Securing access

27 February 2018 Seamus Ward


On 12 May 2017, many NHS managers’ nightmares became real. They had always said it was a case of when, not if, the health service would be the subject of a cyber attack, and sadly that prediction proved correct. While there are questions over the service’s vulnerability pre-attack, the immediate response was good and over the past 10 months there have been efforts to increase investment and raise awareness of the dangers. But how well prepared is the NHS for the next attack?


While the world of cyber attacks can be a difficult one to understand, it is clear by the (some would say confusing) number of reports, standards and initiatives introduced since last May that Whitehall wants the NHS to act quickly to secure its data.

Cyber security is an issue of governance, with oversight from the national regulators, but it is also a financial issue, with the government recognising the need for investment while also warning that it could fine those organisations that are not up to standard.

Some IT experts believe the NHS got lucky with Wannacry – it hit on a Friday, minimising the number of operations and outpatient appointments affected, while a UK-based IT researcher was able to identify and use a kill-switch quickly, limiting the impact of the virus.

Even so, in England 603 primary care and other organisations, including 595 of the 7,454 GP practices, were affected. There are no reports of harm to patients, though operations and appointments were postponed, five trusts diverted patients away from their emergency departments and some experienced issues with their diagnostic imaging machines. More than 1,200 diagnostic machines with vulnerable operating systems were affected directly by Wannacry, with others disconnected to prevent the infection spreading.

In the immediate aftermath of the attack, the health service’s vulnerability was blamed on a lack of funding and on outdated operating systems that had not been patched (that is, had not received the software fix). This particularly focused on Windows XP. However, the attack was not made against old, unsupported software but against unpatched devices – most of those affected were running an unpatched Windows 7 operating system, according to William Smart, chief information officer for the health and social care system in England.

At the time of the attack, around 4.7% of NHS devices used Windows XP, but this fell to 1.8% in January 2018. With support for Windows 7 operating system due to end in 2020, the Department of Health and Social Care has urged organisations to review their systems and take action.

NHS Digital had introduced a system, known as CareCert, to alert trusts and the wider NHS to threats and help them respond. But none of the 80 trusts affected by Wannacry had implemented a Microsoft patch to address the vulnerability exploited by the virus, despite an alert issued by CareCert more than two weeks before the attack. Even without the patch, Mr Smart says stronger security within the N3 network (the NHS broadband network) would have mitigated against infection.

NHS Digital has introduced a further system, CareCert Collect, which requires trusts and commissioning support units (on behalf of clinical commissioning groups) to report on action taken to mitigate high-severity CareCert alerts – for example, by implementing security patches or updating anti-virus software.

The government has formally accepted the national data guardian’s 10 data security standards. These aim to ensure confidential personal information is handled securely and organisations proactively prevent breaches – for example, by ensuring technology is up to date. Mr Smart says adherence to the 10 data security standards would have significantly mitigated the impact of Wannacry.

Extra funding

There is also additional funding. The board responsible for the £4bn Personalised health and care 2020 technology programme reprioritised £21m in capital for 32 major trauma centres and ambulance trusts to upgrade firewalls and network infrastructure and support transition from outdated hardware and operating systems. This will minimise the risk to medical devices, such as MRI scanners, and improve anti-virus protection.

Another £25m of capital funding has been allocated in 2017/18 for organisations that have self-certified they are not compliant against high-severity CareCert alerts.

A further reprioritisation process is looking at NHS IT budgets to identify additional funding between 2018/19 and 2020/21 – so far £150m has been found for investment in local and national systems to improve monitoring, resilience and response. However, the Department says local organisations must commit capital and revenue funding to maintain and refresh their own IT estates and ensure they are using operating systems that are supported with updates or patches.

On-site cyber assessments have identified that most NHS trusts need capital investment in areas such as upgrading firewalls, improving network resilience and segmentation – separating vulnerable systems from the main network – to minimise the risk to medical equipment.

The government also plans to introduce fines of up to £17m for organisations that provide critical services – including some NHS bodies – but do not meet the European Union cyber security standards. The directive, known as the Network and Information Systems (NIS) standards, will apply to all providers, including health boards in Scotland and Wales. The Department of Culture, Media and Sport, which is overseeing implementation of the NIS, told Healthcare Finance that NHS bodies would only be fined as a last resort.

Gary Colman (pictured), head of IT audit and assurance at the West Midlands Ambulance Service NHS Foundation Trust, says NHS organisations have increased their focus on cyber security since the attack. A dedicated unit at the ambulance trust provides information security and assurance services to NHS organisations and other public and private sector bodies.

He says if trusts are taking reasonable steps to improve their cyber security, the likelihood of facing a financial penalty is low. Support and a more proactive approach by NHS Digital – flagging up threats and suggesting fixes – is a step in the right direction, he adds.

‘The level of patching operations has improved. But IT isn’t something that just happens – you have to think about the security and governance aspect of it.’

In his February report on lessons learned from Wannacry, Mr Smart, the health and care CIO in England, outlines a number of actions to improve cyber security. These include considering data security as part of segmentation under the single oversight framework and as part of decision-making on special measures under the standard NHS Improvement framework. NHS Improvement could introduce these measures this summer.

He adds that, by 31 March 2019, all health and social care organisations that provide NHS care through the NHS Standard Contract must provide NHS Digital with details of their position against the Data Security Protection Toolkit. This will help audit compliance against the 10 security standards and the Care Quality Commission well-led assessment.

Position statements are expected to include an action plan setting out how organisations will address any shortfalls in their compliance and plans for the General Data Protection Regulation (GDPR) to be implemented in May. This European legislation aims to protect personal information, with hefty fines for non-compliance.

The CQC is making unannounced inspections solely on cyber issues and NHS Improvement will take regulatory action as required. As a minimum, all NHS organisations should, by the end of June, have developed action plans for complying with the government-backed Cyber Essentials Plus standard, which includes security controls, by June 2021.

NHS Digital has completed 200 on-site assessments of trusts and all have failed. ‘There are reasons for that – it’s not a case of the trusts have done nothing around cyber security,’ deputy chief executive Rob Shaw told a recent Commons Public Accounts Committee hearing. ‘The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard is quite a high bar. I always think it’s better to have information about your vulnerabilities so you can do something about them rather than hope you’ll be okay when you do get an attack.’

Mr Colman says attacks borne by malicious links in emails remain a threat. ‘Staff awareness is still low. You could spend thousands on security, but if one user clicks on the wrong attachment you could be in difficulty.’ Progress has been made. NHS Digital says there were two similar attacks in the weeks following Wannacry, but no health organisation was affected due to the mitigating action that had taken place.

Even so, Mr Shaw told the committee: ‘We will never mitigate against all cyber attacks. We’ve got to be honest about that. I cannot understate the complexity of some NHS estates and the complexity of patching different parts of it, because you can patch one part of it that can have an impact on something else.’

Weighing up the risks

A patch could mean a key element of a clinical system stops working as effectively. The question then is over the risk of not patching, including potential remedial action, versus the need for the clinical system. ‘We have to accept some things will get through that will cause cyber attacks on the NHS and social care. How we respond to those becomes crucial,’ he said.

Peter Sheppard, head of cyber assurance at business assurance services provider TIAA, agrees that clinical applications in medical devices pose a problem for trusts, particularly when they are internet enabled. Generally, there is no requirement for the vendors to update software to prevent cyber attacks.

Mr Sheppard says the standard procurement terms and conditions must be changed to include updates and patches. ‘We aren’t seeing a huge amount of assurance, but we’re not talking about science fiction here. You can envisage the scenario where a medical device connected to the internet is used to leverage another attack or cause someone harm. NHS organisations are starting to wake up to that.

‘The chief executive of the National Cyber Security Centre has warned we are facing a category one event – Wannacry was a category two. A category one will affect or put at risk patient safety.’

It has recently been revealed that there is a vulnerability in the chips used in many computers, and that would-be hackers with little technical knowledge can buy off-the-shelf software to attack organisations or individuals.

In the past experts said it was a case of when, not if, the NHS would suffer a widespread attack. It’s still the case, but keeping up with cyber threats is like a game of whack-a-mole – knock down one and another pops up.

Minimising the threat

University Hospitals of Morecambe Bay NHS Foundation Trust had taken serious action on cyber security, with a weekly threat assessment and protocols to patch its networked devices regularly, but it was still hit by the Wannacry attack.

The trust is connected to a shared network across the North West and, once the virus was in the network, it moved quickly to infect machines at the trust. Nevertheless, only 0.5% of the trust’s PCs (including those the trust supports in local general practices) were affected. This was because the patch that closed the vulnerability exploited by Wannacry was applied to most PCs as part of its regular patching policy, explains trust chief information officer Andy Wicks.

Servers for some critical clinical systems, such as pathology, were affected in the attack on Friday 12 May, but were back up and running by the Monday morning.

To minimise the impact on patient care, before Wannacry these systems were not patched immediately unless a review of NHS Digital’s weekly CareCert bulletin raised a high-severity alarm, Mr Wicks says. Vulnerabilities classed as medium risk (including the one used by Wannacry) and low risk were patched on an ad hoc basis, when time could be negotiated with users.

The trust has changed this policy and, while continuing its weekly threat assessment, all servers are now patched every month. This includes critical systems, which are patched out-of-hours to minimise disruption. Working with senior operational leaders, the IT team has also reviewed its list of priority systems, ensuring vital systems are fixed first in the case of an attack. It has also developed a tool that flags up where patches have not been applied.
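The patching policy described above (act at once on high-severity alerts, put everything else on a monthly cycle, fix the priority clinical systems first, and flag devices where patches have not been applied) can be expressed as a small compliance check. The script below is an added illustration written for this article; it is not the Morecambe Bay trust's tool or anything published by NHS Digital, and the alert references, patch identifiers, hostnames, dates and the 31-day cycle length are all constructed placeholders.

```python
"""Flag devices that have not applied the patches called for by security alerts.

Policy modelled (an assumption, based on the article's description):
  * high-severity alerts are patched immediately;
  * other alerts ride the monthly patch cycle, so a device that has fallen
    out of that cycle is flagged as urgent even for medium/low alerts;
  * findings are listed with vital (tier 1) clinical systems first.
All identifiers and dates in the sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_CYCLE = timedelta(days=31)          # assumed length of the monthly cycle
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Alert:
    alert_id: str      # bulletin reference (constructed placeholder)
    severity: str      # "high", "medium" or "low"
    patch_id: str      # update the alert asks organisations to apply
    issued: date


@dataclass
class Asset:
    hostname: str
    tier: int          # 1 = vital clinical system, fixed first
    installed: frozenset
    last_patched: date


@dataclass(frozen=True)
class Finding:
    hostname: str
    tier: int
    alert_id: str
    patch_id: str
    severity: str
    urgent: bool
    reason: str


def classify(asset, alert, today):
    """Decide whether a missing patch needs action now or can wait for the next window."""
    if alert.severity == "high":
        return True, "high-severity alert: patch now"
    if today - asset.last_patched > PATCH_CYCLE:
        return True, f"device missed its monthly cycle (last patched {asset.last_patched.isoformat()})"
    return False, "schedule for next monthly patch window"


def missing_patches(assets, alerts, today):
    """One Finding per (asset, alert) pair whose patch is not installed,
    sorted so tier-1 systems and high-severity alerts come first."""
    findings = []
    for asset in assets:
        for alert in alerts:
            if alert.patch_id in asset.installed:
                continue
            urgent, reason = classify(asset, alert, today)
            findings.append(Finding(asset.hostname, asset.tier, alert.alert_id,
                                    alert.patch_id, alert.severity, urgent, reason))
    findings.sort(key=lambda f: (f.tier, SEVERITY_RANK[f.severity], f.hostname))
    return findings


def summary(findings):
    """Headline figures of the kind an organisation would report on its response to alerts."""
    hosts_high = {f.hostname for f in findings if f.severity == "high"}
    return {
        "outstanding": len(findings),
        "urgent": sum(1 for f in findings if f.urgent),
        "hosts_missing_high_severity_patch": len(hosts_high),
    }


# Constructed sample data: two alerts and three devices; patch IDs are placeholders.
SAMPLE_ALERTS = [
    Alert("CC-2018-001", "high", "KB-PLACEHOLDER-1", date(2018, 1, 20)),
    Alert("CC-2018-002", "medium", "KB-PLACEHOLDER-2", date(2018, 2, 5)),
]
SAMPLE_ASSETS = [
    Asset("path-srv-01", 1, frozenset({"KB-PLACEHOLDER-2"}), date(2018, 2, 10)),
    Asset("imaging-srv-02", 1, frozenset(), date(2017, 12, 1)),
    Asset("pc-0042", 3, frozenset({"KB-PLACEHOLDER-1"}), date(2018, 2, 10)),
]
SAMPLE_TODAY = date(2018, 2, 27)

if __name__ == "__main__":
    results = missing_patches(SAMPLE_ASSETS, SAMPLE_ALERTS, SAMPLE_TODAY)
    for f in results:
        flag = "URGENT" if f.urgent else "scheduled"
        print(f"[{flag}] tier {f.tier} {f.hostname}: {f.patch_id} "
              f"({f.alert_id}, {f.severity}) - {f.reason}")
    print(summary(results))
```

Run as a script it lists the four outstanding patches in the sample, three of them urgent: the two tier-1 servers missing the high-severity patch, the imaging server that has also drifted out of the monthly cycle, and one PC whose medium-severity patch can wait for the next window. In practice the asset inventory would come from the organisation's own management tooling rather than from literals, but the ordering rule (priority tier, then severity) is the part worth keeping.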

‘I think we are well prepared, and I can say that with confidence because of how our regular patching led to a low PC infection rate. We understand why some servers were affected and we have taken steps to address that.’

He adds that NHS organisations must keep up to date with operating systems, which would be most cost-effective through a national licence agreement with Microsoft. 

‘In the absence of a national agreement, it is important trusts prioritise the necessary funding to access the latest operating systems from Microsoft, which are more secure and less vulnerable.’

Supporting documents
Securing access - March 2018