NHSX could transform NHS security capabilities

The health sector is increasingly confident that NHSX can deliver a streamlined, effective cyber security policy for the health service

Since its launch earlier in 2019, NHSX has kicked off a number of initiatives in areas such as screening, mental health and patient data, and stakeholders are increasingly confident that the new digital strategy unit will have a transformative effect on the NHS’s cyber security capabilities, according to Saira Ghafur, digital health lead at Imperial College London’s Institute for Global Health Innovation.

Speaking at a Westminster E-Forum event on cyber security, Ghafur said oversight of cyber security in the health service badly needed to be streamlined. “NHS Digital, NHS England and others have all had cyber security accountabilities that make it very difficult for frontline organisations to respond,” she told the audience. “There is a lot of hope in NHSX bringing this together and streamlining capabilities.”

NHSX, which is run by Matthew Gould, a former Cabinet Office cyber security head who also helped to set up the UK’s General Data Protection Regulation (GDPR) implementation when at the Department for Digital, Culture, Media and Sport (DCMS), brings together responsibility for policy, implementation and change in digital, data and technology across the health service in England.

Ghafur said there are multiple factors that made keeping on top of basic cyber security hygiene harder for NHS organisations. These include a wider lack of investment and, by inference, more legacy, insecure infrastructure; huge quantities of sensitive personal data; multiple users and stakeholders with conflicting demands and interests; and complex interdependencies between the clinical departments within the NHS that the average patient will touch on their journey through the system.

Many of these may be addressed by Gould’s five key delivery missions for NHSX, which he explained to Computer Weekly in a July 2019 interview.

These are: to reduce the burden on clinicians and staff to let them focus on patients; to give people the tools to access information and services directly; to ensure clinical information can be safely accessed wherever needed; to help improve patient safety in the NHS; and to improve NHS productivity through digital technology.

In the light of the difficulties faced by the NHS in its security posture, said Ghafur, it was perhaps not surprising that the WannaCry ransomware attack had had such a deep and long-lasting impact on the health service. However, she noted, the NHS has made “significant capital investments” in security since then, including upgrades to Windows 10, and the launch of a cyber security assessment toolkit.

Ghafur highlighted several key changes that would help the health service improve its security posture, many of which are outlined in a whitepaper recently published at Imperial and co-authored by herself.

Read more about security in healthcare

“We need increased investment,” she said. “The NHS only spends 2% of its annual budget on IT, compared to 4-10% in other sectors, so if we are to completely digitise the NHS, we need a lot more money to replace infrastructure and secure the devices and equipment we have.

“We also can’t compete with other sectors in terms of attracting cyber security professionals – we need to work with the industry to attract them into healthcare – and all NHS staff need better education in terms of risks.”

Ghafur added: “There is lots of exciting new medical technology coming into play, but we need to make sure it is secure, and at the minute we don’t have minimum cyber security standards, and that needs to be looked at.”

Read more on Security policy and user awareness

Data Center
Data Management