Data security isn’t just a technology issue

NHS Digital highlight the importance of protecting information and data in the NHS and why NHS staff must be trained in knowing system vulnerabilities

Whilst NHS organisations can, and should, have solid cyber security measures in place, no system is completely impenetrable, as seen by the recent high profile attacks on major global companies. The cyber security attack on 12 May 2017 affected a wide range of countries and sectors across the globe, and the fact that it affected more than 40 NHS trusts was a stark reminder of the vulnerability of inadequately updated IT systems.

It also reinforced the importance of being vigilant and not opening emails that look suspicious or are from unexpected sources with links or attachments.

A small number of organisations in the NHS were infected by the ransomware, but news of the cyber attack had a wider impact as other services closed down their systems as a precaution. Most of these organisations, whether they were trusts or GP practices, followed NHS Digital’s guidance and put the ‘patches’ in place to protect systems.

Although there is always more to learn, doctors, nurses and backroom professionals pulled together and worked incredibly hard to keep services running and to get everything back to normal as swiftly as possible.

Safer, more efficient care
Modern healthcare relies on good IT, which has been developed in partnership with end users and clinical informaticians, so that it provides the intended benefits of delivering better and safer care more efficiently.

Manpreet Pujara is the clinical director for Patient Safety at NHS Digital. Together with the clinical safety group, he is responsible for ensuring that the health IT systems that are developed and deployed for use in England meet the recognised SCCI safety standards. He is also a member of the RCGP Health Informatics Group (HIG), which advises the college and other professional bodies on issues relating to the development and use of information management and technology in general practice.

The Wanna Decryptor malware that was the culprit of the May attack spread across the world infecting computers in 74 countries in Europe and Asia. For the NHS, some patient records, appointment systems and medical equipment were rendered inaccessible. As a safety measure many GP surgeries were advised to switch off their systems and disconnect them from the network.

Manpreet said: “There are several lessons we can learn from this. Chief among them is the role of practices and individual users in keeping the system safe. Every single device needs to be patched with the latest software. IT provided by CCGs and Commissioning Support Units should be maintained by them, but if GPs have bought other systems, for example telephone systems that run on PCs, then that’s their responsibility. You can’t just install something and forget about it - particularly if it’s connected to your network.

“And while filters remove the majority of malicious emails, occasionally one gets through, so we all need to be sensible. Though Wannacry was not the result of a spam email, it’s important that we ask ourselves ‘Was I expecting this email? Does it make sense? Does the sender normally send an email like this?’

“If the answer to any of these questions is ‘no’, then don’t open it, and don’t click on any links within suspicious emails. Don’t get tempted to look. ‘If in doubt - block it out’ and forward as an attachment to spamreports@nhs.net.”

Cyber security
Keeping patients safe isn’t just about preventing cyber attacks however. It’s also about employing best practice in how IT is used.

Manpreet explains: “We heard of one organisation that was using NHSmail to cancel CT scans. Whilst NHSmail was never designed for this purpose or for referring patients, an organisation may think it is a reasonable use of the system, but only if they have considered adequate business continuity processes and assessed the clinical risk should NHSmail not be available as happened in November 2016.

“In one instance a CT scan booked for 3pm was cancelled by email at 2.55pm without assessing and considering the risk that the email may not be read and acted upon in time. In this case the scan went ahead, and a patient was needlessly exposed to radiation. This is why patient safety must always be considered and the SCCI standards met by those that develop and deploy health IT.”

Manpreet has some ideas on how to ‘professionalise’ IT use - encouraging every member of staff with access to IT to undergo regular information governance (IG) and security of IT systems training. Consideration should also be given to enabling ‘fixed’ desktops across the practice so that unauthorised software cannot be installed without the system administrator’s approval.

He says: “These sorts of measures are necessary, not least because of ‘Personalised Health and Care 2020’, a set of programmes commissioned by the Department of Health, NHSE and the National Informatics Board to ensure that by 2020 the NHS minimises its use of paper and is ready for a digital world. IT is changing the way we work, and clinical informatics is central to keeping our patients safe. If we don’t keep our systems up to date, and if we don’t use them properly, we can’t look after our patients.”

Since the attack happened, NHS Digital’s cyber teams have continued to listen, learn and offer support. They are working closely with provider organisations to ensure that they listen to their experiences and use this feedback to strengthen their services.

Manpreet explains: “We need to invest in people, across all disciplines, because data security isn’t just a technology issue or just something the ICT team have responsibility for. Leadership is key in ensuring data security is embedded across an organisation, we all have a part to play but those in senior roles can have a significant influence to make sure that things are put in place sooner rather than later.

“However, cyber security is the responsibility of everyone in the NHS. You wouldn’t leave your front door unlocked, but not having a secure password on your computer is the cyber equivalent to doing just that. It’s important that all staff within the NHS take some basic and sensible steps to keep digital information safe.”