NHS Digital Academy hailed as ‘important mechanism’ for cyber security

The NHS Digital Academy will be a “really important mechanism” for improving cyber security within the organisation, NHS England’s CIO has said.

Will Smart was summoned to speak to at NHS England’s board meeting on 8 February to discuss his ‘lessons learned’ review of the WannaCry cyber-attack, which took place in May 2017.

Smart’s report, which was released last week, lists 22 recommendations for the future, including the appointment of a chief information and security officer (CISO) and a dedicated cyber security lead across the entire English NHS.

The board’s newly-appointed national medical director, Professor Stephen Powis, brought up the topic of the NHS Digital Academy and how it could benefit cyber security.

The academy, which opened its doors for applications in November, aims to train 300 NHS digital leaders over the next three years.

Smart confirmed to the board that the first ‘cohorts’ of the academy have been selected and are made up of clinicians and non-clinicians.

“The Digital Academy is a really important mechanism and can take cybersecurity that one step further,” Smart added.

Another recommendation was for local boards to appoint a data security lead. Members questioned whether cyber security was seen as enough of a priority by NHS trusts.

Vice chairman and commissioning committee chair, David Roberts, questioned if trusts had “got the message” of the importance of the issue and whether it was being taken seriously enough.

Roberts also asked what was being done to ensure the NHS’ “weak spots” would not be exploited by hackers again.

In response, Smart reiterated that impact assessments have been carried out at 200 organisations since the WannaCry attack, with a further 25 scheduled “between now and the end of the financial year”.

The impact assessments were brought up at the Public Accounts Committee earlier this week, with NHS Digital’s deputy chief executive Rob Shaw confirming that all of the 200 trusts inspected had failed.

Smart told the board that a “high bar” had been set for the assessments and that if they failed one section, they were automatically failed overall.

“We are only as strong as our weakest link,” Smart said.

“I have not spoken to every chief executive within the NHS, but the ones I have spoken to are taking cyber security very seriously.”