CASE STUDY: It’s 8am and IT is in for a tough day…

Published: 20-May-2021
Digital

Cheshire and Merseyside Health and Care Partnership asked Gemserv Health to put together a scenario-based cyber security exercise that started with some bad news, but uncovered a lot of useful information

It’s 8am and it is as a nice day - until you turn on the radio.

The news has just started, and the lead story is that a video has been released showing a group of NHS leaders making worrying remarks about a COVID-19 vaccine.

They seem to be suggesting that safety issues are being covered up, and the share price of the vaccine maker has crashed 10% overnight.

The phone then starts ringing and it’s a press officer wanting to know what IT is going to do about this leak, or fake, or whatever it is…

Cyber attacks spread, fast

This is the scenario that greeted 22 heads of IT in Cheshire and Merseyside earlier this year.

It was constructed by Gemserv Health, with input from Cheshire and Merseyside Health and Care Partnership, to find out how the integrated care system would respond to a cyber-security incident.

Paul Charnley, digital lead for the ICS, explains that commissioners, councils, hospitals and other providers in the area have their own policies and procedures in place. But the ICS does not have an overarching response that was tested and ready to use.

We have worked on our strategy and then we have moved to manage our supplier market and our procurement teams to buy in harmony with that

“NHS Digital has a data protection toolkit that requires every organisation to plan for and rehearse its response to a cyber attack, but one of the things that we learned from WannaCry is that a cyber incident can impact a large geography, very quickly,” he said.

“We need to be able to co-ordinate.”

He adds: “The exercise that we ran really brought that to life.

“It was very salutary and very helpful, and it has given us a lot to think about.

“We have learned a lot since WannaCry, but we are in an arms race with the hackers, and we’ve still got more to do.”

Learning lessons

WannaCry was the worldwide ransomware attack launched in May 2017.

It didn’t target the NHS, but the National Audit Office estimated that 34% of trusts in England were impacted anyway.

One reason was that the NHS employs a lot of people; with 1.3 million staff and it had a lot of malicious emails to contend with.

Another was that WannaCry spread through older, unpatched Windows systems; and the NHS had a lot of those in computers and medical devices.

However, a third problem was that there was no co-ordinated fightback.

The NAO reported that the Department of Health had been working on a plan, but it hadn’t been tested at a local level, so ‘it was not immediately clear who should lead the response and there were problems with communications’.

We have learned a lot since WannaCry, but we are in an arms race with the hackers, and we’ve still got more to do

And some trusts couldn’t be reached by email ‘because they had been infected by WannaCry or had shut down their email systems as a precaution’, leaving a mix of switchboards, mobiles, and WhatsApp as the only way through.

Only as strong as the weakest link

IT leads in Cheshire and Merseyside wanted to do better.

“After WannaCry, we swore that we would work more closely together, under the tagline: ‘we are only as strong as our weakest link’,” said Charnley.

So the 22 heads of IT in the area agreed to standardise their policies and procedures, and to pool any funds made available by the NHS, to make the money go further.

Cheshire and Merseyside HCP is now working with NHS Digital on a target cyber-security architecture and on a procurements process to deliver the strategy.

This has enabled individual organisations to work to a standard on one of two security information and event management systems: one medical device protection product; and one single sign-on product to give staff secure access to clinical and administrative systems.

“We have worked on our strategy and then we have moved to manage our supplier market and our procurement teams to buy in harmony with that,” said Charnley.

“Gemserv has supported both the policy and the business models.”

Finding the gaps

Cheshire and Merseyside HCP is now better protected against a cyber attack than it was five-years ago; but the mantra of cyber security is not to ask ‘if’ a cyber incident is possible, but ‘when’ one will occur.

The scenario-based exercise was designed to find out how ready the ICS is to deal with an attack; and whether IT leaders across the patch are clear about who will lead the response and how they should communicate with each other.

Before COVID-19 arrived, the ICS had been looking to run a physical event, but, because of the pandemic, it moved to Microsoft Teams.

And five virtual breakout rooms were set up for organisational teams to use, and the scenario was fed to them.

Unfortunately, the attackers only need to be successful one time in 100, whereas the defenders need to be on their game 100 times out of 100, so it’s an unequal game of cat and mouse

As the event went on, the teams also received ‘injects’ of information to take the scenario in a different direction and test their ongoing responses.

They got some ‘good’ news: the video didn’t feature local executives and was instead a ‘deepfake’.

They also received some ‘bad’ news: one of the executives who had been deepfaked had also been spear phished.

His email and that of his contacts had been targeted and a route was open for a ransomware attack.

Not if, but when

Charnley said that, on the day of the cyber scenario event, years of hard work in Cheshire and Merseyside paid off.

IT teams were able to mount a more-co-ordinated and coherent response to the Gemserv scenario than they were to WannaCry.

They also had better tools to use.

However, the exercise showed there were gaps to fill.

The area turned out to be short of some specific cyber security expertise out of hours.

Paul Charnley

Paul Charnley

And there were still questions about how decisions would be made that were big enough to require sign-off from Government departments in London or the NHS’s central bodies in Leeds.

It emerged that health and local authority incident response planners needed a cyber playbook to put alongside the playbooks they have for dealing with train wrecks, chemical spills, or even nuclear incidents.

Gemserv Health is now helping to write one, and when it is ready, Charnley wants to test it by running the exercise again.

“Gemserv told us that the military builds things and then attacks them,” he said.

“It costs millions of pounds and we don’t have that kind of money, but we can learn a lot this way.

“I want to do this every six months – certainly every year – and I think every ICS should be planning to do the same.

“I’d definitely encourage others to follow this model and this approach.

This was the first time a cyber breach and response scenario of this kind has been done at ICS level in the NHS

“We wanted to work with an external partner because it’s easy to be insular or to play to your strengths in these exercises.

“Having an external view was very helpful. It gave us a lot of things to think about.”

Staying on top of the game

Prior to the event, Gemserv used its expertise in working across many different public sector and private organisations to create a policy and process document for Cheshire and Merseyside HCP to adopt.

It liaised with the ICS’s leaders and NHS Digital to develop a bespoke and realistic multi-pronged scenario.

“This was the first time a cyber breach and response scenario of this kind has been done at ICS level in the NHS,” said Andy Green, Gemserv’s chief information security officer.

“We went from looking at a damage-limitation perspective to a malicious insider to a full-blown cyber attack.”

NHS colleagues from other ICSs around the country also took part, to consider their own emergency preparedness procedures.

“It’s a continual challenge to stay abreast of what’s happening and it’s an asymmetric problem, unfortunately,” adds Green.

“Unfortunately, the attackers only need to be successful one time in 100, whereas the defenders need to be on their game 100 times out of 100, so it’s an unequal game of cat and mouse.”

  • Companies:
  • Liverpool Heart and Chest Hospital
  • Alder Hey Childrens Hospital and Trust
  • The Walton Centre NHS Foundation Trust
  • The Clatterbridge Cancer Centre NHS Foundation Trust
  • Countess of Chester Hospital
  • Bridgewater Community Healthcare NHS Trust
  • Southport and Ormskirk Hospital NHS Trust
  • East Cheshire NHS Trust
  • Mersey Care NHS FoundationTrust
  • Liverpool Womens NHS Foundation Trust
  • St Helens and Knowlsey Hospitals NHS Trust
  • Mid Cheshire Hospitals
  • Warrington and Halton Hospitals NHS Foundation Trust
  • Wirral University Teaching Hospital NHS Foundation Trust
  • Wirral Community NHS Trust
  • North West Ambulance Service NHS Trust
  • North West Boroughs Healthcare NHS Foundation Trust
  • Liverpool University Hospitals Foundation Trust
  • Gemserv Health
See more

You may also like

Digital

Integrated technology improves Mersey Care NHS Trust's mental health services

Read more
Access HSC integration between Rio electronic patient record (EPR) and Elemental social prescribing software has improved mental health services

Trending Articles

  1. Nuance announces availability of Ambient Clinical Intelligence AI-powered ambient solution already improving physician productivity, patient throughput, and 88% higher physician satisfaction scores
  2. Standing up for health tech and SMEs: Shane Tickell’s vision AS the new chair of the health and social care council at techUK, Shane Tickell talked to Highland Marketing about his determination to support small and innovative companies, by having some frank conversations with the NHS and the health tech industry about strategy and commercials
  3. GIANT Health 9-10 December 2024 | Hybrid Conference | London, UK
  4. Scanning for safety - the rise of RFID in healthcare Exploring how RFID technology is supporting hospitals to improve patient outcomes and drive efficiencies
  5. Building Better Healthcare Awards 2020 and 2021 - the winners are announced Find out who picked up the coveted trophies in this year's double ceremony

Upcoming event

HEFMA Leadership Forum

8–10 May 2024 | Conference, exhibition and awards | Telford, UK See all

You may also like

Digital

Integrated technology improves Mersey Care NHS Trust's mental health services

Access HSC integration between Rio electronic patient record (EPR) and Elemental social prescribing software has improved mental health services
NHS

Movie Magic Coming to Children and Young People at Liverpool’s Alder Hey Children’s Hospital

The charity MediCinema, Alder Hey Children’s Charity and the Alder Hey Children’s NHS Foundation Trust have announced a new partnership to create a state-of-the-art cinema inside the children’s hospital
Digital

West Midlands to transform cancer diagnosis across 17 trusts

Speed and accuracy of diagnoses improved following digital pathology go-live with Sectra
Digital

Alder Hey launches ‘one-stop shop’ mental health platform

First-of-a-kind app provides a single point of access to young people's mental health services
Finance

AdviseInc wins nine ICS contracts

Leeds Teaching Hospitals NHS Trust and Liverpool University Hospitals NHS Foundation Trust the latest to work with healthcare technology supplier to achieve greater value from procurement data
Digital

Mersey trust first site to go live with game-changing system integration

Mental health provider to integrate Access HSC’s Rio EPR and Elemental social prescribing software
Digital

COVID continues to drive digital transformation of health services

Gemserv research reveals patients welcome increase in digital services
Subscribe now