Managing cyber risk at NHS trust board level
On 3 November, techUK and member Reliance acsn hosted a roundtable to discuss cyber security and its implications for NHS trusts. The aim was to:
- Understand NHS trusts' perspective of the challenges they face
- Formulate basic advice to NHS trust boards on how to manage cyber risk.
Those present at the roundtable were representatives from NHS trusts and NHS Digital, and subject matter experts from the cyber security sector.
Participants considered the following questions in open discussion:
- How do NHS trusts view cyber security and how do they relate it to business risk?
- What advice would best serve NHS trusts to manage and have control over cyber risk?
Here are some of the emerging themes:
- Keeping on top of emerging technology is a constant challenge, as is the demand for integration and interconnectivity of disparate systems, often running unsupported software, which presents a paradox in terms of security.
- Trusts differ widely, in terms of size, funding, responsibility etc. A one-size-fits-all approach is therefore unlikely to work. The centre has an important role to play in providing advice as well as centralised capability, but the dynamic of this role is not fully refined. What should be provided by the centre and what locally is still not defined clearly.
- Managing legacy systems remains a particular challenge. NHS trusts have a mix of OT and IT which makes cyber defence particularly complex. Underinvestment in technology has exacerbated the problem of legacy equipment and systems. The NHS should commit to investing in core infrastructure and skills to ensure it is in the best position to manage risks around that infrastructure.
- A senior leadership community on cyber is absent. Such a network between trusts and other NHS bodies would facilitate the sharing of best practice and lessons learned. A community/platform through which SIROs can come together/communicate would also help. There is also too much confusion around different roles – SIROs, Caldicott Guardians, CISOs, other IT leads – and how they relate to and complement each other.
- ‘Translators’ – tech experts able to communicate effectively to generalists – would help boards understand cyber. Cyber comes across as a specialist subject. Language is often technical, couched ‘in fear’, and does not easily correlate to the business, which makes it difficult to judge risk appetite. It needs to be more accessible. Boards need to take time to engage intellectually with cyber as they have with other complex business disciplines such as finance. Boards should not be afraid to appoint directors with technical understanding.
- The increase in remote working as a result of COVID-19 has changed the threat landscape. BYOD (Bring Your Own Device) has increased, introducing new vulnerabilities. The cyber threat has evolved since WannaCry and will continue to do so. Trusts need to get the basics of digital hygiene and resilience (legacy management, authentication, access controls etc.) right.
- The NCSC provides excellent guidance both generic and specific to NHS trusts. This includes generic advice to boards on how to manage cyber risk. There is a need however to provide guidance for NHS trust boards that answers the specific challenges they face.
WannaCry: Reflections on where we are now
The roundtable included a presentation on WannaCry, lessons learnt and their relevance to the current threat landscape. The following points were made:
- WannaCry was not a new phenomenon. The NHS had experienced previous attacks. The difference with WannaCry was its velocity and scope.
- A lack of basic IT hygiene – failure to patch, poor infrastructure design, basic IT disciplines that were not followed – exacerbated its impact: a lesson to boards to resource the IT function to run optimally.
- Leadership is key to managing a crisis. It is the responsibility of each statutory organisation to ensure they are able to cope with the challenges they have as an organisation.
- It is recommended that boards nominate a qualified leader to oversee cyber risk and treat it no differently from any other business risk.
- Boards should leverage the digital knowledge of non-executive directors and encourage those who are literate in cyber onto trust boards. They can play an important role in educating boards and bringing lessons and experience from other sectors.
- The NHS nationally has done great work around the cyber security operations centre, centralised delivery of O365/Windows 10 and putting in place technologies to enable national monitoring. The introduction of CyberEssentials should continue to raise standards.
- WannaCry challenged trusts' willingness to communicate and collaborate on cyber. Some participants were not convinced that trusts were cooperating within their Integrated Care Systems. “We can’t mitigate every risk. We need to be prepared for our response when an attack hits.”
- Cyber is not an issue about technology. It is about governance, process and above all people. The biggest risk factor was not technology, but “the individual who allowed the ransomware in”.
- There is a concern that the lessons from WannaCry are being forgotten despite the threat being still there.
- Investment needs to be a part of standard budgeting by trusts and not national funding.