The NHS’s appetite for action plans and strategies – frequently with a side order of task and finish groups, alongside a veritable buffet of governance structures – often seems insatiable. But when it comes to cybersecurity, the service is attracting flack for being too slow to get stuck in.
It is now a full year since WannaCry ransomware hit a third of England’s NHS trusts, not to mention 595 GP practices. Appointments were cancelled. Operations too. Some of the most severely-affected hospitals had to divert ambulances to other institutions. Formally speaking, the incident lasted a full week: NHS England declared a major incident on Friday 12 May 2017, and didn’t stand down its response until the following Friday.
Few healthcare professionals or NHS employees will have pleasant memories of that time. And so if there was a situation which warranted a good action plan, this would seem to be it.
There has certainly been no shortage of post-mortems. They began with a October 2017 report from the National Audit Office (NAO), which concluded the health service had failed to adequately respond to repeated warnings about cybersecurity.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” commented Amyas Morse, head of the NAO, at the time. “There are more sophisticated cyber threats out there than WannaCry so the Department [of Health and Social Care] and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
In was perhaps partly in that spirit that Will Smart – chief information officer for the health and social care system – penned his own review on lessons learned from WannaCry, published in February 2018.
It featured 22 recommendations; some relating to national action (the appointment of a national chief information and security officer and a dedicated cyber security lead, for instance) and some local (appointing a board lead on data security, and ensuring regular review of cybersecurity risks is consistently on the board agenda).
Ask members of parliament if they are pleased with the progress made against these recommendations, however, and the answer is a definite no. In February, members of the public accounts committee (PAC) heard that every single trust had failed assessments against the Cyber Essentials Plus Standard. Many failed simply because they had not patched software: despite this being a clear vulnerability that was exploited by WannaCry.
MPs also heard that there was no concrete picture of how much it would cost to implement Smart’s 22 recommendations – or, indeed, when they might be implemented. Meg Hillier, the chair of the PAC, characterised the situation as “alarming”.
Said the MP for Hackney South and Shoreditch: “Government must waste no time in preparing for future cyber-attacks – something it admits are now a fact of life. It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”
There is little doubt that there is a role for national NHS bodies to play here, not least through addressing finance issues (extra funding has been promised to bolster the health service’s cybersecurity efforts). But, equally, the service is not one organisation: it’s hundreds of individual ones, all with individual strengths and failings. And each will need to address its own literal and metaphorical cybersecurity weaknesses.
Patching is a sensible place to start, as is capitalising on the newly-announced national deal enabling all NHS organisations to use Windows 10. Smart’s suggestion that cybersecurity should become part of regular board discussions seems a valuable one, and something which should be relatively straightforward to address.
Deeper discussions need to be happening within IT departments, of course, and also involve chief clinical information officers. Some discussions might involve consideration of broader changes which could bolster cyber resilience, including a potential move to cloud and away from infrastructure and software which can become quickly dated and resource-heavy to update.
In June, the public accounts committee will once again play host to the national figures trying to improve the NHS’s cybersecurity. Whether they will by this point have developed an action plan to satisfy MPs remains to be seen. But the cyber risk is likely to intensify rather than go away, the need to bolster defences is undeniable, and much of the ability to take action lies in local hands.