New Cyber Strategy for the NHS

In March, the government set out a new strategy to protect the NHS from cyber attacks. HB looks at what it involves

The government has announced that it will provide a plan to promote cyber resilience across the health and care sectors by 2030 and protect services and patients.
The plan aims to ensure that services are better protected from cyber threats, further securing sensitive information and ensuring patients can continue accessing care safely as the NHS continues to cut waiting lists.
The aim is for all health and social care organisations to achieve cyber resilience no later than 2030.
Through good cyber security, it is hoped that organisations are better able to manage their cyber risk; organisations are better able to protect their patient, service user and staff data: organisations can more quickly respond to and recover from a cyber attack; and people’s trust in the digital systems is increased, so technological innovations can be applied with confidence.

Cyber resilient health sector
In a foreword to the strategy, Phil Huggins, national chief information security officer and Mike Fell, executive director of national cyber operations said: “In an increasingly digitised health and social care service, patients and service users remain at the core of our vital work helping create a cyber resilient health and social care sector to 2030. While every health and social care organisation must take responsibility for its own cyber security, with national cyber security teams setting direction and providing central support, we must work as one across the system to further cyber resilience to improve the safety of the people we care for.
“Although our cyber defences have improved over the past years and especially since WannaCry in 2017, we know we still have further to go. The 5 pillars in our strategy focus our approach on the most important risks to our most critical systems, while growing our cyber workforce so that we can better tackle threats in the long term.”
The strategy acknowledges that healthcare is more digital than ever before. Over 40 million people now have an NHS login and over 50 per cent of social care providers now use a digital social care record.
According to the Department of Health and Social Care, progress has been made in recent years, and the sector is now much better protected than it was at the time of the WannaCry cyber attack in 2017.

Cybersecurity as part of care
The strategy also recognises that cybersecurity – protecting devices, services and networks and the information on them from theft or damage – is an essential enabler of providing care and ensures the safety of patients and their information.
In secondary care, devices and systems that need protection include diagnostic machines such as imaging scanners and systems that let hospitals know which beds are free, while in primary care this includes patient booking systems, call and recall facilities, and electronic prescription services.
NHS trusts now have a direct link to NHS England’s Cyber Security Centre (CSOC), which provides real-time protection of any suspicious activity to approximately 1.7 million devices across the NHS network. As well as this, around 21 million malicious emails are also blocked every month.
Health minister Lord Markham said: “We’re harnessing the power of technology to deliver better, safer care to people across the country - but at the same time it’s crucial we’re also bolstering the defences of our health and care services.
“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future.
“This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.”
The strategy sets out different areas of responsibility: health and social care organisations are responsible for their own cyber security; national cyber security teams are responsible for setting direction and providing central support; and ICSs are responsible for bolstering the cyber resilience across their area.
However, a unified and collaborative approach is key to improving sector-wide cyber security.

The new strategy includes 5 key pillars to minimise the risk of cyber attacks and other cyber security issues, as well as to improve response and recovery following any incidents across health and social care systems including for adult social care, primary and secondary care.
The five strategies cover identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function; uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimising disruption; and building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognised, and relevant cyber basics training is offered to the general workforce. The remaining two are embedding security into the framework of emerging technology to better protect it against cyber threat and supporting every health and care organisation to minimise the impact and recovery time of a cyber incident.
The five pillars explained above are listed as: focus on the greatest risks and harms; defend as one; people and culture; build secure for the future; and exemplary response and recovery.
The desired outcomes for pillar 1 by 2030 are: a common understanding of risks and how they may vary is shared across the sector; visibility of the attack surface is increased; cyber security mitigations are proportionate to the threat and potential harm; and powers under NIS regulations are clearly understood and used proportionately to address cyber risk and improve resilience of the most critical organisations. This will be achieved by creating a common language for measuring and recording cyber risk; developing and improving national capabilities to maximise sharing of information, services and products across the sector; and gathering data using national systems to build a system-wide threat picture, setting out proportionate mitigations for key risks and harms.
The desired outcomes for pillar 2 by 2030 are: health and social care organisations work in partnership on their cyber security, sharing data, learning and resources to improve sector-wide resilience; threat intelligence and detection across the NHS is co-ordinated nationally for rapid response and alerting; national teams set clear expectations of leaders and boards on the organisational risk they are held accountable for and implications for the wider sector if those risks are realised; and leaders and boards make full use of available services to respond to the greatest risks and harms to their organisation. This will be achieved by making clear roles and accountabilities to cyber risk across the sector; collaborating with partners across government, the care sector, commercial third parties and academia as well as across local organisations to ensure alignment and share learning and providing central support to cyber security initiatives aligned with national and government priorities.
For pillar 3, the desired outcomes by 2030 are: cyber security is recognised as a vital profession within health and social care; the NHS attracts and retains a diverse cyber security workforce; a ‘just culture’ for cyber regulation is championed across the system; and everyone understands their role in ensuring good cyber security and acts accordingly. To achieve this, national and regional cyber security teams will: clearly identify roles and responsibilities to manage cyber risk, making clear that cyber security is essential to patient and service user safety; embed cyber security decisions into multi-disciplinary national and regional forums to ensure a holistic cyber security culture; and deliver on a plan to grow the cyber workforce and embed a cyber profession across both the health and social care sectors, including in developing career pathways for cyber.
The desired outcomes for pillar 4 by 2030 are: organisations understand emerging risks and how to manage them; the critical supply chain risk is managed and resilience is increased across the critical health and social care supply chain; new services, support and standards are secure by design; and standards, underpinned by the CAF, are clear, understood and aligned. This will be achieved by working flexibly to adapt as new threats and requirements emerge, including developing horizon-scanning functions to anticipate future threats and opportunities; developing engagement with our most critical suppliers, not limited to software providers, to assure their cyber security; and developing pathways to improve communication with and across critical suppliers when responding to a cyber event or vulnerability.
Finally, the desired outcome for pillar 5 by 2030 is that national, regional and local responses to a cyber incident minimise the impact of a cyber attack on patient and service user care. To achieve this, national and regional cyber security teams will: publish expectations for incident response and reporting; lead on national incident response ‘dry run’ exercising, applying and developing plans for responding to and recovering from, a cyber attack; work with the NCSC to manage the technical response to a sector-wide attack.
The full implementation plan is set to be published in summer 2023 and will outline the detailed activities and defining metrics to build and measure resilience over the next two to three years.
National cyber security teams are also set to work with local and regional health and care organisations to achieve the visions and aims of the strategy. This includes enhancing the NHS England CSOC, publishing a comprehensive and data-led landscape review of cyber security in adult social care, and updating the Data Security and Protection Toolkit (DSPT) to empower organisations to own their cyber risk.

The strategy outlines the threats that the health and social care sector resists every day: phishing and other malicious emails; automated scanning for common software vulnerabilities; and attempted fraud.
The most significant cyber threat is identified as ransomware. The strategy explains that this is used in profit-seeking attacks, very often staged by organised criminal groups. However, the increasing proliferation and commercial availability of ‘ransomware as a service’ means that attacks are no longer limited to sophisticated groups.
Ransomware attacks can lead to the complete loss of clinical and administrative IT systems, which in turn, results in disruption to health and social care services, such as postponed operations, diverted ambulances and forcing staff to use paper-based contingency measures without access to electronic health records.
Research by the US Cybersecurity and Infrastructure Security Agency (CISA) showed that US hospitals that had suffered a ransomware attack were more likely to suffer worse health outcomes, including increased mortality.
However, ransomware attacks are increasingly being used for data theft and extortion with the threat of data leaks.
Other potential threats include state actors seeking to access sensitive information, or people working in or near to the health and social care sector seeking to misuse their privileged access.
The listed threats pose a risk to patient and staff safety, as well as to public trust in the system.

Though the NHS is in a better position to defend against cyber attacks than previously, some challenges still remain. Some challenges are the same as those faced by other sectors, including recruiting and retaining a workforce with the right skills, adapting to new technology and moving away from legacy devices. However, other challenges are particular to the health and social care sectors, including the size and complexity of the system, its geographic distribution across the nation and the layered nature of its governance.
High operational pressures mean it can be challenging to prioritise finite resources to address competing risks, priorities and pressures in a sector with varying working environments and high operational demand with many systems required to run 24/7. This has been exacerbated by pressures caused by the pandemic.
The size and diversity of the sector means it is difficult to set standards that can apply universally.
Supply chain vulnerabilities are also a factor that needs to be taken into account. Providers use many suppliers, and these suppliers have their own supply chains, creating multiple layers of risk.
Unclear accountability means health and social care leaders may find it difficult to dedicate time and resources to their organisation’s cyber security.
As well as this, a UK-wide shortfall of cyber professionals means it is difficult to hire and retain the experts needed to improve cybersecurity.
New digital, data and technology mean it can be challenging to ensure the cyber security of new products. On the other hand, legacy technology can be challenging to monitor and replace as it becomes outdated and more vulnerable to cyber attacks.
Lord Markham said: “Our vision and aims are ambitious and will require engagement at all levels of the health and social care sector. We must build and maintain this engagement in the shared understanding that cyber security is a foundational business need that we must prioritise if we are to ensure patient and service user safety.”
Huggins and Fell added: “Our strategy to 2030 will allow us to work flexibly and adaptively in response to a changing world. Our Cyber Futures programme will take the lead, bringing forward important initiatives to make the 5 pillars of the strategy a reality. We are committed to publishing a detailed implementation plan to illustrate the progress.
“This strategy and the operations underpinning it directly support and enable better health outcomes. Improved cyber resilience will assure availability of services, protect valuable data, and build patient and service user trust in our systems. This is an ambitious body of work, but working collaboratively across the system we can have a genuine impact on people’s safety and wellbeing in assuring the vast and varied digitised care and support services provided across the sector.”