Cyber security in the NHS

Following the recent news of Northern Lincolnshire and Goole NHS Foundation Trust having to shut down their computer systems due to a cyber attack, Dan Taylor, head of security at NHS Digital, looks at the relationship between cyber security and patient care

Cyber security is a hot topic in the NHS right now, but it seems to invoke one of two reactions in a lot of people – either concern about whether the IT team has everything under control, or a disinterest because the IT will have everything under control. Neither is helping us to ensure that our information is safe and secure, and both could be inadvertently affecting patient care.

‘Patient care?’ I hear you ask, ‘but cyber security is about computers and nerdy computer hackers… it isn’t patient care, it’s technical folk buying expensive software.’

Cyber security can and is affecting patient care, and it isn’t just the responsibility of a few experts who know about computer programming, it is the responsibility of every single person working for our NHS.

People and cyber threats
I head up security at NHS Digital, and one of my jobs is to work with a team of specialists to deliver CareCERT services to health and care – a set of tools and services to help health and care organisations to make the best decisions about cyber security and to support the system to protect their information.

We know that the threat of cyber attacks on the NHS is rising, as it is with every other sector. We also know that often the NHS isn’t a particular target for these attacks, which are simply looking for vulnerabilities in any system across any sector. So my job is both to set up appropriate protections and services nationally, and also to help NHS organisations to make the best choices about their own cyber preparedness.

Whilst central expertise can and does support the NHS to keep its information safe, by far the most common shared factor in successful cyber attacks is people. And as the NHS has 1.3 million staff then that is both a big risk and a massive opportunity. Great cyber security does of course involve good technological solutions, but we also need each member of staff to take sensible action to keep information safe. When you combine strong processes, great technology and engaged and committed staff, we call that defence in depth.

So this means supporting staff with the right training and knowledge so that they understand their responsibilities and also working to change the culture in each organisation so that good cyber hygiene becomes as important as good hand hygiene.

Some of these steps are simple – having good, strong passwords and keeping them safe; not clicking on unverified links; not using your work computers for personal use and not using common passwords shared across work and personal networks.

Protection through CareCERT
So, how does CareCERT support the NHS to protect itself? Firstly we work on a national level, monitoring national systems and networks and ensuring that the right security is in place and that vulnerabilities are recognised and remediated. But apart from people, another threat to the health system is our design as a devolved system, meaning that there are thousands of different networks running locally, which NHS organisations have individual responsibility to protect. The rest of our services are designed to support local organisations to make the best decisions about their own cyber security, taking into account that nobody has a blank cheque or an unlimited pot of money, so we have to make sure that where NHS organisations do invest money they do so wisely, getting the best possible return on their investment.

CareCERT began in 2015, but has recently expanded its services to offer a wider range of support. The idea of CareCERT is that it provides the health and care with sensible national support and solutions where it is possible to do so, without taking over the responsibility that each individual organisation has for protecting its own information. The main things that we offer or will soon be offering are:

CareCERT Broadcast - CareCERT Broadcast launched in October 2015 and analyses threat intelligence from a variety of sources, before producing and broadcasting relevant, focused advisories to health and care organisations.

The idea of these broadcasts is that they help organisations to be aware of the threats out there, and to be able to take sensible precautions to prevent them from having an impact. We know that organisations acting on these broadcasts have seen dramatic reductions in the number of threats to their systems. To use the analogy of burglaries, Broadcast is about telling people that there are specific criminals in the area, and giving sensible advice about how to strengthen the protections in their home, protecting their belongings by ensuring that sensible security precautions are in place.
Organisations following broadcast advisories are effectively making sure that their doors and windows are locked and their valuables kept out of sight.

CareCERT Assure – CareCERT Assure is a free service designed to test organisation’s own cyber preparedness. It offers an individual assessment and the result is a report which will outline key vulnerabilities and provide a set of recommendations to reduce these risks to to technology and data. The report will also help organisations to decide where best to focus efforts and investment for the greatest return.

CareCERT React - CareCERT React is a support service to provide swift, professional guidance and advice in the case of a cyber security incident. It will provide specialist expertise to support organisations to take decisive actions to reduce the impact of any incident, as well as supporting organisations to bring the right expertise in to offer longer term support. CareCERT React has a team of specialist security advisors in place and offers both a helpline and, where required, an on-site service.

CareCERT Knowledge - CareCERT Knowledge is a new e-learning service relating to data/cyber security, information governance and information management. The aim is to inform health and care staff of their personal responsibility for data security and to support them to make sensible day to day decisions that help to protect information. The service will offer a range of levels of training so that there are modules suitable for staff who have no direct expertise in cyber security, along with modules which will offer advanced training for specialists.

We work on the basis that all of our services should be driven by the needs of health and care organisations, so we are always open to hearing additional ideas about what would offer the most support to health and care organisations.

What we aren’t here for is as a regulatory organisation, or to point the finger at organisations or to lay blame. We want to be a trusted advisor and to support organisations to protect themselves.

Our aim is to provide a responsive and supportive service and I would urge people to get in touch if they have any concerns about cyber security and think we could help or offer advice, regardless of whether we seem to offer a service that fits your exact needs. We are always happy to offer advice and we are committed to support health and care organisations to protect their systems and services, as a trusted advisor for cyber security issues.