- New strategy sets out five key ways to build cyber resilience in health and care by 2030
- Strategy will protect health and adult social care functions and services
- Move is part of Government’s commitment to build a stronger, more-sustainable NHS for the future
Patients will benefit from bolstered protection to the nation’s health and adult social care services as a new cyber security strategy for England is published today.
The Cyber Security Strategy for Health and Adult Social Care sets out a plan to promote cyber resilience across the sector by 2030, protecting services and the patients they support.
It will ensure services are better protected from cyber threats, further securing sensitive information and ensuring patients can continue accessing care safely as the NHS strives to cut waiting lists.
The announcement comes as technology is transforming how people access health and care services and information.
Currently more than 40 million people have an NHS login, helping them to book appointments, track referrals, and order medications online.
And over 50% of social care providers now use a digital social care record, helping staff to share vital information about the people they care for.
Harnessing the power of technology
However, as digital systems are adopted to improve services, the sector has become a target for cyber criminals.
Health Minister, Lord Markham, said: “We are harnessing the power of technology to deliver better, safer care to people across the country. But, at the same time, it’s crucial we’re also bolstering the defences of our health and care services.
“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future.
“This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.”
With over half (54%) of security professionals in the healthcare sector believing organisations are held back by the limitations of their existing cyber security infrastructure – overhauling legacy systems and bolstering security measures is imperative
Since the WannaCry cyber attack in 2017, which caused significant financial loss of more than £20m and service outages across the NHS, healthcare organisations have increased the number of cyber defence and response tools at their disposal.
Trusts now benefit from a direct link to NHS England’s Cyber Security Operations Centre (CSOC), providing real-time protection of any suspicious activity to approximately 1.7 million devices across the NHS network.
And around 21 million malicious emails are also blocked every month.
Response and recovery
The new vision includes five key pillars to minimise the risk of cyber attacks and other cyber security issues, and to improve response and recovery following any incidents across health and social care systems including for adult social care, primary, and secondary care. These include:
- Identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function
- Uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimising disruption
- Building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognised, and relevant cyber basics training is offered to the general workforce
- Embedding security into the framework of emerging technology to better protect it against cyber threat
- Supporting every health and care organisation to minimise the impact and recovery time of a cyber incident
A full implementation plan will be published in this summer setting out detailed activities and defining metrics to build and measure resilience over the next 2-3 years.
National cyber security teams will also work closely with local and regional health and care organisations to achieve the visions and aims of the strategy.
This work will include enhancing the NHS England CSOC, publishing a comprehensive and data-led landscape review of cyber security in adult social care, and updating the Data Security and Protection Toolkit (DSPT) to empower organisations to own their cyber risk.
Welcoming the publication, Douglas McKee, principal engineer and director of vulnerability research at Trellix, said: “The healthcare industry is a core part of our critical infrastructure, entrusted with protecting lives and patient data.
“Despite this, healthcare systems are often outdated and run on legacy software, meaning they are an easy target for threat actors and are particularly vulnerable to attack.
“In fact, our recent research has found the healthcare sector has become the most-prominent ransomware target, representing 16% of global attacks in Q4 2022.
Given the cost of the average cyber specialist is increasing, and resources are in much-shorter supply, it’s often very difficult for the NHS to fund the cyber protection it needs
“A successful breach could have a devastating impact on the healthcare industry, with the potential to compromise sensitive patient data or prevent healthcare professionals from providing necessary care.
“Amid rising risks, it is therefore crucial for healthcare organisations to enhance their security practices.
“With over half (54%) of security professionals in the healthcare sector believing organisations are held back by the limitations of their existing cyber security infrastructure – overhauling legacy systems and bolstering security measures is imperative.”
And Jonathan Bridges, chief innovation officer at Exponential-e, said the Government must set aside adequate funding to support NHS organisations in improving their cyber security.
He told BBH following publication of the strategy: “It’s very difficult for the NHS to prioritise spend on new technology. That’s why its systems have become outdated and vulnerable in many cases, and why the Government’s new strategy to protect the NHS from attack is so urgently needed.
Informed knowledge of cyber risk at an operational level, and how that risk could impact the quality of treatment, is fundamental to making sure patient care is never compromised in the event of attacks
“Budget is a big reason why current approaches are failing.
“Often it’s capital based, and the public sector’s ability to increase operational budgets is challenging, but modern-day security services are considered operational. So, given the cost of the average cyber specialist is increasing, and resources are in much-shorter supply, it’s often very difficult for the NHS to fund the cyber protection it needs.
“Investment in cyber education is equally important to raise awareness of its crucial role in frontline services.
“Advising operations leads to identify where their critical data is stored, where their vulnerabilities lie, and what tactical and strategic protection is needed to fix those vulnerabilities and stifle attacks, is a must.
“That informed knowledge of cyber risk at an operational level, and how that risk could impact the quality of treatment, is fundamental to making sure patient care is never compromised in the event of attacks.”