NHS Digital enhances in-house cyber awareness drive

NHS Digital has relaunched a cyber security awareness campaign to help staff across the health service understand more about current security threats and how to reduce their overall risk of being compromised.

Following a successful first launch in 2019, the refreshed Keep IT Confidential campaign is the brainchild of NHS Digital’s Data Security Centre and has been designed from the ground up to help the various organisations that make up the NHS to develop and implement their own cyber security awareness campaigns at a time, and in a way, that suits them best.

“Taking small, simple steps such as setting a strong password and keeping your screens and devices locked when they’re not in use, are vital for the NHS and patient safety,” said NHS Digital CISO Neil Bennett.

“Considering cyber security in your day-to-day lives can make a huge difference and help to keep ourselves and patients protected online and in our workplaces.

“We know how busy NHS staff are, so we want to help them understand the importance of cyber security and how it can benefit their working lives in a quick and simple way.”

The online toolkit can be downloaded for free to help health sector organisations learn more about “common sense” security practice and the impact that good security hygiene can have on patient safety. It includes guidance on setting secure passwords, locking devices when not in use, and spotting and mitigating phishing, email scams and social engineering attacks, among other things.

It also covers some aspects of physical building security, such as tailgating, where a malicious actor follows closely behind a staff member through a door or security barrier to gain access.

Newly added features include modules on data security, and being aware of the implications of oversharing information, especially in a healthcare setting.

NHS Digital’s in-house cyber unit offers a range of services to the healthcare sector, from virtual perimeter security to vulnerability scanning and assessment, risk assessment provided through BitSight, incident support and more besides, including frequent updates for hospital IT teams on subjects such as new threats and vulnerabilities, or systems that need patching.

It also played a key role in the establishment of the Cyber Associates Network (CAN), which was set up two years ago in partnership with NHSX. CAN is a peer-led group of cyber experts drawn from across the health and social care sector, who come together to network, develop professionally and share knowledge around improving their organisations’ security without compromising on patient safety. It now has well over 1,000 members.

Although hospitals around the world have been frequently targeted by malicious actors during the Covid-19 pandemic, the NHS has largely avoided any major public incidents, a fact some put down to the legwork done by the health service in the wake of the 2017 WannaCry incident.

In the past few years, various requests made under the Freedom of Information Act by third parties have shown that the NHS has seen a reduction in the number of phishing emails it receives and fewer ransomware incidents, and has improved its security staffing levels. As of the end of 2020, it employed twice as many in-house security practitioners as it did in 2018.