Towards a More Resilient and Cyber-Prepared Approach
By Sean Walsh, Director, Operations & Assurance Services, NHS Digital
Our role here at NHS Digital is to gather known threats and intelligence and broadcast them appropriately across health and care organisations, along with advice about how to mitigate such threats. It is then each individual organisation’s responsibility to act on that advice. We also help health and care organisations respond to cyber-attacks quickly and effectively in order to minimise impact on patients and staff.
Back in May, the Wanna Decryptor malware spread across the world infecting machines in over 150 countries. This was an international attack on an unprecedented scale that affected a wide range of sectors across the globe. Though most NHS organisations should and do have solid cyber security measures in place, it served as a stark reminder that no system is completely impenetrable.
The NHS responded admirably to the situation. Doctors, nurses, and backroom professionals pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible. But as with every challenge, there is always more we can learn.
Most NHS organisations, whether trusts or GP practices, followed NHS Digital’s guidance and put “patches” in place to protect their systems. Only a small number of NHS organisations were actually infected by the ransomware, but news of the cyber-attack spread quickly and resulted in unaffected services closing their systems down as a precaution. This resulted in some patient records, appointment systems and medical equipment becoming temporarily inaccessible.
We need to invest in people, across all disciplines, because data security isn’t just a technology issue or just something the ICT team have responsibility for
Across health and care, it’s important that we all work collaboratively. Getting it right the first time is great of course, but after such an event, it is fundamental and the lessons we and the wider system have learnt will make us more resilient and cyber-prepared.
NHS Digital created the Data Security Centre to support our staff and the services they deliver to ensure we secure the data of our patients. Since the attack happened in May, we have continued to listen, learn and to offer support and services to frontline organisations and to our colleagues in other national bodies. We are working closely with provider organisations to ensure that we listen to their experiences and use this feedback to strengthen our services.
We need to invest in people, across all disciplines, because data security isn’t just a technology issue or just something the ICT team have responsibility for. Leadership is key in ensuring data security is embedded across an organisation, we all have a part to play but those in senior roles can have a significant influence to make sure that things are put in place sooner rather than later.
For example, you wouldn’t leave your front door unlocked, but not having a secure password on your computer is the cyber equivalent to doing just that. We need all staff to take some basic and sensible steps to keep digital information safe. Good cyber security is the responsibility for every member of staff in an organisation, and good ‘cyber hygiene’ is as important and can be as straightforward to implement as good hand hygiene in a hospital.
Security starts on the front line, not in the IT department. Does everyone have basic training in cyber security? Do they understand their personal responsibility to keep data safe? This ‘cyber hygiene’ includes simple things such as keeping passwords safe and changing them regularly; never letting anyone other than the named person use a Smartcard; not clicking on unverified links; keeping mobile devices safe and secure; and ensuring that individuals log off or lock screens when they move away from a device.
Every single device needs to be patched with the latest software. IT provided by CCGs and Commissioning Support Units is ultimately their responsibility and should be maintained by them, but if GPs have bought other software themselves, for example telephone systems that run on PCs, then that’s their responsibility. You can’t just install something and forget about it - particularly if it’s connected to your network.
While filters remove the majority of malicious emails, occasionally one gets through, so we all need to be sensible and ask ourselves ‘Was I expecting this email? Does it make sense? Does the sender normally send an email like this?’ If the answer to any of these questions is ‘no’, then don’t open it, and don’t click on any links within suspicious emails. Don’t get tempted to look. “If in doubt - block it out”. Hover the mouse over the link and you’ll see where it’s directing you. If it’s not what you were expecting, you’ll know it is spam, and you should report it to your local IT team immediately so others won’t receive it.
Service Driven Technology
Les Ottolenghi, EVP & CIO, Caesars Entertainment
Addressing Cyber Security Strategically
David L Stevens, CIO, Maricopa County