Cybersecurity a leadership issue for NHS Boards, not a tech issue
- 8 December 2017
NHS England’s head of architecture said there must be a unified front on cybersecurity from NHS board members for there to be any meaningful change following WannaCry.
Speaking in Birmingham on Thursday at Digital Health’s Public Cyber Security Conference, Inderjit Singh said moving cybersecurity to the top of board-level agendas should be the focus of the NHS’s efforts in building technical resilience.
He warned that failure to do so would guarantee a repeat of the events that crippled NHS services in May.
Key to this is moving the cyber conversation from being an IT issue to one concerning leadership, said Singh.
“WannaCry brought home the fact that this is a business continuity issue, not a technology issue. It has front-line implications for services, and front-line implications around disruption to services. In terms of board level engagement and conversations around cyber, we need to drop the term cybersecurity and more talk about business continuity.”
While he said there had been “good discussions around technologies and approaches”, Singh said there had been “hardly any focus” yet on cybersecurity at board-level.
He referred to the National Audit Office’s (NAO) investigation into WannaCry and a report by the National Data Guardian in September, which highlighted the need for the NHS to create cyber-leadership roles across the organisation and establish better communications between departments.
“This is an area that has significant immaturity at all levels: regional, national and local. We need to take a system-wide approach around this,” Singh said.
“We want to create a network of leads who can talk about best practice and when issues are arising, and share that knowledge and understanding. At the moment, it feels there are people taking on those responsibilities because there aren’t other people to do that…For the board, this is where the biggest gap and effort is required.”
The NAO report said the extent of WannaCry’s impact on the NHS was in part down to its reliance on outdated software, with many organisations running Windows platforms no longer supported by Microsoft.
The investigation concluded that the infection could have been stemmed had NHS organisations followed basic IT security principles. “It was clear we could have prevented it,” said Singh.
“It was a known vector, it was a vector that wasn’t particularly complex, and one that could have been addressed several months previous. This wasn’t about new and sophisticated technology, it was about how we didn’t put the basics in place to mitigate these.”
However, Singh acknowledged there had been “significant under-investment” in the NHS in terms of basic IT. “We are far away from industry standards such as Cyber Essentials Plus,” he added.
Rather than throwing money into new products, Singh said the focus instead should be directed toward “doing the basics right.” However, he reiterated that this was not an issue which sat solely within IT departments. “This was never an IT risk,” he said.
“If we don’t get this understood, we’re going to carry on playing with consoles and pretending it’s a technology issue.”
Singh outlined the need for health and social organisations to demonstrate an adherence to basic data security standards, and suggested there be “clear asks and requirements” of NHS boards.
“Do you know this is what the NAO already expects you to do? Do you have a clear framework? Do you understand cyber mitigation? Do you have the skills and training to do that?”
“What this means is, as a board, you need to care. The board-level conversation can’t be ‘this sits with IT’. If the only answer is to sort out IT, it clearly hasn’t been established as a business continuity risk.”
3 Comments
I absolutely agree that this is a business continuity issue sitting within the over-arching Emergency Preparedness Resilience and Response framework, rather than an IT issue. As a patient, I cannot readily access clinical services if there is a major IT outage – especially in a Trust which has a paperless or paper-lite environment.
Viruses and the like have been around for decades (a company I worked for in 1990 was severely disrupted by the Stoned virus) but we still don’t seem to get the basics in place all the time.
The current NHS England Business Continuity Management Framework hasn’t been updated since 2013 and the IT scenarios given are simple ones such as service disruption due to network cables being dug up by contractors. There is also an implication that if an organisation has achieved level 2 on the IG Toolkit all will be well.
In my experience, Trust Boards often take assurance about Resilience from audits which compare the local arrangements with the NHS England framework. If Inderjit’s sensible recommendations could be included in an updated framework, this would get them into the formal organisational governance process where they could not be ignored.