Comment

06.06.18

WannaCry: Has enough progress been made in the NHS?

Source: NHE May/June 18

Last year's major cyber-attack highlighted the importance of being prepared for digital threats. But what progress has really been made since then, and what else needs to change to ensure the NHS isn't vulnerable? Adam Wright, policy officer for finances at NHS Providers, investigates.

It is widely perceived that the NHS has had a troubled history with digital transformation and information technology. That’s why, last year, many incorrectly jumped to the conclusion that a cyber-attack had been launched against the health service and subsequently labelled it “the NHS cyber-attack.” In fact, the WannaCry ransomware attack affected various companies ranging from Telefonica to Deutsche Bahn; the NHS was simply one of many victims.

But while the NHS was not the only organisation to suffer from the attack, its experience was unique. Delivering healthcare services, at scale, with the regulatory and funding constraints of the public sector, meant that the NHS needed a distinct response to the WannaCry incident. Fortunately, and in part thanks to the dedication of NHS staff, the attack had a limited impact on services and acted as a dress rehearsal for potential larger attacks. A year on, we need to review how much progress the NHS has made.

What has already happened?

Across the system, we now have a better understanding of the issues and challenges associated with cyber security. Since last year’s attack, we have had three national reviews, from the Public Accounts Committee (PAC), the National Audit Office and NHS England, as well as the government’s response to the Caldicott Review. The incident certainly acted as a catalyst for raising awareness of the issue of cyber security.

The national leadership of the NHS has prioritised the delivery of various infrastructure programmes. Chief among these initiatives is the recent Microsoft deal to bring in Windows 10. This operating system is more robust than its predecessors and should allow trusts to more easily detect viruses, phishing and malware.

Alongside this, NHS Digital has gone to market for a new NHS cyber security centre that will coordinate and take responsibility for NHS-wide cyber defences.

In terms of funding, £21m has been allocated to upgrade firewalls and network infrastructure in major trauma centres and ambulance trusts, while a further £25m of capital funding was set aside in 2017-18 to support trusts that were non-compliant against high-severity CareCERT alerts. Whilst these initiatives alone are not enough for trusts to adequately protect themselves from future threats, they are welcome, particularly given previous national sclerosis.

At local and regional levels, progress is being made to work more closely together on cyber security. There are good examples of sustainability and transformation partnerships developing joint incident response plans, as well as coordinating investment and procurement.

In addition to this, NHS Digital has implemented CareCERT Collect, which requires all NHS bodies to report within 48 hours on action they have taken on high-severity CareCERT alerts. Closer working and collaboration is a positive step towards better management of cyber security.

What still needs to happen?

One of the key themes that came out from the national reviews was around leadership at both the national and local levels, and in particular at board level. Local and national leaders need to stand up and take cyber security seriously, rather than simply seeing it as a cost pressure. NHS England’s head of architecture, Inderjit Singh, went as far as suggesting that cyber security is a board issue, not a technology issue. There is variation in the quality of cyber security leadership across the country, and in some cases it has almost been non-existent. NHS England’s recommendation that boards should appoint a lead on data security is the right one.

But an even more important development has been the establishment of the NHS Digital Academy, which will produce and train 300 digital leaders across the NHS over the next three years. This is an important step towards cyber security, and digital health more generally, becoming more prominent during board discussion. Developing the NHS’s digital leaders is a continuing process.

While there has been a lot of work diagnosing the issues, we still need to follow through on the multitude of recommendations that have been produced. Only last month, the PAC stated its concern at the lack of agreement on how to implement lessons learned. The £20m NHS cyber security centre, which had formed a key part of the national response, has been delayed and looks far from being launched.

But recommendations also need to be followed through at local level. For example, there needs to be more work undertaken by trusts with suppliers to ensure infrastructure is up to date. More broadly, the system needs to tackle the barriers which undermine its ability to act at pace; we know another attack is inevitable, so all need to operate at speed to build resilience.

Ultimately, however, a commitment to investment is needed to back up any progress that can be made. It was widely reported that one recommendation from NHS England’s initial review would cost £1bn alone. The £21m capital funding for major trauma centres and ambulance trusts was diverted from the Paperless 2020 agenda programme; it does not represent new money. We know trusts’ access to capital funding more generally has been suboptimal, and the WannaCry attack simply provided a very stark demonstration of how dangerous underinvestment is. In this context, genuinely new funding would be more effective for trusts who need to invest in order to take forward the lessons learned.

On the anniversary of the WannaCry attack, we can confidently point to the areas of cyber security where the NHS needs to improve. But the next attack is a question of ‘when,’ not ‘if.’

Across the system, the NHS needs to support and develop leaders who will be able to take forward the multiple recommendations that have been produced. This won’t work without adequate funding, which trusts currently struggle to access. Progress has been made over the last 12 months, but we can’t afford to lose momentum.

 
