BCS publishes cyber security blueprint for NHS
- 29 June 2017
The BCS says lack of NHS accountability and investment in cyber security measures were to blame for the widespread disruption caused across the health service by the WannaCry virus.
In a new report, the BCS argues that the healthcare sector has struggled to keep pace with cyber-security best practice amid a systemic lack of investment.
The new report outlines a ‘blueprint’ on future NHS cyber security, arguing the NHS “failed to keep pace with cyber security best practice with a ‘systemic’ lack of investment”, and that “some parts of the NHS lacked access to trained cyber security professionals”.
The opening of the blueprint states: “It is not acceptable that where good practice exists, it is not used – especially where lives are put in danger. This is a systemic issue, and we need a systemic solution”. The central recommendation of the blueprint is to build a community of trained practitioners to ensure known best practice is applied in cyber security.
It states, “Cyber security threats affect every part of society; including the entire public sector, corporations small and large, everywhere that computer systems are used. However, the role the NHS plays in our lives and the nature of the threat to it puts this as the first priority.”
In the report, the BCS says some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital boards that computer systems were fit for purpose.
BCS policy director David Evans said: “Unfortunately, without the necessary IT professionals, proper investment and training the damage caused by the WannaCry ransomware virus was an inevitability…”
The BCS has partnered with Microsoft, IBM, BT, the RCN, the Patients Association and NHS Wales to produce a blueprint that outlines the steps NHS trusts should take to avoid future attacks being so disruptive.
Top of the BCS list is ensuring there are standards for accrediting relevant IT professionals. They argue the number of properly qualified and registered IT professionals, and cyber security experts, needs to be increased.
NHS boards are urged to ensure they understand their responsibilities, and how to make use of registered cyber security experts.
The document states: “We have been in contact with those working inside and out of the public sector, our colleagues working on relevant NHS policy and academic experts. We have the start of a broad coalition of organisations that wish to work together to build a cyber-safe NHS.”
The document adds, “we are looking to eliminate the threats from poor practice, and create a supported professional community”.
National Audit Office cyber security expert Tom McDonald last week published a post stating “The NHS was vulnerable to this malware largely because its software was old and hadn’t been ‘patched’ against a known vulnerability. In other words, this was an avoidable problem.”
A three-year draft roadmap is provided by the BCS for creating a ‘cyber safe NHS’ which centres on training and accrediting more cyber security professionals in healthcare. Other priorities identified include ‘inducting boards’ on cyber issues, and commissioning original research.
Underpinning the roadmap is an accompanying pledge to work together with partners in a collaborative fashion.
“I believe it is right to recognise the good work done in preventing the attacks and everyone who had worked tirelessly to minimise disruption,” said Andy Kinnear, chair of BCS Health and Care.
“We need to build on that with collective input from those who care about protecting the public from cyber threats. That’s why I support the Blueprint for Cyber Security in Health and Care.”
The report can be found here
5 Comments
Seems like a way to promote itself and its services. Sure skills are highly needed in cyber security, but certification and accreditation aren’t the silver bullets that will prevent attacks.
BCS is a charity, with a royal charter and it is governed by its members. It exists to ‘promote the study and practice of Computing and to advance knowledge and education therein for the benefit of the public’ – in short to Make IT Good for Society.
Information and technology is no longer just an enabler, it is fast becoming core to the delivery of health and care services. Whilst a certificate or registration is no guarantee that someone will carry out their job effectively or to the highest standard it does provide a mechanism for assurance.
When information and technology is applied in settings which quite literally are life or death, we should welcome measures that help to ensure the highest standards are applied to keep the public safe.
Another exercise in job creationism.
This will go the same way information governance took data sharing.
So it’s really a blueprint for career professionalisation and not a blueprint to prevent cyber incidents?
David, the blueprint is setting out a collective responsibility to ensure that industry wide cyber security standards are applied to protect the public from the threat of Cyber Attacks – that includes, but is not exclusive to, having accountable IT professionals working to professional standards, applying best practice technical standards, being accountable and empowered to ensure that their organisations and communities are protected from Cyber threats.
The role of people, be it IT professionals, NHS Boards or wider NHS workforce is critical in the fight against harm from Cyber threats.