Significant improvements have been made to the cyber resilience of the health and care system since the WannaCry attack of 2017, but it still faces challenges, according to a progress update published by the Department of Health and Social Care (DHSC).
Over £250 million will be invested nationally to improve the cyber security of the health and care system by 2021. This excludes investment made by local organisations into their own cyber security and wider national IT investment - such as the Microsoft Windows 10 licensing agreement.
NHSX
The creation of NHSX in July this year, as a joint unit of DHSC and NHS England / Improvement (NHSE/I) will bring stronger strategic direction and enable the centre to more easily address systemic issues impacting cyber resilience.
NHSX will publish a Cyber Security Strategy for health and care in 2020. This strategy will provide an overarching framework for cyber security in the NHS and social care.
Windows 10 & ATP
The roll-out of Windows 10 and the provision of access to the Microsoft Defender Advanced Threat Protection (ATP) are both initiatives helping to address cyber security risks and vulnerabilities at local level by taking action from the centre.
ATP provides real time detection and protection against potential threats by identifying suspicious behaviour on devices indicative of a cyber attack. It means local organisations and NHS Digital can see cyber activity at machine level across the NHS, as well as whether machines have been patched to protect them from new cyber threats.
Over half a million NHS devices have now been migrated to Windows 10, which is more secure and significantly faster than Windows 7, thus saving staff time in delivering patient care as well as improving security
NHS Secure Boundary
In December, the NHS Secure Boundary will go live. This is designed to support the 'internet first' and 'cloud first' agendas that contribute towards NHSX's Tech-Vision and the Long Term Plan. The NHS Secure Boundary provides a cutting-edge perimeter security solution at no cost to NHS organisations. It will deliver additional security monitoring and prevention defences for the multiple internet connections in use across the system, providing visibility and control to local organisations so they can better manage their own risk.
Training support
Training support, education and communication for all staff around cyber risks is also now available. Board training was introduced in November 2018 and training for Senior Information Risk Owners (SIROs) was added in July 2019 - so far 170 boards and 61 organisations have taken this training respectively.
A national cyber communications and awareness campaign - 'Keep I.T. Confidential - aims to drive cultural change across all organisations by educating all NHS staff on the direct impact of data and cyber security on patient care and the steps they can personally take to reduce the risks of a cyber incident. Since its launch is September 2019 over 340 organisations have accessed the website and downloaded the material available.
High Severity Alert process
The learning from two CareCERT alerts in 2019 (BlueKeep and DejaBlue) has been used to develop and refine a High Severity Alert (HSA) Process Handbook. The new HSA process will be communicated more widely to ensure all organisations are aware of the steps they need to take and the deadlines for doing so in the event that a high-severity CareCERT alert is issued.
DHSC says one of its next steps will be to provide better guidance and information to the leadership of organisations in the NHS about how their organisations are doing, with metrics and information to give them an objective view of their own cyber resilience.
