Luis Louro - Fotolia

NHS urged to spend extra cyber defence funds wisely

The NHS has been urged to invest wisely in cyber defences after the government announced plans to increase data security funding by millions of pounds in response to the Caldicott review

The government is to boost investment in NHS data and cyber security above the £50m identified in the Spending Review to address key structural weaknesses, such as unsupported systems.

An initial £21m of capital funding will be targeted at increasing the cyber resilience of major trauma sites as an immediate priority, and improve NHS Digital’s national monitoring and response capabilities.

The additional funding is part of a package of measures to improve NHS cyber security, announced by the government in response to a review on data security and data sharing in the health and social care system by national data guardian Fiona Caldicott, published in July 2016.

The government has agreed to adopt and promote the 10 data security standards proposed by the Calidicott review and to adopt the Care Quality Commission’s recommendations on data security.

In addition to increased funding, the package includes measures to protect information through system security and standards, enable informed individual choice on opt-outs, sanction criminal and reckless behaviour, and to protect the public interest by ensuring legal best practice and oversight.

According to the government, in summer 2017 NHS Improvement will publish a new “statement of requirements” which will clarify required action for local organisations.

CEOs will be required to respond to this with an annual “statement of resilience”, confirming essential action to ensure that standards are being implemented. This will include the requirement for each organisation to have a named executive board member responsible for data and cyber security.

A new information governance toolkit, currently under development by NHS Digital, is scheduled to be in place by April 2018, and the Care Quality Commission will in future assess cyber security as part of its inspections.

Lessons learned

Will Smart, CIO of the health and social care system, has started a “lessons learned” review, to report in October 2017 and inform further action, the government said.

Immediate lessons have already been identified from the recent incident, including:

  • The need to ensure organisations implement critical CareCERT alerts, including software patches, and keep antivirus software up to date.
  • The need for organisations to identify and prioritise action to move away from or isolate unsupported systems.
  • Ensuring that organisations, their boards and their staff take the cyber threat seriously, understand the direct risks to frontline services and work proactively to maximise their resilience and minimise impacts on patient care.

“We can, and must, do more to ensure that organisations are equipped for the 21st century. This means being resilient to data and cyber threats, and using patient information safely and securely,” wrote Jeremy Hunt, secretary of state for health, and Lord O’Shaughnessy, parliamentary under-secretary of state for health, in the foreword to the response to the Caldicott review.

“Getting this right underpins our ambition of having a world-class health and social care system in the digital age. The global WannaCry cyber attack in May 2017 has reaffirmed the potential for cyber incidents to impact directly on patient care and the need for our health and care system to act decisively to minimise the impact on essential frontline services,” they wrote.

Serious threat

More than 200,000 computers in 150 countries were affected by the initial wave of the WannaCry ransomware. In the UK, the NHS was particularly hard hit. In England, 48 NHS trusts reported problems at hospitals, GP surgeries or pharmacies. In Scotland, 13 NHS organisations were affected.

Initially, the NHS attacks were linked to the continued use of Windows XP, an unsupported version of Microsoft’s operating system, in some devices and computers in parts of the NHS, but researchers later reported that, in fact, Windows 7 was worst affected and responsible for the wide and fast spread of the attack. According to Kaspersky Lab, the number of Windows XP machines affected was “insignificant”.

Malcolm Murphy, technology director for Western Europe at Infoblox, said that in the wake of wake of WannaCry and Petya, it is clear that the NHS is facing a serious cyber security threat with connected devices increasing and legacy operating systems often operating unpatched in medical equipment.

“However, hospitals now face the challenge of ensuring that they spend this money in the right places – cyber criminals are increasingly targeting every vulnerability they can – and they should now be operating under the assumption that it’s a case of ‘when’ the next cyber attack will happen, not ‘if’,” he said.  

While the NHS should definitely prioritise updating its operating systems, Murphy said to protect against another attack like WannaCry and Petya that exploits vulnerabilities in unpatched systems, the NHS also needs to ensure it spots a potential attack as fast as possible.

“Hospitals need to be investing in network monitoring measures, ensuring they are continually monitoring all possible endpoints for malicious activity to stay on top of the ever-present threat of attack,” he said.

Prioritise prevention

Paul Farrington, manager, Europe, Middle East and Africa, solution architects at Veracode, said the additional investment by government demonstrates just how crucial cyber security measures are to all industries, not just the healthcare industry.

“Our dependence on software means attacks like these, whether from cyber criminals looking to make money, or from those motivated by some political purpose, will only grow more frequent. We live in a time where our economy is tied to software, meaning a digital attack on an organisation like a hospital can have implications in the physical world,” he said.

Even if attacks are carried out with the sole objective of getting companies to pay a ransom, Farrington said the recent attacks demonstrate the deficiency in the way software and hardware is produced, which is something attackers are aware of and seek to exploit.

“While this investment is clearly a big step in the right direction, to truly combat the cyber threats to the NHS, the organisation needs a sense of purpose and leadership in this area. The money should not just be invested in helping promote and educate staff on better cyber hygiene. In an industry where the stakes are literally life and death, we must prioritise prevention over detection,” he said.

WannaCry investigation

As the government kicks off its plan to boost cyber security in the NHS, Parliament’s independent public spending watchdog, the National Audit Office (NAO), begins an investigation into the WannaCry attack.

According to the NAO, the investigation will set out the facts about the cyber attack’s impact on the NHS and its patients; why some parts of the NHS were affected and others were not; and the roles and responsibilities of key stakeholders and how they responded to the attack.

Anyone who would like to make a submission to the investigation is invited to contact the NAO using he following email address: [email protected].

The findings of the NAO investigation are expected to be published towards the end of 2017.

Read more about data security in the NHS

  • National data guardian Fiona Caldicott’s report on data security in the NHS recommends 10 new data security standards that will apply to all organisations holding health and care information
  • NHS IT managers think security measures in the NHS are stronger than they actually are, according to a study
  • Health and care organisations should not be afraid to acknowledge that cyber attacks will happen, but must be ready to handle breaches effectively, says CareCERT’s programme head

Read more on Hackers and cybercrime prevention

Data Center
Data Management