Comment

06.06.18

WannaCry: Has enough progress been made in the NHS?

Source: NHE May/June 18

Last year's major cyber-attack highlighted the importance of being prepared for digital threats. But what progress has really been made since then, and what else needs to change to ensure the NHS isn't vulnerable? Adam Wright, policy officer for finances at NHS Providers, investigates.

It is widely perceived that the NHS has had a troubled history with digital transformation and information technology. That’s why, last year, many incorrectly jumped to the conclusion that a cyber-attack had been launched against the health service and subsequently labelled it “the NHS cyber-attack.” In fact, the WannaCry ransomware attack affected various companies ranging from Telefonica to Deutsche Bahn; the NHS was simply one of many victims.

But while the NHS was not the only organisation to suffer from the attack, its experience was unique. Delivering healthcare services, at scale, with the regulatory and funding constraints of the public sector, meant that the NHS needed a distinct response to the WannaCry incident. Fortunately, and in part thanks to the dedication of NHS staff, the attack had a limited impact on services and acted as a dress rehearsal for potential larger attacks. A year on, we need to review how much progress the NHS has made.

What has already happened?

Across the system, we now have a better understanding of the issues and challenges associated with cyber security. Since last year’s attack, we have had three national reviews, from the Public Accounts Committee (PAC), the National Audit Office and NHS England, as well as the government’s response to the Caldicott Review. The incident certainly acted as a catalyst for raising awareness of the issue of cyber security.

The national leadership of the NHS has prioritised the delivery of various infrastructure programmes. Chief among these initiatives is the recent Microsoft deal to bring in Windows 10. This operating system is more robust than its predecessors and should allow trusts to more easily detect viruses, phishing and malware.

Alongside this, NHS Digital has gone to market for a new NHS cyber security centre that will coordinate and take responsibility for NHS-wide cyber defences.

In terms of funding, £21m has been allocated to upgrade firewalls and network infrastructure in major trauma centres and ambulance trusts, while a further £25m of capital funding was set aside in 2017-18 to support trusts that were non-compliant against high-severity CareCERT alerts. Whilst these initiatives alone are not enough for trusts to adequately protect themselves from future threats, they are welcome, particularly given previous national sclerosis.

At local and regional levels, progress is being made to work more closely together on cyber security. There are good examples of sustainability and transformation partnerships developing joint incident response plans, as well as coordinating investment and procurement.

In addition to this, NHS Digital has implemented CareCERT Collect, which requires all NHS bodies to report within 48 hours on action they have taken on high-severity CareCERT alerts. Closer working and collaboration is a positive step towards better management of cyber security.

What still needs to happen?

One of the key themes that came out from the national reviews was around leadership at both the national and local levels, and in particular at board level. Local and national leaders need to stand up and take cyber security seriously, rather than simply seeing it as a cost pressure. NHS England’s head of architecture, Inderjit Singh, went as far as suggesting that cyber security is a board issue, not a technology issue. There is variation in the quality of cyber security leadership across the country, and in some cases it has almost been non-existent. NHS England’s recommendation that boards should appoint a lead on data security is the right one.

But an even more important development has been the establishment of the NHS Digital Academy, which will produce and train 300 digital leaders across the NHS over the next three years. This is an important step towards cyber security, and digital health more generally, becoming more prominent during board discussion. Developing the NHS’s digital leaders is a continuing process.

While there has been a lot of work diagnosing the issues, we still need to follow through on the multitude of recommendations that have been produced. Only last month, the PAC stated its concern at the lack of agreement on how to implement lessons learned. The £20m NHS cyber security centre, which had formed a key part of the national response, has been delayed and looks far from being launched.

But recommendations also need to be followed through at local level. For example, there needs to be more work undertaken by trusts with suppliers to ensure infrastructure is up to date. More broadly, the system needs to tackle the barriers which undermine its ability to act at pace; we know another attack is inevitable, so all need to operate at speed to build resilience.

Ultimately, however, a commitment to investment is needed to back up any progress that can be made. It was widely reported that one recommendation from NHS England’s initial review would cost £1bn alone. The £21m capital funding for major trauma centres and ambulance trusts was diverted from the Paperless 2020 agenda programme; it does not represent new money. We know trusts’ access to capital funding more generally has been suboptimal, and the WannaCry attack simply provided a very stark demonstration of how dangerous underinvestment is. In this context, genuinely new funding would be more effective for trusts who need to invest in order to take forward the lessons learned.

On the anniversary of the WannaCry attack, we can confidently point to the areas of cyber security where the NHS needs to improve. But the next attack is a question of ‘when,’ not ‘if.’

Across the system, the NHS needs to support and develop leaders who will be able to take forward the multiple recommendations that have been produced. This won’t work without adequate funding, which trusts currently struggle to access. Progress has been made over the last 12 months, but we can’t afford to lose momentum.

 
