rvlsoft - Fotolia
The Health and Social Care Information Centre (HSCIC) wants the health and care sector to be ahead of the game in cyber security. It aims to help front-line staff tackle potential breaches, and make its CareCERT programme the “trusted brand” for cyber security in the NHS and social care.
The centre first launched its care computing emergency response team (CareCERT) last autumn, with the full go-live in January 2016. The programme aims to enhance cyber resilience across health and social care by providing incident broadcasts, training and resources to health and care providers.
Dan Taylor, programme director for CareCERT, tells Computer Weekly it always wants to be “one step ahead” of cyber attacks, making sure all organisations in the health and care system are prepared, both in having secure systems and being trained to handle cyber attacks.
“The important thing is to keep health and care ahead of the game in terms of cyber security vulnerabilities,” he says.
Thinking cyber attacks will not happen is an outdated mentality in a digital world, says Taylor.
“Sometimes we shy away from being honest. It may not happen this year, it may not happen for five years, but do we really think, in a digital world, that it won’t happen?
“We shouldn’t be afraid of acknowledging that something may happen. It’s the simple thing that if you don’t prepare for it and you have the mentality that it won’t happen, you’re not prepared.”
The aim is that when an attack does happen, organisations are prepared and can reduce the likelihood of it having a major impact.
Tackling cyber security threats
CareCERT was set up under the Cabinet Office’s national cyber security programme, and although still fairly new, it is already making an impact.
Its main function is to consume threat intelligence information and guidance from a range of sources, triage the information, work out if there is a threat and the likelihood of impact on the organisation facing the threat, says Taylor.
Depending on the likelihood of impact, CareCERT will issue a broadcast, the type of which varies according to the level of risk.
“If we believe there is high risk, we will issue the broadcast there and then, after the right governance is in place, which we normally get in four hours,” he says.
“The broadcast will say there is vulnerability in one of the threat vectors, why it is impacting your organisation and the action that organisation needs to take.”
If there is a medium-level threat, which may not have that great an impact, the programme will send out a weekly broadcast with information and guidance. If the threat is low-level, information will be put into an information-sharing portal, which is currently being trialled.
“We have to make sure we don’t bombard health and care and put a burden on them,” says Taylor. “The reason we triage in that way is so they know when they get a high-severity broadcast from CareCERT, they know it means something and there is a reason to take action.”
Read more about cyber security in health and social care
- NHS IT managers think security measures in the NHS are stronger than they actually are, according to a Sophos study.
- A US hospital reveals that, after a week of being offline, it caved into ransomware demands to restore access to its computer systems.
HSCIC will not manage incidents that happen ad hoc within the system, because cyber security needs to have local ownership and accountability.
If you take the accountability away from people, they may not take the right steps, says Taylor, but adds that CareCERT is there to support them. Should there be an incident affecting multiple organisations, CareCERT has an escalation path, together with its partners and the Department of Health.
“We will work out the plan on how to manage this and will spring into action against that plan, work with those contacts and hopefully brings it to successful remediation,” he says.
Since CareCERT went live, early statistics from two case studies – which Taylor says he cannot name – have shown that the programme already makes a difference.
The two case studies, both in the East Midlands, have looked at the infection rate before CareCERT broadcast and in subsequent months, and the results have shown that the number of unique infections fell dramatically.
“Similarly, we had a threat that came in from our Cert-UK partners, and the first one we had seen that was health and care-specific,” says Taylor. “It was about malware trying to attack health and care and there were some organisations that had been affected, but after we sent the CareCERT broadcast out, the effect dropped to inconsequential.”
One of the biggest challenges when it comes to cyber security is people, says Taylor. “You’ve got people, processes and technology – and we must focus on our people more,” he says.
That is where the information-sharing portal comes in. The portal aims to encourage people to understand their personal responsibility for data security, and is where all guidance and best practice will be issued.
The HSCIC is working with Health Education England to develop content for the portal, which will go live next month.
“We are going to start off with the arm’s length bodies within the Department of Health because it’s a controlled environment, and then we’re going to roll it out nationally to health and care,” says Taylor.
“The secondary phase is to introduce it to health and care with a number of organisations across different spheres and then more formally towards the end of summer.”
Taylor says people need to understand their personal responsibility and that information governance and security in a digital world is very different from the paper-based world that NHS and care organisations are moving away from.
“In the digital world, integrity and availability are equally important,” he says. “If you make a mistake on a clinical record on paper, that mistake is once, but if you make a mistake digitally, it’s there for ever.
“So we must focus on the idea that the integrity of information is paramount and what we are trying to do with the online training portal is the link between cyber security and patient outcomes.”
Information governance training is already mandatory, and the HSCIC is working to tie in cyber security with it to create a rounded learning platform.
HSCIC has also run a course aiming to create cyber security champions to take responsibility locally.
“We are enabling local organisations and local ownership, so they can do more,” says Taylor. “It’s not a top-down approach.”