06.06.18
WannaCry: Has enough progress been made in the NHS?
Source: NHE May/June 18
Last year's major cyber-attack highlighted the importance of being prepared for digital threats. But what progress has really been made since then, and what else needs to change to ensure the NHS isn't vulnerable? Adam Wright, policy officer for finances at NHS Providers, investigates.
It is widely perceived that the NHS has had a troubled history with digital transformation and information technology. That’s why, last year, many incorrectly jumped to the conclusion that a cyber-attack had been launched against the health service and subsequently labelled it “the NHS cyber-attack.” In fact, the WannaCry ransomware attack affected various companies ranging from Telefonica to Deutsche Bahn; the NHS was simply one of many victims.
But while the NHS was not the only organisation to suffer from the attack, its experience was unique. Delivering healthcare services, at scale, with the regulatory and funding constraints of the public sector, meant that the NHS needed a distinct response to the WannaCry incident. Fortunately, and in part thanks to the dedication of NHS staff, the attack had a limited impact on services and acted as a dress rehearsal for potential larger attacks. A year on, we need to review how much progress the NHS has made.
What has already happened?
Across the system, we now have a better understanding of the issues and challenges associated with cyber security. Since last year’s attack, we have had three national reviews, from the Public Accounts Committee (PAC), the National Audit Office and NHS England, as well as the government’s response to the Caldicott Review. The incident certainly acted as a catalyst for raising awareness of the issue of cyber security.
The national leadership of the NHS has prioritised the delivery of various infrastructure programmes. Chief among these initiatives is the recent Microsoft deal to bring in Windows 10. This operating system is more robust than its predecessors and should allow trusts to more easily detect viruses, phishing and malware.
Alongside this, NHS Digital has gone to market for a new NHS cyber security centre that will coordinate and take responsibility for NHS-wide cyber defences.
In terms of funding, £21m has been allocated to upgrade firewalls and network infrastructure in major trauma centres and ambulance trusts, while a further £25m of capital funding was set aside in 2017-18 to support trusts that were non-compliant against high-severity CareCERT alerts. Whilst these initiatives alone are not enough for trusts to adequately protect themselves from future threats, they are welcome, particularly given previous national sclerosis.
At local and regional levels, progress is being made to work more closely together on cyber security. There are good examples of sustainability and transformation partnerships developing joint incident response plans, as well as coordinating investment and procurement.
In addition to this, NHS Digital has implemented CareCERT Collect, which requires all NHS bodies to report within 48 hours on action they have taken on high-severity CareCERT alerts. Closer working and collaboration is a positive step towards better management of cyber security.
What still needs to happen?
One of the key themes that came out from the national reviews was around leadership at both the national and local levels, and in particular at board level. Local and national leaders need to stand up and take cyber security seriously, rather than simply seeing it as a cost pressure. NHS England’s head of architecture, Inderjit Singh, went as far as suggesting that cyber security is a board issue, not a technology issue. There is variation in the quality of cyber security leadership across the country, and in some cases it has almost been non-existent. NHS England’s recommendation that boards should appoint a lead on data security is the right one.
But an even more important development has been the establishment of the NHS Digital Academy, which will produce and train 300 digital leaders across the NHS over the next three years. This is an important step towards cyber security, and digital health more generally, becoming more prominent during board discussion. Developing the NHS’s digital leaders is a continuing process.
While there has been a lot of work diagnosing the issues, we still need to follow through on the multitude of recommendations that have been produced. Only last month, the PAC stated its concern at the lack of agreement on how to implement lessons learned. The £20m NHS cyber security centre, which had formed a key part of the national response, has been delayed and looks far from being launched.
But recommendations also need to be followed through at local level. For example, there needs to be more work undertaken by trusts with suppliers to ensure infrastructure is up to date. More broadly, the system needs to tackle the barriers which undermine its ability to act at pace; we know another attack is inevitable, so all need to operate at speed to build resilience.
Ultimately, however, a commitment to investment is needed to back up any progress that can be made. It was widely reported that one recommendation from NHS England’s initial review would cost £1bn alone. The £21m capital funding for major trauma centres and ambulance trusts was diverted from the Paperless 2020 agenda programme; it does not represent new money. We know trusts’ access to capital funding more generally has been suboptimal, and the WannaCry attack simply provided a very stark demonstration of how dangerous underinvestment is. In this context, genuinely new funding would be more effective for trusts who need to invest in order to take forward the lessons learned.
On the anniversary of the WannaCry attack, we can confidently point to the areas of cyber security where the NHS needs to improve. But the next attack is a question of ‘when,’ not ‘if.’
Across the system, the NHS needs to support and develop leaders who will be able to take forward the multiple recommendations that have been produced. This won’t work without adequate funding, which trusts currently struggle to access. Progress has been made over the last 12 months, but we can’t afford to lose momentum.