Q&A: Deryck Mitchelson, Director of National Digital & Information Security, NHS National Services Scotland.

"We've seen a 300% increase in cyber attacks since Covid happened".


Deryck Mitchelson joined NHS National Services Scotland in 2018, reporting into the Chief Executive as a central part of the team managing Scotland’s critical national digital health services and infrastructure.

With a transformation portfolio of £120 million and a team of ~400 staff, Mitchelson, an experienced head of IT and CIO now working as Director of National Digital and Information Security, has responsibilities spanning Scotland's digital COVID-19 portfolio, systems development, and shared services (product development, public cloud, information security, managed hosting and cybersecurity) across the public sector.

He joined The Stack to talk cloud migrations, a major cybersecurity programme (including a new centre in Dundee, launching in April) and the 300% increase in attacks NHS National Services Scotland has seen over the year, managing mainframes, third party vendors, and more.

Deryck, what's your role, in a nutshell?

In Scotland, we provide national shared services and national clinical services. So part of my role is managing the NHS in Scotland's critical infrastructure. That's the main national infrastructure that runs the NHS and of course, securing it and making sure that it's highly available.

What does that critical infrastructure look like?

It's huge. We've got cloud-based infrastructure. That's the more modern things we've built: a lot of our Covid response is sitting in the cloud rather than sitting in traditional data centres. We've got GP systems, we've got child health systems. We've got emergency systems. Some of these systems sit within legacy data centres, we've even got some mainframes that we manage and run, which I'd never touched before joining the NHS just over two years ago. So you have a mixture of brand new and systems that are 25 or 30 years old and they're still running.

What projects did you take on when you joined, and what are you looking at over the course of 2021?

I joined just over two years ago. A few challenges were of interest to me and why I came across. We tend to do a lot of things at scale at NSS; we've lots of big programmes that were running, some of which were replacing a lot of legacy. So a lot of systems we were looking to replace with brand new systems delivered as part of public cloud rather than sitting in data centres.

An example of that would be our Child Health Index. Everyone in Scotland, when they're born, they get what's called a CHI identifier associated with them. That's a unique identifier that your health record sits against from the day you're born. We're looking to actually replace it with modern-based systems. We look at that as the crown jewels in Scotland, everything links off that. Components of that will be going live this year.

Another big programme that had come in just before I joined was we'd just signed a contract for Office 365. That was 161,000 licenses that we had to deploy across 22 health boards. A huge deployment.

And then the other big thing I was keen to get our teeth into was looking at national cybersecurity. We'll be going live with a national cybersecurity service from April. So there'll be a centre of excellence built out of Dundee. My hometown. It will be at Abertay University so we can take advantage of the ethical hacking talent we've got there.

To what extent has the pandemic/shift to remote work changed your security landscape?

It's been totally disrupting in many ways and quite rightly the top priority to focus on. [But] we've been delivering the programmes we spoke about at the same time. So we completed our O365 migration from NHSmail. But then we've been looking at how we get hold of testing data: a lot of the data was getting done through the UK government Lighthouse labs, some data was getting done through the NHS Scotland Labs. We've been able to implement a system whereby we manage all the data coming into Scotland. We've put it on a data warehouse so that we can start to understand what the hotspots are. We were starting to see clusters, outbreaks, etc.

Cyber's been a huge challenge since Covid's happened. We've seen a ~300% increase in cyber attacks since March 2020.

We built our case management system as well for Scotland so that we could do contact tracing. We delivered very quickly in about six weeks and then established a 2,000-strong contact centre in order to do all Scotland's contact tracing. Since March, we've seen a huge increase on the cyber threat that goes alongside it. And of course, we've increased our threat landscape considerably with pushing new services out at pace into the cloud. So securing these systems and making sure that all the systems we're building are getting designed with the appropriate security and monitoring in place is a constant focus.

Sounds like it's been a heavy workload and had to be delivered at pace. How much has been built in-house by your team and how much outsourced?

I've got a team of about 400 that's under NSS. It's a considerable team. Some of the territorial boards that do frontline health care tend to be bigger teams delivering services, but other than providing blood services, we don't tend to do frontline services. The majority of the work we do, we do internally. We partner with organisations around areas of expertise.

So we partner with ServiceNow around building case management systems; with Check Point around security and how we can actually make sure that information is safe. We bring on contractors when we need to but it's predominantly delivered internally. The vaccine system we're building at the moment that will go live on Wednesday [January 20] has been built between a mixture of my own ServiceNow team and ServiceNow themselves who came on as a partner to help us deliver that very quickly.

I suggest it's probably insource first. But make sure you've got the right level of external expertise built on top of that.

In terms of the threat environment, what's your approach in terms of team, tooling, et al.? What kind of team do you have in place? Do you outsource Red Teaming, SOC work?

When I joined we had a fairly small cybersecurity team, it was about three staff actually doing incident response and threat intelligence and detection type work. We had some other staff doing data protection and other aspects of information security. We're now coming up for a dozen people working in the cyber areas of expertise. A lot of that is because, as I said, we're going live in April with this cyber centre.

We've been looking at tooling at the moment. We've got some tooling that we use to protect things like email, to understand what's happening with phishing, to get threat intelligence. We've got good next generation firewalls and cloud-based protection such as Check Point Maestro, for example; we're in the process of looking at opportunities for what tooling we might need to put in that becomes our SIEM: our main intelligence system, that we could actually start to push all of our data and all of our logs and all of our intelligence onto so that we can automate that as much as we can.


The Red Teaming we've done so far, we have joined up with third parties to get involved in these sort of things so we can get up to speed. And I think that's the sort of model we'll go forward with as we start to mature the cyber centre itself; as I said, about 12 people or so from April. We see that building up to certainly double that by the end of the next financial year. Conversations with Scottish government have been around how we might be able to expand the capability to provide services that are much bigger than health care. So we might be looking to see if local authorities would be interested in using that same [cybersecurity] service and then potentially as well, some of the other public sector agencies.

We don't see ourselves working in the justice sector. We think that will be maintained by courts, by police, etc. But I think the rest of the public sector, there could well be synergies with joining up. The more we join up, the more bang we get for the buck; the more efficiently we'll be able to deliver this type of a service. One of the big Scottish government agencies was compromised over the Christmas period. And I think that just brings it home as to how things like ransomware can creep up and, before you know it, suddenly become a big impact on operating in your business.

Ransomware is just rife isn't it? How can you prepare for the threat?

You can be as prepared as you can -- but all you can [really] do is to be prepared to the point that you're going to have to respond to an incident. That's the type of organisation that we want to be for the NHS. We want to be able to respond quickly with an incident playbook so we can recover as quickly as we can from any incident and minimise any impact. A lot of people saw press reports in October that there was a cyber death in a hospital in Dusseldorf [as a result of a ransomware attack].

That brings it home; it makes it real. I did a presentation last Tuesday to Scotland's chief execs. That's what I was saying to them, that if you're sitting here around the table thinking that 'I've invested in cybersecurity and I'm safe', you need to have a look at that statement. I don't think you'll ever be safe. What you want is to be as prepared as you can be.

Do you think your stakeholders recognise the challenge?

You know what, I absolutely do. I've never come across an organisation where when you've actually made the proper business case linked to operational risk -- obviously in the NHS, operational risk is to do with the impact upon life; my previous employer was to do with the profitability, bottom line, shareholder value, you know, bonuses, etc. -- if you are able to articulate that risk properly, organisations are able to understand that this is what they need to invest in cybersecurity in order to improve it.

You won't get all the money you need on day one, but you can set out a three to five-year improvement programme and start to demonstrate tangible returns upon that investment. When I came into this role here I very much was challenged as to whether I felt that I was able to actually set a programme up and get buy-in from chief execs across Scotland's territorial boards and from the Scottish government. And I've got to say, so far, there's not an awful lot of pushback. There's the usual questions: 'We've invested quite considerably. Have we got to throw X away?' And it's absolutely not. We look at what people invested in: if it's good equipment or good controls or good resources, then you don't start to unpick all these. It's a case of layering defence in depth on top of that. Budgets are tight, but I've never seen anyone yet turn around and actually say that they cannot give priority money to cybersecurity, if you get the messaging right.

The security vendor marketplace is huge and growing ever-bigger. How do you go about selecting suppliers? Is it a case of starting with Magic Quadrants? Framework assessments? How involved do you get?

I do get involved in looking at the tooling, I quite like that and I like the conversations; to get an understanding as to what the vendor is. We do have partnerships with Gartner, so we can speak to them about what's happening in the marketplace. Magic Quadrants are always a good start.

I'm always interested in what's happening in the Scottish marketplace as well. You can get a great product, but if it's not backed up by really good local Scottish-based teams, that gives me concern as to not just how reactive they're going to be, but how proactive they're going to be in understanding our organisation and how our investment with them is actually going to be maximised.

We speak to new vendors on a monthly basis trying to bring them in to understand what they're doing, sharing our cybersecurity programme with them so they can get an understanding as to whether the products are a good fit. I like to have demos that we stick onto secured spaces within our network so we can see how they perform, etc.

Of course, when we get to the point of being able to choose a preferred system we'll always end up going out to a framework as well to actually properly go out to tender, to do a proper evaluation to make sure that people understand success criteria and value for public sector money. I've got some really good technical staff and they get into that technical discussion. I like the relationship: to understand, is this somebody that understands our vision and will work with us to deliver it.

To what extent do you find most software vendors have a good Scottish footprint?

Most of the big companies in the security space have invested in local Scottish teams. I think that's really important. OK, we're doing everything digitally, but I just think that organisations that have got local teams understand the local businesses much better.

It's different operating in Scotland than it is operating in London. My previous role was global. I had teams operating in Singapore, Houston, Beijing, etc. and we had particular local teams because working in these countries and working in oil and gas with local regulations and the local relationships meant we needed to have local teams.

I think software is exactly the same. You can deliver that development capability or the innovation capability centrally. But when it comes down to getting support, it needs to be done locally. Some of the vendors don't have local teams, but they partner with local organisations that are resellers or provide value added.

Can I take you back to some of your legacy tech. What's the plan with the mainframes, for example?

The mainframes in the NHS tend to get a bad press. People look at them and say, 'it's old technology, it's legacy technology': but it's technology that works; it's technology that doesn't go down. What we've got with the old legacy [though] is an inability to actually innovate and modernise and change the way it functions for the modern world.

All the legacy stuff we have got, we've got a roadmap and a strategy to replace and move on to next generation software or systems based in the public cloud. We'll look to retire all the mainframe stuff as soon as we can; not quite sure when exactly that is, but I would like to think it will be within the next five years we'll be looking to have most of the legacy moved across.

For the public cloud we'll typically look to build on top of best of breed systems. So for child health systems, we've actually bought enterprise grade systems that we're then configuring for our use. We're doing the same things with building vaccination systems, scheduling system, case management; it is SaaS and PaaS that we're looking to use. But the legacy stuff: you can't beat it for availability. It tends to be secure as well and gets well managed and it doesn't cost me an awful lot of bother, to be honest.

What's the broader cloud strategy at NHS National Services Scotland? Are you broadly multicloud?

I do an awful lot of work with Microsoft Azure. We took the opportunity to build a national public cloud [strategy] around work we were doing on the Office 365 rollout -- because we were putting in place an identity service across all the health boards in Scotland for 161,000 staff it made sense for us to actually build highly available and secure cloud hosting to run that -- given it was tied back to the Azure AD service that all these accounts were synchronised to, for me, it made strategic sense to actually have Azure as the main cloud that I use. And most of the systems at NSS we were migrating are going into that Azure space. But we are multicloud: a lot of the GP IT vendors that we're working with around modernising the general practice systems are running in AWS. So we've got services running in AWS and interconnections between our wide area networks.


What we've not gone to the point of doing is actually having resilience from one cloud to the next. We've got resilience within Azure; so my Azure services fall over from Azure South to West, so that's London to Cardiff and likewise for AWS we've got resilience built in.

But we might have a look at cross-cloud [resilience] too. There's going to be an overhead in running that, there's no doubt about it; we need to manage the direct connects and express routes. We're going to have teams that manage things like the continuous integration deployment platforms that need to be managed so we can push services into each.

There's definitely an overhead in running the cloud but where we are in the NHS, I think we're always going to be multicloud. You don't particularly want to restrict yourself to one cloud unless there's a good business reason. For example, if there's a Google API or an AWS API which we think adds value to health, we would always look to consider using it.

Is your data lake in the cloud too?

I inherited a substantial NHS data lake when I joined. We've invested a lot of time and effort to make that much more efficient than it was. Some of that is running within data centres and some of that is running within the cloud. Our data science platform -- which we call Seer -- we've built our data science platform so you can put any tool on top of it. You can run Tableau, PowerBI, you can run R Shiny sitting on top of it. It will actually run structured or unstructured data as well. We're in the process of having a look at what aspects of that we move fully into the cloud and will probably start to decommission some of the data centre infrastructure.

But it's been a huge asset: the minute Covid hit, the first thing we did was to push all that data into that data warehouse. Having that capability there meant that we were ahead of all the other nations, as far as we know, to understand what the data was telling us; what we're seeing on a location to location or region to region basis. I think it's shown that it can make intelligent, data-driven decisions as critical in Scotland.
