Boards should appoint lead on data security, NHS England review suggests
- 5 February 2018
Organisations should appoint a board lead on data security and consider suspending IT access for any executive who fails to complete annual cybersecurity training, NHS England’s chief information officer has suggested.
Will Smart makes the proposals in his “lessons learned” review of the WannaCry attack, which hit 35% of NHS trusts in May last year and led some to divert ambulances from their A&E departments.
The paper includes 22 formal recommendations, many of which are changes at a national level – including the appointment of a chief information and security officer at NHS Digital.
But there are also several requests made of local organisations. And while the paper makes clear suspension of access is not “formally” recommended in the event of non-completion, it does state cybersecurity training should be made mandatory for all board members.
It also says boards must “regularly review” cyber security risks, and appoint a member to lead on data security issues.
Among the other recommendations related to local NHS organisations are:
- Ensuring all staff have “regular and targeted cyber and information security awareness training appropriate to their job role”
- Developing a local action plan to ensure compliance with the government’s Cyber Essentials Plus standard by June 2021
- For NHS provider bodies, ensuring compliance with the new Data Security Protection Toolkit – to be available from April 2018 – and providing NHS Digital with details of compliance by March 2019
- For CSUs, taking responsibility for coordinating a cyber response across primary care and CCGs
- Ensuring disaster plans include cybersecurity, and that they assess the impact a loss of IT services would have on the healthcare system
- Ensuring that contracts with IT suppliers “factor in and budget for” keeping software up-to-date, including security patches
The paper, which will be considered at this week’s NHS England board meeting, emphasises “action is required” to ensure sufficient IT staff are in post to support systems within organisations.
It suggests that pooling of resources will be critical in the event of a cybersecurity incident, and envisages sustainability and transformation partnerships as being a means of doing this.
On funding, the paper details that the additional £21m made available after WannaCry – used to address “key vulnerabilities” in major trauma centres and ambulance trusts – was diverted from the Personalised Health and Care 2020 programme.
This is the national scheme designed to ensure the NHS becomes paperless at the point of care.
The review goes on to describe a “rigorous reprioritisation exercise” as being underway across the whole NHS IT portfolio. The stated aim is to identify additional cybersecurity investment between 2018/19 and 2020/21.
2 Comments
I agree with the recommendations but isn’t that what the Senior Information Risk Officer is supposed to do? Cyber-security is one important aspect of Information Governance, albeit one which in some Trusts may not have received sufficient attention in recent years, overlooked by SIROs and delegated down to the lower levels of IT management who have little influence over spending plans.
According to the IGT, “The SIRO is an executive who is familiar with and takes ownership of the organisation’s information risk policy, acts as advocate for information risk on the Board.”
In the context of the IGT, Information Governance includes “Security incidents: unauthorised access to, tampering with or use of ICT systems, electronic attack, including denial of service and malicious software (‘malware’) attacks (viruses, worms, Trojan horses); ”
As is so often the case in the NHS, the issue isn’t a lack of policies and guidance but a yawning gap between policy and common practice.
You can nationally procure as many cyber systems as you like, you can make board level responsibilities for Cyber Security, you can send NHS organisations weekly carecert emails detailing all kinds of Ransomware and generic recommendations, you can sign deals with Microsoft, you can make recommendation after recommendation but if you don’t have Cyber “Soldiers” on the ground to actually implement these things, then none of it counts.
In my opinion each NHS organization should have a dedicated Cyber Security role (in the same way that IG has) who is responsible for implementing all the actual cyber defenses (not drafting policies – actually applying technical solutions).
Until then, IT Departments will struggle to give it the focus it requires while balancing that against other pressures.
Do they realise how many man-hours it takes to patch hundreds of virtual servers, thousands of desktops, hundreds of network switches, blade servers, applications (such as Adobe Reader, Flash Player, Shockwave, Office, Java, etc.), mobile devices, firewalls, VPN systems, web browsers, etc.? Considering that many of these patches are released every month and most NHS organisations use their systems 24/7, this is a massive task for under-resourced IT departments to absorb.
I actually agree with most of the recommendations and I think we’re moving in the right direction, I just think that it’s too top-heavy and local organisations are not being appropriately represented or funded in the fight against cyber threats.