21.01.16
Tackling cyber security collectively
Source: NHE Jan/Feb 16
Dan Taylor, programme head of cyber security at the Health and Social Care Information Centre, explains how a co-ordinated approach is being developed to tackle cyber security across the health and social care system.
Tackling the growing threat of cyber security across the health and social care sector will require more investment in frontline staff as well as new processes, NHE has been told.
Back in September 2015, the Health and Social Care Information Centre (HSCIC) announced that from January this year a Care Computer Emergency Response Team (CareCERT) would go live.
The CareCERT service, commissioned by the Department of Health, aims to offer advice and guidance to organisations to help them respond effectively to cyber threats. It consists of three key services: a national cyber security incident management function; issuing national level threat advisories, for immediate broadcast to organisations across the health and social care sector; and publishing good practice guidance on cyber security for the health and social care system.
NHE caught up with Dan Taylor, programme head of cyber security at HSCIC, to discuss the development of the project and what it aims to achieve in the coming year.
Early developments
We were told that HSCIC and project partner BT have spent the last few months focusing on developing HSCIC’s contact database, and on how it broadcasts its advice messages and guides.
Taylor said: “At the end of October, we achieved a contact database, and we agreed a scope with organisations which we were going to contact in the initial phase. They were who you would expect: NHS trusts, GPs, partnerships, local authorities, social care and those types of organisations.
“Within those organisations we then got named contacts who were the IT or security specialists. We now have 95% of contacts across these organisations, which means for the first time we have got a way to broadcast information to people at the heart of health and social care.”
As part of a phased implementation process, the team has now started emailing their CareCERT cyber security bulletins and alerts direct to staff on a regular basis, informing organisations about cyber security vulnerabilities, mitigating risks, and reacting to cyber security threats and attacks.
Taylor added that the project’s implementation is still a “learning process” and the CareCERT team, made up of a small number of HSCIC and BT analysts, is looking to “optimise and add value” after receiving feedback from its customers.
Contacting customers
Commissioning support units (CSUs) are generally responsible for IT security for many GP surgeries, which are often too small-scale to have the level of expertise required themselves. NHE asked Taylor how HSCIC’s emailing campaign had been received by these various organisations, and whether that trend looks set to change.
He said: “We are actually doing some work at the moment with GPs, CSUs and CCGs. We are broadcasting to all CCGs, CSUs and GPs together. Part of the engagement work I talked about earlier is what the preferences are for GPs, and who takes responsibility. At the moment I think it is fair to say that many GPs are contacting CCGs and CSUs to ask for guidance.
“But because we are broadcasting to CCGs and GPs, everyone is at the same level of understanding. The CCGs know that the GPs are going to come to them, the GPs have an idea of what their threat profile might be, but the one thing we are working through now is what is the most efficient [communication] route. Is it to work directly with the CCGs, who then contact the GPs? Or should it be sent to everyone?
“I think we’ll have a handle on that by the end of the financial year.”
But North of England Commissioning Support (NECS) recently told GP surgeries that it had requested (with the agreement of CCGs) that the HSCIC stops emailing the CareCERT alerts direct to GP practices, because it is “managing these proactively on your [GPs’] behalf”.
NECS said its own IT security team receive the communications from HSCIC and they are “proactively assessed as soon as they are received”.
“If there is any appropriate action that needs to be taken as a result of these communications, please be assured that NECS will communicate these out as soon as possible to all affected customers,” said the organisation. “Just as an example, two out of the last three CareCERT alerts were for vulnerabilities in third party products that we do not even have on any devices across our entire IT estate (McAfee Security Manager & Juniper ScreenOS) – so no action was required.”
Value of aggregation
But Taylor told us that one of the key benefits of CareCERT is that there is value in the “aggregation of information”.
“One of the key things that CareCERT has delivered for us is the idea that if we see something in one area – a threat profile or something that has been developed within a trust – we take that learning and can broadcast that out,” he said.
“If you can tackle problems, such as malware threats, before they happen it means we can learn as we go and benefit from a greater level of protection.”
e-learning investment
HSCIC is procuring a national online training platform for dealing with cyber security, accessible for all health and social care practitioners.
“We need to focus and invest in our people,” said Taylor. “There is often a focus on technology [to fight cyber threats] and it is actually the people processing technology.”
He added that the 1.3 million people who make up the NHS workforce are the “first line of protection” against cyber threats. Taylor also hopes that by offering training to staff then there will be greater protection across the system.
“That training platform is being procured now and will be brought online in a test-phase,” he said.
The e-learning will feature courses aimed at different people within an organisation. For instance, there will be modules for everyone looking to improve cyber security; more technical courses for IT professionals; and a board-level module, which looks at what the responsibilities are of responsible owners. Although HSCIC would not give exact dates for the roll out of the programme, Taylor said: “We fully intend to deliver the training platform in the financial year 2016-17.”
Gold standard
Over the next year, the HSCIC team will improve and optimise the services within CareCERT. “One of the big things for us next year is to ensure that CareCERT gets seen as the ‘brand of recognition’: that if you have something from CareCERT, such as an alert, it is seen as the gold standard, and is something to take note of. There are a lot of falsehoods in cyber security, so having that trusted brand is quite important.”
HSCIC added that engagement with NHS and social care organisations has played a major part in the development of CareCERT, and will continue to do so. “It is very important to understand what they want,” said Taylor. “CareCERT allows NHS organisations to benefit from a level of security expertise that they might not have on the ground, and the advisories can give them the information they are not going to get any other way.
“There isn’t going to be a security professional in every GP surgery, so hopefully they [the alerts and guides] should add real value very quickly.”
Tell us what you think – have your say below or email [email protected]