It is widely perceived that the NHS has had a troubled history with digital transformation and information technology. That’s why last year many incorrectly jumped to the conclusion that a cyberattack had been launched against the health service and subsequently labelled it “the NHS cyber attack”. In fact the WannaCry ransomware attack affected various companies ranging from Telefonica to Deutsche Bhan: the NHS was simply one of many victims.
But while the NHS was not the only organisation to suffer from the attack, its experience was unique. Delivering healthcare services, at scale, with the regulatory and funding constraints of the public sector, meant the NHS needed a distinct response to the WannaCry incident. Fortunately, and in part thanks to the dedication of NHS staff, the attack had a limited impact on services and acted as a dress-rehearsal for potential larger attacks. A year on we need to review how much progress the NHS has made.
Fortunately, and in part thanks to the dedication of NHS staff, the attack had a limited impact on services and acted as a dress-rehearsal for potential larger attacks.
What has already happened?
Across the system we now have a better understanding of the issues and challenges associated with cyber security. Since last year’s attack, we have had three national reviews, from the Public Accounts Committee, the National Audit Office, and NHS England, as well as the Government’s response to the Caldicott review. The incident certainly acted as a catalyst for raising awareness of the issue of cyber security.
The national leadership of the NHS has prioritised the delivery of various infrastructure programmes. Chief among these initiatives is the recent Microsoft deal to bring in Windows 10. This operating system is more robust than its predecessors and should allow trusts to more easily detect viruses, phishing and malware. Alongside this NHS Digital has gone to market for a new NHS cybersecurity centre that will coordinate and take responsibility for NHS-wide cyber defences. In terms of funding, £21m has been allocated to upgrade firewalls and network infrastructure in major trauma centres and ambulance trusts, while a further £25m of capital funding was set aside in 2017/18 to support trusts that were non-compliant against high severity CareCERT alerts. Whilst these initiatives alone are not enough for trusts to adequately protect themselves from future threats, they are welcome, particularly given previous national sclerosis.
In terms of funding, £21m has been allocated to upgrade firewalls and network infrastructure in major trauma centres and ambulance trusts.
At local and regional levels, progress is being made to work more closely together on cyber security. There are good examples of sustainability and transformation partnerships (STPs) developing joint incident response plans as well as coordinating investment and procurement. In addition to this, NHS Digital has implemented CareCERT Collect, which requires all NHS bodies to report within 48 hours on action they have taken on high severity CareCERT alerts. Closer working and collaboration is a positive step towards better management of cybersecurity.
What still needs to happen?
One of the key themes that came out from the national reviews was leadership, at both the national and local levels, and in particular at board level. Local and national leaders need to stand up and take cybersecurity seriously, rather than simply seeing it as a cost pressure. NHS England’s head of architecture, Inderjit Singh, went as far to suggest that cybersecurity is a board issue not a technology issue. There is variation in the quality of cybersecurity leadership across the country, and in some cases it has almost been non-existent. NHS England’s recommendation that boards should appoint a lead on data security is the right one. But an even more important development has been the establishment of the NHS Digital Academy, which will produce and train 300 digital leaders across the NHS over the next three years. This is an important step towards cybersecurity, and digital health more generally, becoming more prominent during board discussion. Developing the NHS’ digital leaders is a continuing process and we can’t afford to lose momentum.
Local and national leaders need to stand up and take cybersecurity seriously, rather than simply seeing it as a cost pressure.
While there has been a lot of work diagnosing the issues, we still need to follow through on the multitude of recommendations that have been produced. Only last month, the Public Accounts Committee stated its concern at the lack of agreement on how to implement lessons learned. The £20m NHS cybersecurity centre, which had formed a key part of the national response, has been delayed and looks far from being launched. But recommendations also need to be followed through at local level. For example, there needs to be more work undertaken by trusts with suppliers to ensure infrastructure is up to date. More broadly, the system needs to tackle the barriers which undermine its ability to act at pace; we know another attack is inevitable so all need to operate at speed to build resilience.
The system needs to tackle the barriers which undermine its ability to act at pace; we know another attack is inevitable so all need to operate at speed to build resilience.
Ultimately, however, a commitment to investment is needed to back up any progress that can be made. It was widely reported that one recommendation from NHS England’s initial review would cost £1bn alone. The £21m capital funding for major trauma centres and ambulance trusts was diverted from the paperless 2020 agenda programme: it does not represent new money. We know trusts’ access to capital funding more generally has been sub-optimal and the WannaCry attack simply provided a very stark demonstration of how dangerous under-investment is. In this context, genuinely new funding would be more effective for trusts who need to invest in order to take forward the lessons learned.
We know trusts’ access to capital funding more generally has been sub-optimal and the WannaCry attack simply provided a very stark demonstration of how dangerous under-investment is.
On the anniversary of the WannaCry attack, we can confidently point to the areas of cyber security where the NHS needs to improve. But the next attack is question of “when” not “if”. Across the system the NHS needs to support and develop leaders who will be able to take forward the multiple recommendations that have been produced. This won’t work without adequate funding which trusts currently struggle to access. Progress has been made over the last twelve months but we can’t afford to lose momentum.
This article was first published by National Health Executive on 7 June 2018.