, you know, that could make it even more interesting.
[36:57.000 --> 37:01.000] And Bob, Bob, who would you spend the day with?
[37:01.000 --> 37:05.000] I get that pleasure every time I see you.
[37:05.000 --> 37:08.000] You know, with the celebrity of AXREM.
[37:08.000 --> 37:11.000] Oh, yeah, yeah.
[37:11.000 --> 37:13.000] I didn't say Luke Donald.
[37:13.000 --> 37:17.000] As you know, I'm a keen golfer and winning the Ryder Cup and that.
[37:17.000 --> 37:27.000] I'd love to go and do it again because seeing after all the abuse that the Europeans took to actually go there and win and see them all walk away quiet was lovely.
[37:27.000 --> 37:28.000] So I'd love to see that again.
[37:28.000 --> 37:33.000] Yeah, I think it would be replacing Luke Donald on that day.
[37:33.000 --> 37:35.000] Fantastic. Thank you, Bob.
[37:35.000 --> 37:38.000] And over to you, Martin.
[37:38.000 --> 37:40.000] I put a little bit of force this one.
[37:40.000 --> 37:42.000] Drew Pritchard.
[37:42.000 --> 37:44.000] Does anybody watch Salvage Hunters?
[37:44.000 --> 37:49.000] No, so you need to explain more now because I don't.
[37:49.000 --> 37:55.000] So basically, Drew travels up and down the country buying antiques and collectibles.
[37:55.000 --> 37:56.000] It's fascinating.
[37:56.000 --> 37:57.000] He goes to businesses.
[37:57.000 --> 37:59.000] He goes to antiques dealers.
[37:59.000 --> 38:05.000] He goes to manufacturers and buys these lovely things that he ultimately kind of sells on.
[38:05.000 --> 38:08.000] But there's also like a story behind these things.
[38:08.000 --> 38:11.000] And I think he has an eye for detail.
[38:11.000 --> 38:19.000] So, you know, he knows what's good, a little bit of the history about these things, how they're manufactured.
[38:19.000 --> 38:27.000] And, yeah, I just really kind of enjoy that sort of thing, that kind of eye for detail and these beautiful things that he buys.
[38:27.000 --> 38:28.000] Yeah, absolutely fascinating.
[38:28.000 --> 38:34.000] So I think it'd be fascinating to spend a day on the road with Drew Pritchard.
[38:34.000 --> 38:38.000] Yeah, doing collecting antiques and other bits here.
[38:38.000 --> 38:40.000] That sounds like it would be a very fascinating day.
[38:40.000 --> 38:44.000] Like you say, if there's a story, there's a story attached to everything.
[38:44.000 --> 38:47.000] So, you know, obviously that's so interesting as well.
[38:47.000 --> 38:51.000] Brilliant. Well, thank you very much for answering the quirky question.
[38:51.000 --> 39:02.000] I think we've all found out a lot more about Martin and the work of the Cyber Security Operations Centre at NHS England and further insights into cyber security.
[39:02.000 --> 39:14.000] I'd like to say a big thank you to Martin and Bob for joining us today and to my guest co-hosts Evie Eccles and Luke Wallin from our Future Leaders Council.
[39:14.000 --> 39:16.000] And thank you to all the listeners.