Health Service Focus

21.01.16

Tackling cyber security collectively

Source: NHE Jan/Feb 16

Dan Taylor, programme head of cyber security at the Health and Social Care Information Centre, explains how a co-ordinated approach is being developed to tackle cyber security across the health and social care system.

Tackling the growing threat of cyber security across the health and social care sector will require more investment in frontline staff as well as new processes, NHE has been told. 

Back in September 2015, the Health and Social Care Information Centre (HSCIC) announced that from January this year a Care Computer Emergency Response Team (CareCERT) would go live.

The CareCERT service, commissioned by the Department of Health, aims to offer advice and guidance to organisations to help them respond effectively to cyber threats. It consists of three key services: a national cyber security incident management function; issuing national level threat advisories, for immediate broadcast to organisations across the health and social care sector; and publishing good practice guidance on cyber security for the health and social care system. 

NHE caught up with Dan Taylor, programme head of cyber security at HSCIC, to discuss the development of the project and what it aims to achieve in the coming year. 

Early developments 

We were told that HSCIC and project partner BT have spent the last few months focusing on developing HSCIC’s contact database, and on how it broadcasts its advice messages and guides. 

Taylor said: “At the end of October, we achieved a contact database, and we agreed a scope with organisations which we were going to contact in the initial phase. They were who you would expect: NHS trusts, GPs, partnerships, local authorities, social care and those types of organisations. 

“Within those organisations we then got named contacts who were the IT or security specialists. We now have 95% of contacts across these organisations, which means for the first time we have got a way to broadcast information to people at the heart of health and social care.” 

As part of a phased implementation process, the team has now started emailing their CareCERT cyber security bulletins and alerts direct to staff on a regular basis, informing organisations about cyber security vulnerabilities, mitigating risks, and reacting to cyber security threats and attacks. 

Taylor added that the project’s implementation is still a “learning process” and the CareCERT team, made up of a small number of HSCIC and BT analysts, is looking to “optimise and add value” after receiving feedback from its customers. 

Contacting customers 

Commissioning support units (CSUs) are generally responsible for IT security for many GP surgeries, which are often too small-scale to have the level of expertise required themselves. NHE asked Taylor how HSCIC’s emailing campaign had been received by these various organisations, and whether that trend looks set to change. 

He said: “We are actually doing some work at the moment with GPs, CSUs and CCGs. We are broadcasting to all CCGs, CSUs and GPs together. Part of the engagement work I talked about earlier is what the preferences are for GPs, and who takes responsibility. At the moment I think it is fair to say that many GPs are contacting CCGs and CSUs to ask for guidance. 

“But because we are broadcasting to CCGs and GPs, everyone is at the same level of understanding. The CCGs know that the GPs are going to come to them, the GPs have an idea of what their threat profile might be, but the one thing we are working through now is what is the most efficient [communication] route. Is it to work directly with the CCGs, who then contact the GPs? Or should it be sent to everyone? 

“I think we’ll have a handle on that by the end of the financial year.” 

But North of England Commissioning Support (NECS) recently told GP surgeries that it had requested (with the agreement of CCGs) that the HSCIC stops emailing the CareCERT alerts direct to GP practices, because it is “managing these proactively on your [GPs’] behalf”. 

NECS said its own IT security team receive the communications from HSCIC and they are “proactively assessed as soon as they are received”. 

“If there is any appropriate action that needs to be taken as a result of these communications, please be assured that NECS will communicate these out as soon as possible to all affected customers,” said the organisation. “Just as an example, two out of the last three CareCERT alerts were for vulnerabilities in third party products that we do not even have on any devices across our entire IT estate (McAfee Security Manager & Juniper ScreenOS) – so no action was required.” 

Value of aggregation 

But Taylor told us that one of the key benefits of CareCERT is that there is value in the “aggregation of information”. 

“One of the key things that CareCERT has delivered for us is the idea that if we see something in one area – a threat profile or something that has been developed within a trust – we take that learning and can broadcast that out,” he said. 

“If you can tackle problems, such as malware threats, before they happen it means we can learn as we go and benefit from a greater level of protection.” 

e-learning investment 

HSCIC is procuring a national online training platform for dealing with cyber security, accessible for all health and social care practitioners. 

“We need to focus and invest in our people,” said Taylor. “There is often a focus on technology [to fight cyber threats] and it is actually the people processing technology.” 

He added that the 1.3 million people who make up the NHS workforce are the “first line of protection” against cyber threats. Taylor also hopes that by offering training to staff then there will be greater protection across the system. 

“That training platform is being procured now and will be brought online in a test-phase,” he said.

The e-learning will feature courses aimed at different people within an organisation. For instance, there will be modules for everyone looking to improve cyber security; more technical courses for IT professionals; and a board-level module, which looks at what the responsibilities are of responsible owners. Although HSCIC would not give exact dates for the roll out of the programme, Taylor said: “We fully intend to deliver the training platform in the financial year 2016-17.” 

Gold standard 

Over the next year, the HSCIC team will improve and optimise the services within CareCERT. “One of the big things for us next year is to ensure that CareCERT gets seen as the ‘brand of recognition’: that if you have something from CareCERT, such as an alert, it is seen as the gold standard, and is something to take note of. There are a lot of falsehoods in cyber security, so having that trusted brand is quite important.” 

HSCIC added that engagement with NHS and social care organisations has played a major part in the development of CareCERT, and will continue to do so. “It is very important to understand what they want,” said Taylor. “CareCERT allows NHS organisations to benefit from a level of security expertise that they might not have on the ground, and the advisories can give them the information they are not going to get any other way. 

“There isn’t going to be a security professional in every GP surgery, so hopefully they [the alerts and guides] should add real value very quickly.”

Tell us what you think – have your say below or email opinion@nationalhealthexecutive.com

 

Comments

There are no comments. Why not be the first?

Add your comment

 

national health executive tv

more videos >

latest healthcare news

First NHS trusts introduce NHS SBS’ The Edge4Health

16/01/2020First NHS trusts introduce NHS SBS’ The Edge4Health

A major new procurement platform developed by NHS Shared Business Services (NHS SBS), The Edge4Health, is being adopted by NHS trust staff across... more >
NHS mental health director demands urgent gambling action

16/01/2020NHS mental health director demands urgent gambling action

The director of NHS mental health, Claire Murdoch, has penned a written plea to the heads of top gambling firms, urging them to take action on im... more >
Transforming services: We need a left shift not a left drift

16/01/2020Transforming services: We need a left shift not a left drift

Dean Royles, strategic workforce advisor at Skills for Health and co-author of ‘An Introduction to Human Resource Management,’ discus... more >

editor's comment

25/09/2017A hotbed of innovation

This edition of NHE comes hot on the heels of this year’s NHS Expo which, once again, proved to be a huge success at Manchester Central. A number of announcements were made during the event, with the health secretary naming the second wave of NHS digital pioneers, or ‘fast followers’, which follow the initial global digital e... read more >

last word

Haseeb Ahmad: ‘We all have a role to play in getting innovations quicker’

Haseeb Ahmad: ‘We all have a role to play in getting innovations quicker’

Haseeb Ahmad, president of the Association of the British Pharmaceutical Industry (ABPI), sits down with National Health Executive as part of our Last Word Q&A series. Would you talk us th... more > more last word articles >

the scalpel's daily blog

Transforming services: We need a left shift not a left drift

16/01/2020Transforming services: We need a left shift not a left drift

Dean Royles, strategic workforce advisor at Skills for Health and co-author of ‘An Introduction to Human Resource Management,’ discusses the need to move the treatment of patients from primary to secondary care and how the NHS People Plan can help achieve this. Throughout my (overlong) career in the NHS, the national policy on modernising the way NHS services are delivered has been pretty consistent. All recent governments; ... more >
read more blog posts from 'the scalpel' >

comment

NHS England dementia director prescribes rugby for mental health and dementia patients

23/09/2019NHS England dementia director prescribes rugby for mental health and dementia patients

Reason to celebrate as NHS says watching rugby can be good for your mental health and wellbeing. As the best rugby players in the world repr... more >
Peter Kyle MP: It’s time to say thank you this Public Service Day

21/06/2019Peter Kyle MP: It’s time to say thank you this Public Service Day

Taking time to say thank you is one of the hidden pillars of a society. Being on the receiving end of some “thanks” can make communit... more >
Nurses named as least-appreciated public sector workers

13/06/2019Nurses named as least-appreciated public sector workers

Nurses have been named as the most under-appreciated public sector professionals as new research reveals how shockingly under-vauled our NHS, edu... more >
Helpforce to launch training programmes for NHS volunteers

10/06/2019Helpforce to launch training programmes for NHS volunteers

Kay Fawcett OBE, clinical advisor and education lead at Helpforce, and Lynn Twinn, talent development consultant, outline the new national traini... more >
Creating the Cardigan integrated care centre

10/06/2019Creating the Cardigan integrated care centre

Peter Skitt, county director and commissioner for Ceredigion Hywel Dda University Health Board, looks ahead to the new integrated care centre bei... more >

interviews

Mike Farrar, Swim England - Last Word

07/12/2019Mike Farrar, Swim England - Last Word

Mike Farrar Chairperson of Swim England Would you talk us through your previous roles within the NHS? I’ve held a number of ... more >
Matt Hancock says GP recruitment is on the rise to support ‘bedrock of the NHS’

24/10/2019Matt Hancock says GP recruitment is on the rise to support ‘bedrock of the NHS’

Today, speaking at the Royal College of General Practitioners (RCGP) annual conference, Matt Hancock highlighted what he believes to be the three... more >
NHS dreams come true for Teesside domestic

17/09/2019NHS dreams come true for Teesside domestic

Over 20 years ago, a Teesside hospital cleaner put down her mop and took steps towards her midwifery dreams. Lisa Payne has been delivering ... more >
How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

24/10/2018How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

A dedicated national social care service could be a potential solution to surging demand burdening acute health providers over the winter months,... more >
RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

24/10/2018RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

The president of the Royal College of Physicians (RCP) has told NHE that the college’s new headquarters based in Liverpool will become a hu... more >