In October, the National Audit Office published its findings into the WannaCry cyber attack and how it impacted the NHS in England. NHS Providers director of development and operations Ben Clacy looks at how the NHS needs to safeguard its IT estate for the future.
Following May’s well-documented cyber attack, the National Audit Office’s report gives us a valuable opportunity to look at just what the NHS in England needs to do to minimise the risk of future cyber attacks. Overall, the report is clear there is significant work to be done, but it is important to remind ourselves this cyber attack was not focused on the NHS alone; it affected organisations across the globe, including many large multinationals. Cyber security is, or should be, a major risk for any organisation, and to think it isn’t is to underappreciate the global significance of this very real threat.
Having said that, it is, of course, important to understand this in an NHS context and to look at just what needs to be done to nullify future attacks as much as is possible.
Infrastructure
There are three main areas here to focus on. The first and the most obvious place to start is the current state of our NHS infrastructure. Here we already come across some significantly complex issues as there is clearly not one single infrastructure that we need to review or update but hundreds of separate entities with their own complex infrastructures developed over many years. Once you start to look at some of the detail within our devolved delivery system within the NHS it continues to get more complicated.
For example, there are 231 trusts in England, each of which will have their own IT infrastructure running many complex activities across a variety of operating systems. Looking at those operating systems alone you can see issues with access and the ability to upgrade, an example being that many medical devices are still running on an embedded version of Windows XP. In some instances, it will be almost impossible to upgrade. If you then multiply this by the number of trusts in England and add in the fact that large numbers of those have wide-ranging estates and geographies then the complexity of the situation quickly builds.
Need for investment
This then brings us onto the second area that requires focus – the need for investment. Across the NHS the real need for capital investment has been highlighted quite clearly. Technology is a particular concern. Taking into account the first point around the complexity of the infrastructure across the NHS, there is clearly a lot of work to be done in understanding just what this capital investment needs to focus on. The requirements will be complex, as outlined above, and there will be a need for trusts here to work closely with NHS Improvement, NHS Digital and NHS England to balance the need for investment across localities and centrally. There may be very different needs, for example, in a major trauma centre compared to a community services provider, but both will equally need investment. The key here is a balanced approach that takes into account local and national needs, focussing on required infrastructures for now and the future whilst also ensuring we improve cyber security itself.
Lastly, there remains a need to maintain our focus on business continuity. One of the overriding memories of the hours and days after WannaCry struck back in May was the way in which it demonstrated just how good the NHS is at dealing with major incidents. Indeed this was one of many such reminders through 2017. What was less well seen through this particular incident was the work going on behind the scenes by our NHS IT teams to both support immediate frontline care and rectify the situation those trusts affected found themselves in.
It’s important to reiterate just how good the NHS is at this because, whilst there is much we can do to improve our IT infrastructure and our cyber security, it will at some point again be breached. This isn’t a fatalist mentality; more a realistic view, as cyber threats are developing so quickly there is no way of ensuring we are always a step ahead. There undoubtedly will be attacks that get through in the future. Because of this, it is imperative we remain prepared for this eventuality and continue to understand what more we could have in place for the next time this happens.
Learning lessons
Wrapped around all three of these areas there is also a need to understand what lessons there are to learn in communicating incidents such as this. We need to understand how best we communicate within the system, locally, regionally and nationally, and move away from a reliance on email. The attack also showed there needs to be a clearer way in which we communicate with the public, again both at a local and national level. Work on this has begun and, if done well, will help considerably in the way in which future incidents are dealt with.
Dealing with these areas of focus will be no mean feat and will need considerable resource, some of which is not necessarily readily available within the NHS at the moment. Within our constrained financial world, even with the recently announced budget plans, this will not be easy. What is clear is that more cyber attacks will come. For the NHS to ensure it can deal with this ever-present threat, we need to undertake these three areas of focus as swiftly and comprehensively as possible.
This article was first published by Public Sector Focus