14.02.19

ICO: Cyber security and the NHS

Source: NHE Jan/Feb 2019

Peter Brown, acting head of technology policy at the Information Commissioner's Office (ICO), explains the importance of good practice in data protection and cyber security for the NHS, almost two years on from the WannaCry cyber-attack.

If you asked the average person on the street what they thought the worst consequences of a cyber attack would be, they would most likely think about stolen bank accounts or credit card details, identity theft, or that they’d probably have to reset their passwords (again).

However, bad actors aren’t always looking for things like financial gain or stolen identities – they can be motivated in many ways. Some set out to cause annoyance or inconvenience, others to cause real harm. They can be so-called ‘script kiddies’ up to state-sponsored ‘hacking collectives’ and everything in between.

Public sector organisations, like those in the NHS, may not always handle the same volume of customer or financial information that their commercial and private sector counterparts do. However, they may process personal data of a highly sensitive nature, such as health information, known as ‘special category data’ in data protection law. This data carries a higher level of risk, and the organisations processing it cannot be complacent when it comes to cyber security.

This was starkly demonstrated by the WannaCry incident of May 2017, in which thousands of patients became collateral damage. WannaCry was a global ransomware attack affecting an estimated 200,000 computers in 100 countries. Although not specifically targeted at the UK’s hospitals, surgeries, and clinics, it affected a third of NHS trusts and eight percent of GP practices.

We know the attack caused the cancellation of almost 7,000 appointments, with an estimated 19,000 follow-ups also being affected. It cost the NHS £20m in just one week, with a further £72m spent on subsequent clean-up and IT upgrades.

Investigators later concluded that WannaCry was likely to have been the work of state-sponsored North Korean cyber-attackers – so, in this case, profit is unlikely to have been the motivating factor. However, the consequences were severe and eminently avoidable.

It later emerged that affected NHS organisations were using unpatched or unsupported versions of Microsoft Windows and were not appropriately managing their firewalls to ensure that their networks and systems were protected.

WannaCry quickly became the largest ever cyber attack to affect the NHS in England. A report by the National Audit Office (NAO) concluded that whilst the exploits used by WannaCry were technically advanced, the attack itself was relatively unsophisticated and could have been avoided altogether if NHS bodies had followed basic IT security good practice.

It’s important to note that whilst these measures are fairly basic, their implementation can be difficult within large, complex IT infrastructures such as those in the NHS. Nevertheless, the NAO report revealed that the Department of Health and Social Care was warned about the risks of cyber attacks a year before WannaCry – and although work was underway to mitigate these risks, the department did not provide a written report on its progress until July 2017.

Poor communication procedures also meant that local NHS organisations didn’t know how to respond appropriately to what was happening or who would lead that response, and the NAO said this was another key factor in the handling of the attack.

The NHS has accepted that there are lessons to learn from WannaCry. Since then, NHS England and NHS Improvement have written to every NHS trust, clinical commissioning group, and commissioning support unit to ensure that they have taken account of all cyber alerts and implemented appropriate measures to deal with them.

Although it can be difficult to stay on top of all IT security issues in large organisations, particularly those of the size, scale, and nature of the NHS, data protection law requires that they take appropriate steps to protect the personal data they hold.

Since WannaCry, we’ve seen the introduction of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). These modernise data protection laws for the digital age, and strengthen not just the rules around how organisations process personal data, but also the rights individuals have in respect of that data.

One of its key principles is that personal data should be processed securely by implementing appropriate technical and organisational measures – the so-called “security principle.” However, this isn’t new – we’ve had a security principle since the first data protection laws were passed almost forty years ago.

“Appropriate security” depends on a number of factors, including the nature of the personal data an organisation processes, the risk the processing poses to the individuals’ rights and freedoms, the resources an organisation has, and the available tools to help protect that data.

This doesn’t mean organisations have to have the latest and best of everything – it depends on the circumstances of the processing. The key is that organisations take proper steps to ensure that the personal data they process is secure. Organisations wanting to know more about the GDPR’s security principle should read the section about security in our ‘Guide to the GDPR.’

We’ve also worked closely with the National Cyber Security Centre, the UK’s technical authority on cyber threats, in developing a set of security outcomes organisations can use when trying to determine the measures that are appropriate for them. These include:

  • Managing security risk – having appropriate organisational structures, policies, and processes to manage security risks to personal data;
  • Protecting personal data against cyber-attack – having appropriate security measures that cover both the personal data that’s processed, as well as the systems that process it;
  • Detecting security events – monitoring the status of systems processing personal data, and ensuring that unexpected events can be acted on in an appropriate timeframe;
  • Minimising the impact – restoring systems and services, managing incidents appropriately, and learning lessons for the future.

There are many things organisations can do quite easily, like keeping IT up-to-date, ensuring staff are appropriately trained (e.g. to spot phishing emails), managing user access, and getting certified under the Cyber Essentials scheme.

However, security isn’t just a legal requirement – it supports good data governance and helps demonstrate compliance with data protection law. We’ve seen that poor security can cause real harm and distress to individuals, and the law says they are entitled to be protected.

Building a culture of security awareness goes a long way towards providing that protection, but it’s only the beginning. Developing a framework for strengthening information rights, working with your partners to implement it, training your workforce to use it, and talking to your patients about it, are all important steps in this journey.
