ICO: Cyber security and the NHS

Source: NHE Jan/Feb 2019

Peter Brown, acting head of technology policy at the Information Commissioner's Office (ICO), explains the importance of good practice in data protection and cyber security for the NHS, almost two years on from the WannaCry cyber-attack.

If you asked the average person on the street what they thought the worst consequences of a cyber attack would be, they would most likely think about stolen bank accounts or credit card details, identity theft, or that they’d probably have to reset their passwords (again).

However, bad actors aren’t always looking for financial gain or stolen identities – they can be motivated in many ways. Some set out to cause annoyance or inconvenience, others to cause real harm. They range from so-called ‘script kiddies’ to state-sponsored groups, with everything in between.

Public sector organisations, like those in the NHS, may not always handle the same volume of customer or financial information that their commercial and private sector counterparts do. However, they may process personal data of a highly sensitive nature, such as health information, known as ‘special category data’ in data protection law. Processing this data carries a higher level of risk to the individuals concerned, so these organisations cannot be complacent when it comes to cyber security.

This was starkly demonstrated by the WannaCry incident of May 2017, in which thousands of patients became collateral damage. WannaCry was a global ransomware attack affecting an estimated 200,000 computers in 100 countries. Although not specifically targeted at the UK’s hospitals, surgeries, and clinics, it affected a third of NHS trusts and eight percent of GP practices.

We know the attack directly caused the cancellation of almost 7,000 appointments, with an estimated 19,000 appointments affected in total once follow-ups are included. It cost the NHS £20m in just one week, with a further £72m spent on subsequent clean-up and IT upgrades.

Investigators later concluded that WannaCry was likely to have been the work of state-sponsored North Korean cyber-attackers – so, in this case, profit is unlikely to have been the motivating factor. However, the consequences were severe and eminently avoidable.

It later emerged that affected NHS organisations were using unpatched or unsupported versions of Microsoft Windows and were not appropriately managing their firewalls to ensure that their networks and systems were protected. The flaw WannaCry used to spread, in the SMBv1 file-sharing service, had been fixed by Microsoft’s MS17-010 update in March 2017, two months before the attack, and the worm could only reach a machine on which that service was both unpatched and exposed to the network.
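The three findings above (unsupported operating system, missing patch, SMB reachable through the firewall) are exactly what a basic patch-and-exposure audit checks for. The following is an added illustration, not code from the article, the ICO or the NAO: it runs a small rule set over a constructed host inventory. The host names, the set of operating systems treated as out of support, and the use of the bulletin identifier MS17-010 rather than per-release KB numbers are all assumptions made for the example.

```python
"""Patch-and-exposure audit for the WannaCry-style failure mode.

A host is flagged for each of the conditions the NAO identified, and is
reported as 'wormable' only when all of them line up: the SMBv1 fix is
missing (or cannot be installed because the OS is unsupported), SMBv1 is
still switched on, and TCP 445 is reachable from a network that should
not be able to talk to it.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption for the example: Windows releases treated as out of support
# in May 2017. Check Microsoft's lifecycle pages for a real audit.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003", "Windows 8"}
# The March 2017 bulletin that fixed the SMBv1 flaw WannaCry exploited.
SMB_PATCH = "MS17-010"
SMB_PORT = 445


@dataclass
class Host:
    name: str
    os: str
    patches: set[str]            # bulletin/KB identifiers confirmed installed
    smbv1_enabled: bool
    inbound_open_ports: set[int]  # TCP ports the firewall lets in from untrusted networks


def assess(host: Host) -> list[str]:
    """Return one finding per basic-hygiene failure on this host."""
    findings: list[str] = []
    if host.os in UNSUPPORTED_OS:
        findings.append(f"{host.os} is out of support: no routine security updates")
    if SMB_PATCH not in host.patches:
        findings.append(f"{SMB_PATCH} not applied")
    if host.smbv1_enabled:
        findings.append("SMBv1 enabled (legacy protocol should be disabled)")
    if SMB_PORT in host.inbound_open_ports:
        findings.append(f"TCP {SMB_PORT} reachable from untrusted networks")
    return findings


def wormable(host: Host) -> bool:
    """True if the host can be infected over the network with no user action.

    Note that 'untrusted' includes other internal segments: once one machine
    is infected, every peer that can reach its port 445 is the next victim,
    so flat internal networks make this condition far more common.
    """
    unpatched = host.os in UNSUPPORTED_OS or SMB_PATCH not in host.patches
    return unpatched and host.smbv1_enabled and SMB_PORT in host.inbound_open_ports


def audit(hosts: list[Host]) -> dict[str, list[str]]:
    """Map each host name to its findings; hosts with none are still listed."""
    return {h.name: assess(h) for h in hosts}


# Constructed inventory for the example; not real NHS systems.
INVENTORY = [
    Host("mri-console-01", "Windows XP", set(), True, {445, 3389}),
    Host("ward-pc-07", "Windows 7", {SMB_PATCH}, True, {445}),
    Host("file-srv-02", "Windows Server 2012 R2", {SMB_PATCH}, False, set()),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        status = "WORMABLE" if wormable(next(h for h in INVENTORY if h.name == name)) else "ok"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The point of separating `assess` from `wormable` is that a hardening programme can be prioritised: a machine that is unpatched but unreachable on port 445 is a backlog item, whereas one where all three conditions hold is the kind of system WannaCry took down, and needs the firewall rule or the patch before anything else.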

WannaCry quickly became the largest ever cyber attack to affect the NHS in England. A report by the National Audit Office (NAO) concluded that whilst the exploits used by WannaCry were technically advanced, the attack itself was relatively unsophisticated and could have been avoided altogether if NHS bodies had followed basic IT security good practice.

It’s important to note that whilst these measures are fairly basic, their implementation can be difficult within large, complex IT infrastructures such as those in the NHS. Nevertheless, the NAO report revealed that the Department of Health and Social Care was warned about the risks of cyber attacks a year before WannaCry – and although work was underway to mitigate these risks, the department did not provide a written report on its progress until July 2017.

Poor communication procedures also meant that local NHS organisations didn’t know how to respond appropriately to what was happening or who would lead that response, and the NAO said this was another key factor in the handling of the attack.

The NHS has accepted that there are lessons to learn from WannaCry. Since then, NHS England and NHS Improvement have written to every NHS trust, clinical commissioning group, and commissioning support unit to ensure that they have taken account of all cyber alerts and implemented appropriate measures to deal with them.

Although it can be difficult to stay on top of all IT security issues in large organisations, particularly those of the size, scale, and nature of the NHS, data protection law requires that they take appropriate steps to protect the personal data they hold.

Since WannaCry, we’ve seen the introduction of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). These modernise data protection laws for the digital age, and strengthen not just the rules around how organisations process personal data, but also the rights individuals have in respect of that data.

One of its key principles is that personal data should be processed securely by implementing appropriate technical and organisational measures – the so-called “security principle” (in the GDPR, the integrity and confidentiality principle). However, this isn’t new – we’ve had a security principle since the first data protection laws were passed almost forty years ago.

“Appropriate security” depends on a number of factors, including the nature of the personal data an organisation processes, the risk the processing poses to the individuals’ rights and freedoms, the resources an organisation has, and the available tools to help protect that data.

This doesn’t mean organisations have to have the latest and best of everything – it depends on the circumstances of the processing. The key is that organisations take proper steps to ensure that the personal data they process is secure. Organisations wanting to know more about the GDPR’s security principle should read the section about security in our ‘Guide to the GDPR.’

We’ve also worked closely with the National Cyber Security Centre, the UK’s technical authority on cyber threats, in developing a set of security outcomes organisations can use when trying to determine the measures that are appropriate for them. These include:

  • Managing security risk – having appropriate organisational structures, policies, and processes to manage security risks to personal data;
  • Protecting personal data against cyber-attack – having appropriate security measures that cover both the personal data that’s processed, as well as the systems that process it;
  • Detecting security events – monitoring the status of systems processing personal data, and ensuring that unexpected events can be acted on in an appropriate timeframe;
  • Minimising the impact – restoring systems and services, managing incidents appropriately, and learning lessons for the future.

There are many things organisations can do quite easily, like keeping IT up-to-date, ensuring staff are appropriately trained (e.g. to spot phishing emails), managing user access, and getting certified under the Cyber Essentials scheme.

Security isn’t just a legal requirement – it supports good data governance and helps demonstrate compliance with data protection law. We’ve seen that poor security can cause real harm and distress to individuals, and the law says they are entitled to be protected.

Building a culture of security awareness goes a long way towards providing that protection, but it’s only the beginning. Developing a framework for strengthening information rights, working with your partners to implement it, training your workforce to use it, and talking to your patients about it, are all important steps in this journey.