The Department of Health and Social Care has recently released its third progress report on improving cyber resilience in the wake of the 2017 WannaCry ransomware attack.
The report focuses on the following key themes where the Department has made improvements to cyber resilience within the NHS:
1. Strengthening national leadership for cyber security
Through the NHS Long Term Plan and NHSX, the NHS is ensuring that the advanced technologies used in the NHS are secure through delivery of the cyber security transformation programme. Crucial to this progress is the Cyber Security Strategy for Health and Social Care, due for publication in 2020, which will provide an overarching framework for cyber security in the NHS and social care.
2. Addressing cyber security risks and vulnerabilities at local level by taking action at the centre
NHS Trusts are now utilising Microsoft’s Advanced Threat Protection (ATP) to detect and protect against potential threats while the creation of the Cyber Security Operations Centre (CSOC) has provided a national view of the cyber threat across local health organisations. Over one million devices are now registered as using ATP and there is increased capacity to prevent the success of malware and phishing schemes alongside increased capabilities in protective monitoring, threat intelligence and threat hunting.
NHS Digital is working to maintain secure and up-to-date systems. Unsupported and unpatched systems were key risk factors in the WannaCry attack. Consequently, the NHS has ensured extended support for Trusts is in place until 2021, with all NHS organisations having agreed to migrate to Windows 10 no later than December 2020.
3. Understanding cyber security maturity in the NHS
As part of the NHS’s efforts to increase its cyber maturity, it has created the Data Security and Protection Toolkit (DSPT). Consequently, large organisations which do not meet the ‘National Data Guardian’s 10 Data Security Standards’ must now submit an improvement plan to NHS Digital. Most organisations which had not met the standards now have a plan to achieve them.
4. Supporting local organisations to strengthen their leadership for cyber security and to address capacity and capability issues
The Cyber Security Support Model (CSSM) provides a clear picture of the strengths and weaknesses with cyber at Trust level through on-site assessments and training for Board and Senior Information Risk Owners. Key individuals within an organisation now understand the importance and nature of cyber security and risk.
A national cyber communications and awareness campaign, ‘Keep I.T. Confidential’, has also been created. It aims to drive cultural change by educating all NHS staff on the direct impact of data and cyber security on patient care.
5. Applying cyber security standards across the health and care system
NHS Digital has worked with the National Cyber Security Centre (NCSC) to include the requirements of Cyber Essentials in the DSPT. Consequently, from 2020/21 NHS Trusts will be expected to meet the additional requirements in the DSPT, which provide equivalence to Cyber Essentials Plus (CE+). NHSX has also commissioned discovery reports into the technology enabled care sector and the Adult Social Care sector, which provided in-depth pictures of the cyber security risks and challenges these sectors face. The NHS also has new regulatory levers to ensure Operators of Essential Services are taking adequate steps to protect their systems and report any cyber incident or network failure.
6. Continued investment in cyber security
Over £250m will be invested nationally to improve the cyber security of the health and care system in 2021. This excludes money local organisations have themselves invested in their own cyber security. The programme also receives funding through the Cabinet Office’s National Cyber Security Programme and tests innovative approaches to building cyber resilience in health and care settings.
The Securing Cyber Resilience in Health and Social Care Report also highlighted progress against the recommendations made by the CIO in the wake of the WannaCry attack.
Progress Update on CIO Recommendations
- All NHS organisations are to develop local action plans to achieve compliance with the CE+ standards by June 2021. This will be complete by 2021. All NHS trusts, bar one, have had an independent on-site CE+ assessment and have submitted action plans to improve their resilience. The recommendation will continue to be delivered through the new Cyber Security Strategy for Health and Social Care.
- The Cyber Design Authority has reviewed proposals for IT infrastructure standards. Agreement on relevant standards will now progress as part of the strategy owned by NHSX.
- All health and social care organisations have detailed their position against the DSPT.
- The Adult Social Care Data and Cyber Security Programme Report has been published. The report is now improving resilience in adult social care and future work will be taken forward through the new cyber strategy.
- All NHS organisations now have an Executive Director as a data security lead, and cyber security risks are regularly reviewed by the board. NHS Digital also provides organisations with access to the Unified Cyber Risk Framework to help achieve compliance with this recommendation.
- A working group has been established to consider standards for the management and patching of diagnostic equipment.
- It was recommended that NHS Digital appoint a system-wide Chief Information and Security Officer (CISO) and a dedicated regional Cyber Security Lead for each NHS England region. This recommendation is partially implemented, with an interim CISO in place and three of five Cyber Leads in place.
- Boards of NHS organisations are undertaking annual cyber awareness training, and the GCHQ-certified board training programme is being rolled out by NHS Digital. Additionally, NHS staff now receive regular and targeted cyber and information security awareness training, and Health Education England has ensured cyber security awareness training is included in its Building a Digital Ready Workforce.
The NHS has responded well to the WannaCry ransomware attack, which affected 80 out of 236 hospital trusts across England. The incident highlighted the need for improvement in cyber security provisions both within individual NHS organisations and across the system. The ‘Lessons Learned review’, the first review in the wake of the attack, suggested that fundamental changes needed to be made to the cyber security literacy of senior directors.
Clearly, the NHS has made significant improvements since then, and it is encouraging that it plans to increase its capacity throughout the next year. The rollout of ATP and the creation of the CSOC, alongside the efforts being made to support local organisations in strengthening leadership for cyber security, are particularly welcome, as is the introduction of the Cyber Essentials Skills Programme to the NHS.
However, there is more to do. The Cyber Security Strategy for Health and Care, due for release in 2020, will hopefully provide a more overarching framework for cyber security in the NHS. Moreover, the system needs to provide better guidance and information to the leadership of organisations in the NHS.