By Dr Saif Abed, Chief Medical Officer and Healthcare Cyber-warfare Expert at BridgeHead Software

GDPR. It is probably one of the most talked about pieces of regulation in the past decade, such was its impact on people’s inboxes when it came into effect in May 2018. However, all the attention and media coverage of GDPR actually meant that an equally important, and arguably more relevant piece of regulation for healthcare, seemed to slip almost completely under the radar. You’d be forgiven for not being aware of the Network and Information Systems (NIS) Directive. Despite, it being allocated the same level of fine as GDPR, and fully adopted in the UK as regulation, it has garnered nowhere near the level of attention it deserves.

What is the NIS Directive and why does it matter?

The first thing to say is that the NIS Directive is really all about service resiliency and security for national critical infrastructure, which immediately means the NHS is in its scope. There is an expectation that healthcare providers (referred to as Operators of Essential Services) need to be able to demonstrate that investments are being made that minimise the impact of service downtime due to a cyber-attack (e.g. ransomware). These expectations also apply to healthcare IT system suppliers who are referred to as Digital Service Providers (DSPs). And there is particularly scrutiny of cloud-based solutions.

What should NHS Trusts consider in building a more resilient ecosystem?

With the NIS Directive in mind, what should NHS Trusts consider as part of their first steps towards building a more resilient ecosystem? A resilient system, needs to keep its weak-points and vulnerabilities to a minimum. That is, of course, easier said than done, but a common challenge we are addressing at BridgeHead is the ever-present issue of legacy applications.

Legacy applications are often unpatched and unsupported systems that can number into the hundreds having been accumulated over many years. Each of these applications is a way into the network for an attacker to cause untold disruption and chaos. Over and over again, we are now seeing the short and long term consequences of networks and systems being disrupted. In the short term, ambulances are diverted and appointments cancelled, invariably causing risk to patient safety. In the longer term, it can sometimes take months for hospitals to fully recover from attacks and resume normal operations.

By identifying high risk legacy applications, we work with Trusts to decouple clinical data from them and store it instead in our Independent Clinical Archive (ICA), HealthStore®. These applications can be then be retired while the original data becomes more secure and easier to navigate to for clinicians whether as a part of routine work or recovering from a cyber-attack. Over time, the legacy application footprint can be whittled down creating a more resilient digital hospital ecosystem – exactly as sought by the NIS Directive.


Dr Abed is a medical doctor and healthcare cybersecurity/national security expert. He is a recognised healthcare IT subject matter expert with a primary field of specialisation in cyber-warfare and crime targeting public sector healthcare systems. He holds expert roles at the European Commission, World Health Organisation and UK Government’s Infrastructure and Project Authority.


For more information, read BridgeHead’s latest cybersecurity whitepaper entitled “Legacy Applications: A Healthcare Cybersecurity Nightmare”.