Cybersecurity will always be needed for the NHS, but what is the current threat level and what can be done to mitigate these threats?
Cybersecurity is always a hot topic in the NHS, with huge amounts of personal data possibly at risk. The WannaCry cyberattack in May 2017 was an example of the risk faced by the NHS.
A report from the Department of Health and Social Care revealed that the attack led to the cancellation of 19,000 appointments, with an estimated 1 per cent of care disrupted. While this might not seem like a lot, it is estimated this cost the NHS around £19 million in lost output. The estimated cost of IT support during and after the attack amounts to £73 million. With record backlogs, the NHS cannot afford to cancel appointments on a large scale. Nor can it afford millions of pounds of unexpected IT costs.
80 hospital trusts and 8 per cent of GP practices were disrupted after ransomware locked users out of digital systems and medical devices. The attack was brought to an end by a cyber researcher activating a kill switch.
A National Audit Office investigation into the attack looked into the impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department and NHS national bodies responded to the attack.
The report found that the Department was warned about the risks of cyber attacks on the NHS a year before WannaCry and, though work was underway, it did not formally respond with a written report until July 2017.
Risk and prevention
So what is the cyber risk to the NHS now and what can be done about it?
NHS Digital says: “Cyber threats are constantly evolving and always present, so digital health and care organisations must remain prepared and ready to respond. We provide a range of specialist services that help NHS organisations manage cyber risk and to recover in the event of an incident.”
NHS Digital regularly publishes cyber alerts, with recent alerts including “OpenSSL Vulnerabilities Impact Multiple Cisco Products” and “AliveCor KardiaMobile Vulnerabilities”, as well as several security update announcements.
Threat intelligence bulletins are issued to users registered on the “respond to an NHS cyber alert” service, either when a threat is assessed as high-severity or weekly via email.
Cyberattacks are of course still a real threat, especially with even more reliance on digital systems and technology. Cyberattacks can cause low to serious disruption to patient care and services and also present a serious risk to patient data.
Several things are needed to improve cyber resilience, including tools, organisations and people, and none can be used in isolation.
NHS SBS’s Cyber Security Services Framework provides a range of external support services to help NHS organisations manage cyber risks and recover in the event of a cyber security incident. The Framework runs from 12 May 2020 - 11 May 2024 and can be used by the NHS, local authorities, emergency services, educational sector and all public sector organisations located across the UK.
The Framework has three lots: Lot 1, Emergency Cyber Incident Management; Lot 2, Cyber Security Consultancy Services; and Lot 3, Security Personnel.
The Framework offers several benefits, including that it is supported and approved by NHS Digital who provide detailed input into specification and evaluation. Lot 1 Emergency Cyber Incident Management offers specialised suppliers with the option to offer time-critical response 24 hours a day. It also offers the opportunity to appoint providers on a regional or national basis.
There are 25 suppliers on the framework, including SME specialists and multi-national providers. The framework offers the ability to direct award, providing a quick route to market to meet requirements. It also offers mini-competition, which can help drive competitive pricing. The fixed public sector framework pricing offers competitive rates.
On top of this, all appointed suppliers have mandatory certifications, including Cyber Essentials Plus or equivalent.
Lot 1 Emergency Cyber Incident Management includes the provision of urgent incident response capability for large-scale or local incidents.
Lot 2 Cyber Consultancy Services provides the specialist support needed to enhance an organisation’s cyber credentials. This could include Data Security On-Site Assessments, Security Testing, Technical Assurance, Forensics and Investigations, Policy Development, Awareness and Training. This could be useful for an organisation with a requirement to access ad-hoc or ongoing advisory support.
Lot 3 Security Personnel enables the supply of specialist personnel to support existing in-house capability. The aim of this lot is to support organisations to reduce their exposure to threats, improve security defences and provide resource support to respond to cyber incidents.
Aside from services, tools and personnel that you can source, there are ways you can improve cyber security at an organisation level. For Cyber Security Month, Mike Fell, NHS Digital’s executive director of national cyber security operations, laid out his top security tips for health and social care workers. He said: “From email and social media to online banking and shopping, it has never been so crucial to take vital cyber security steps to prevent criminals getting hold of data, devices and accounts.
“Here in the NHS, getting cyber security wrong has the potential to cause significant impacts across the health and care system.
“If a GP can’t access their system, they may not be able to share life-saving prescriptions with pharmacies or critical information with hospitals. Similarly, cyber attacks can cause cancelled appointments and surgeries, possibly resulting in care diversion to other hospitals.
“Cyber security is as important as health and safety, and in just the same way it’s the responsibility of every person in the NHS to understand security risks and what they can do to reduce them. Fortunately there are a few simple steps we can all take to ensure we stay cyber resilient at home and work.”
Regularly sharing information and tips with your colleagues is a great way to improve your cyber security.
Fell’s top tips include using a strong password, as a more complex password is more difficult to crack, and making sure you always lock your computer or mobile device when you are away from it. He also warned people to be aware of phishing scams, which can attempt to steal information and are getting more sophisticated.
Fell also pointed out that it is important to keep up to date with data training, as well as to make use of the resources that are available to promote and improve cyber security.