Smart review recommends national chief information and security officer appointment

A chief information and security officer (CISO) and and a dedicated cyber security lead should be appointed as national figureheads, according to review into WannaCry.

A soon to be published lessons learned review, authored by NHS England’s CIO Will Smart, lists 22 recommendations including the appointment of a CISO.

The review states the role will work alongside the Department of Health and Social Care, NHS England, NHS Improvement and NHS Digital “to lead on the cyber and security agenda nationally.”

“The role will lead national cyber working groups, help inform policy and drive improvements and standardisation,” the review adds.

In addition, Smart also recommends that NHS Digital appoints a dedicated cyber security lead “working across NHS England, NHS Improvement and other partners such as local government in each of the NHS England regions (North, Midlands and East, London, South East and South West).”

The role will involve working closely with the national CSIO, NHS Digital and local heads of cyber and information security.

Another recommendation included in the review is that “NHS Digital proactively publish guidance about the CareCERT service” – a service designed to offer support to health and social care organisations so they can safely respond to cyber security threats.

Smart says that in the longer term this will mean “NHS Digital should have the ability to isolate organisations, parts of the country or particular services in order to contain the spread of a virus during an incident.”

He also recommends that NHS England should work with partners to develop potential scenarios so that it can manage multiple attacks, for example if there was a terrorist bombing attack combined with a cyber attack.

Smart’s review has revealed that £21m invested in improved cybersecurity last year was “reprioritised” from funds intended to support the paperless NHS.