2020 vision – are NHS boards clearly sighted on cyber security?

by Tony Cobain

16 January 2020


Boards and chief information officers need to start talking the same language

Well, it’s the new year and I apologise for the corny title, but it does seem somewhat fitting.

We’re nearly three years on from the WannaCry ransomware attack (that’s the last time I’ll mention it, I promise). I’d argue that the tech community has moved significantly forward in its efforts to tackle cyber security, but there is often still a disconnect between the techs and their boards on cyber issues.

Why is this still the case – did the W-event not teach us anything?

We’ve seen the crippling impacts of that and other cyber attacks, and we know we are putting more and more technology into our healthcare environments to support frontline delivery of care. It’s no longer just payroll and ledgers: we have artificial intelligence engines directly supporting clinical decision making and we have robotic surgery. In fact, technology underpins all of the ‘ologies’, as Maureen Lipman would have said. So why haven’t we fully addressed the issues?

Well, first of all, it needs to be understood that there is no silver bullet. Cyber security isn’t simply an issue that IT teams can ‘sort’. It’s not a technology risk, it’s a business risk and it needs to be recognised as such by the board.

And that’s where the problem lies. As a technical community, we are generally more comfortable talking about malicious threat actors, kill chains and weaponising (we do love a military metaphor; it makes us feel important). But the board simply won’t understand, and that’s not a criticism. If the medical director starts talking about the impact of acute viral rhinopharyngitis and acute coryza on staffing and activity, their board colleagues will be equally nonplussed. As the saying goes, ‘we are both fluent, but in very different languages’.

To get over this, we can start by understanding that knowledge and intelligence aren’t a competition. We bring different skills and insights to the board table, but these are only valuable if we can all understand them. And we can only do this by talking the same language – the language of risk!

All NHS boards have been offered, and most have received, free training by NHS Digital setting the scene around cyber risk and board responsibilities, and the NAO cyber security and information risk guidance for audit committees includes key questions to be asked. However, chief information officers (CIOs), or similar, must maintain the board’s interest by describing the cyber threat in the context of what it means for the organisation and the services it provides.

For example, we are not worried about the risk of ransomware encrypting computers and attached devices, but about the risk that clinical care processes will be compromised by the unavailability or corruption of systems and data. What is the impact if CT and MRI scanners are disabled in a major trauma centre? Or if diagnostic data is corrupted and incorrect results are returned? Or, worse still, what happens if that network-connected surgical robot goes haywire mid-operation?

These are the real risks to the organisation. They can be triggered by cyber events, and everyone needs to understand that, but leave the tech talk in the IT department. Everywhere else, let’s keep it all plain, simple and easily understood, so that cyber risks can be discussed on a level playing field alongside risks relating to nurse staffing levels, winter pressures, hospital-acquired infections and even financial pressures.

So, board members and governors, go into your organisations and challenge your CIO around cyber risk. Make sure you are getting regular risk reports. Make sure that they are understandable, and don’t be afraid to query them.

Challenge them on the organisation’s Data Security and Protection Toolkit submissions. And ask about the skills and capacity available to meet the cyber security challenge. Finally, accept that if a cyber risk is red-rated in your risk register, you should treat it accordingly. And remember, the attackers are always one step ahead of the defenders, and in this game there is no offside and no VAR.

Oh, and by the way, acute viral rhinopharyngitis and acute coryza are apparently clinical terms for the common cold!



The HFMA has been working with Oracle to consider examples of new enabling technologies and how digital transformation might best be approached, as set out in Driving digital transformation in the NHS. The HFMA Governance and Audit Committee is currently looking at governance of IT and digital issues and is keen to hear from members on any particular areas or outputs that would be of help. Please contact lisa.robertson@hfma.org.uk.