ICO: Cyber security and the NHS

Source: NHE Jan/Feb 2019

Peter Brown, acting head of technology policy at the Information Commissioner's Office (ICO), explains the importance of good practice in data protection and cyber security for the NHS, almost two years on from the WannaCry cyber-attack.

If you asked the average person on the street what they thought the worst consequences of a cyber attack would be, they would most likely think about stolen bank accounts or credit card details, identity theft, or that they’d probably have to reset their passwords (again).

However, bad actors aren’t always looking for things like financial gain or stolen identities – they can be motivated in many ways. Some set out to cause annoyance or inconvenience, others to cause real harm. They can be so-called ‘script kiddies’ up to state-sponsored ‘hacking collectives’ and everything in between.

Public sector organisations, like those in the NHS, may not always handle the same volume of customer or financial information as their commercial and private sector counterparts. However, they may process personal data of a highly sensitive nature, such as health information, known as ‘special category data’ in data protection law. Processing this data carries a higher level of risk to the individuals concerned, and the organisations holding it cannot be complacent when it comes to cyber security.

This was starkly demonstrated by the WannaCry incident of May 2017, in which thousands of patients became collateral damage. WannaCry was a global ransomware attack affecting an estimated 200,000 computers in 100 countries. Although not specifically targeted at the UK’s hospitals, surgeries, and clinics, it affected a third of NHS trusts and eight percent of GP practices.

We know the attack caused the cancellation of almost 7,000 appointments, with an estimated 19,000 follow-ups also being affected. It cost the NHS £20m in just one week, with a further £72m spent on subsequent clean-up and IT upgrades.

Investigators later concluded that WannaCry was likely to have been the work of state-sponsored North Korean cyber-attackers – so, in this case, profit is unlikely to have been the motivating factor. However, the consequences were severe and eminently avoidable.

It later emerged that affected NHS organisations were using unpatched or unsupported versions of Microsoft Windows and were not appropriately managing their firewalls to ensure that their networks and systems were protected.

WannaCry quickly became the largest ever cyber attack to affect the NHS in England. A report by the National Audit Office (NAO) concluded that whilst the exploits used by WannaCry were technically advanced, the attack itself was relatively unsophisticated and could have been avoided altogether if NHS bodies had followed basic IT security good practice.

It’s important to note that whilst these measures are fairly basic, their implementation can be difficult within large, complex IT infrastructures such as those in the NHS. Nevertheless, the NAO report revealed that the Department of Health and Social Care was warned about the risks of cyber attacks a year before WannaCry – and although work was underway to mitigate these risks, the department did not provide a written report on its progress until July 2017.

Poor communication procedures also meant that local NHS organisations didn’t know how to respond appropriately to what was happening or who would lead that response, and the NAO said this was another key factor in the handling of the attack.

The NHS has accepted that there are lessons to learn from WannaCry. Since then, NHS England and NHS Improvement have written to every NHS trust, clinical commissioning group, and commissioning support unit to ensure that they have taken account of all cyber alerts and implemented appropriate measures to deal with them.

Although it can be difficult to stay on top of all IT security issues in large organisations, particularly those of the size, scale, and nature of the NHS, data protection law requires that they take appropriate steps to protect the personal data they hold.

Since WannaCry, we’ve seen the introduction of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). These modernise data protection laws for the digital age, and strengthen not just the rules around how organisations process personal data, but also the rights individuals have in respect of that data.

One of its key principles is that personal data should be processed securely by implementing appropriate technical and organisational measures – the so-called “security principle.” However, this isn’t new – we’ve had a security principle since the first data protection laws were passed almost forty years ago.

“Appropriate security” depends on a number of factors, including the nature of the personal data an organisation processes, the risk the processing poses to the individuals’ rights and freedoms, the resources an organisation has, and the available tools to help protect that data.

This doesn’t mean organisations have to have the latest and best of everything – it depends on the circumstances of the processing. The key is that organisations take proper steps to ensure that the personal data they process is secure. Organisations wanting to know more about the GDPR’s security principle should read the section about security in our ‘Guide to the GDPR.’

We’ve also worked closely with the National Cyber Security Centre, the UK’s technical authority on cyber threats, in developing a set of security outcomes organisations can use when trying to determine the measures that are appropriate for them. These include:

  • Managing security risk – having appropriate organisational structures, policies, and processes to manage security risks to personal data;
  • Protecting personal data against cyber-attack – having appropriate security measures that cover both the personal data that’s processed, as well as the systems that process it;
  • Detecting security events – monitoring the status of systems processing personal data, and ensuring that unexpected events can be acted on in an appropriate timeframe;
  • Minimising the impact – restoring systems and services, managing incidents appropriately, and learning lessons for the future.

There are many things organisations can do quite easily, like keeping IT up-to-date, ensuring staff are appropriately trained (e.g. to spot phishing emails), managing user access, and getting certified under the Cyber Essentials scheme.

However, security isn’t just a legal requirement – it supports good data governance and helps demonstrate compliance with data protection law. We’ve seen that poor security can cause real harm and distress to individuals, and the law says they are entitled to be protected.

Building a culture of security awareness goes a long way towards providing that protection, but it’s only the beginning. Developing a framework for strengthening information rights, working with your partners to implement it, training your workforce to use it, and talking to your patients about it, are all important steps in this journey.
