The health and care sector must ‘up its game’ and improve its cyber security ‘hygiene’. So says a new White Paper on NHS cyber security presented at the House of Lords.
The paper (written by a team from Imperial College London’s Institute of Global Health Innovation and led by Lord Darzi ) makes clear the NHS is still vulnerable to cyber-attack and needs to step up its efforts to protect itself from future attacks.
Increasingly new digital technologies are used in healthcare. Artificial intelligence, networked devices, wearable devices and robotic surgery – all have the potential to transform healthcare. But this means huge quantities of sensitive data are generated and with that comes “enormous risks” .
And we know there is value in patient data: in a recent EY article, Pamela Spence writes that NHS patient data is “a valuable intangible asset desired by multiple stakeholders, a treasure trove of information” and estimates that it has a market value of £10bn.
The report reminds us that cyber security is not just about protecting data, it is fundamental for maintaining the safety, privacy and trust of patients. It is only three years since the WannaCry attack compromised IT across the NHS, highlighting the vulnerability of the health and care system.
The research team, who collated evidence for the report from NHS organisations, make a number of observations for healthcare providers and commissioners to implement in order to increase cyber resilience.
In broad terms, these initiatives include “employing cyber security professionals in their IT teams, building ‘fire-breaks’ into their systems to allow certain segments to become isolated if infected with a computer virus, and having clear communication systems so staff know where to get help and advice on cyber security”.
The report looks at what makes the health sector particularly vulnerable – they have identified five areas:
- Finance: investments to cyber security are not given priority
- Workforce: untrained staff constitute (unintentional) internal threats
- IT infrastructure: outdated and unsupported systems and medical devices increase NHS vulnerabilities
- Cyber security specialists: inefficient incident response capabilities exist due to lack of specialists
- NHS structures: complex structures hinder fast and efficient responsiveness in the face of cyber attack
Securing cyber resilience
It is hoped that the launch of NHS X on 1 July will help to streamline the national cyber security accountabilities for the NHS. Among its responsibilities, NHSX will mandate cyber security standards to ensure all organisations within the NHS family have security protocols from inception. It is also hoped that it will help NHS IT teams implement any national and local protocols.
- The NHS has achieved much in the way of increasing cyber resilience, accountability, new investments and incident response mechanisms.
- Cyber security needs to be viewed as a threat to patient safety and not just an IT issue.
- As healthcare relies more technology, the risk of cyber disruption will significantly increase unless appropriate actions are taken.
- Ensure your staff are "cyber aware and receive proper training so that they are able to combat rather than contribute to cyber security risks in the workplace".
Do get in touch with Stuart Knowles, Jill Weston or Claire Williams if you require support with your cyber security policies and procedures.