As health authorities rushed to respond to the Covid-19 pandemic and develop treatments and vaccines, they became lucrative targets for cyber attacks. The National Cyber Security Centre recorded more than 700 instances last year, a quarter related directly to Covid-19. Just a few years earlier, in 2017, the NHS had been brought to the brink by the WannaCry ransomware attack.
To discuss this issue, and how health services should respond to cyber threats, the New Statesman convened a virtual round table discussion, sponsored by Sophos. The chair was Jon Bernstein, former deputy editor of the New Statesman.
The chair opened the discussion by asking Graham Ingram – chief information security officer from the University of Oxford, which developed a Covid-19 vaccine with pharmaceutical firm AstraZeneca – what he thought could be learned from the security around vaccine trials.
“The University of Oxford – it’s not one thing,” said Ingram. He explained that it has many departments, colleges and centres, underpinned by the values of academic freedom and independence, which is a great source of strength but makes it challenging to develop a “unified approach to information security”. A university is a host to multiple networks with a diverse range of equipment and data. As such, there are many parallels between the challenges faced by universities and NHS trusts.
Jonathan Lee, from Sophos’s public sector business unit, said this reflected the company’s experience with NHS clients, who are managing a diverse range of cyber security challenges between trusts, and even within them.
“Data is the new gold,” he said, adding that not everyone recognises the value that it has for cyber criminals. Lee said the focus should be on improving resilience through the “four P’s: people, products, process and physical impact”. That means ensuring people, from the board to the staff, are trained and understand their role in cyber security, ensuring products are as good as they can be against industry standards, testing processes through wargaming, and understanding and mitigating the risks these attacks have on the physical world.
The experience of WannaCry changed things, said Owen Powell, ICT director at Central and North West London NHS Foundation Trust. It meant people and organisations had to focus on data as well as more tangible impacts. He added that it also started a conversation about the state of the basic “boxes and wires” IT infrastructure in the NHS and how vital it is to cyber security.
Another problem is the use of “shadow IT”: systems outside the standard network that teams may need for specific purposes in order to do their job. Phil James, chief information officer for Warrington and Halton Hospitals NHS Trust, said the trust had embraced shadow IT and was working with its departments to ensure they have the specialist systems necessary and then “enabling them to meet our standards”.
By contrast, Ricky Mackennon, interim chief information officer at South London and Maudsley NHS Trust, said the trust does not promote shadow IT at all, and that it engages with its business partners to ensure that. “They sit in digital services, but they also go out and meet with the business leads in relation to what systems and what servers are both available,” he explained.
Several participants warned about the gap in perception of the value of data and the risk from a breach. Ingram pointed out that medical records are more valuable than credit cards, while Greg Soffe, cyber security manager for Bradford District Care NHS Foundation Trust, said information about someone’s vulnerability can be used to manipulate them. With the increasing use of precision medicine and genomics, personal medical data will become even more valuable.
There are service risks as well as data risks. North Lincolnshire NHS Trust was out of action for four days, cancelling at least 35 operations because of a cyber attack in 2016, explained Ingram. Ian Hazel, director of ICT and infrastructure at Derbyshire Support and Facilities Services, a subsidiary of Chesterfield Royal Hospital, agreed, saying his concern is “if a cyber attack or anything of that nature was to come along and prevent us from delivering direct care”.
James raised robotic process automation (RPA), where volumes of patient data can be processed faster. This technology carries some risks to services, which could be breached or manipulated. Soffe pointed out that RPA does allow for more control and for a person to be part of the system, and that his greater concern is artificial intelligence (AI). In his opinion, AI can help with metadata but should be “well and truly away from raw patient data”. Nick O’Reilly, chief technology officer for the NHS Business Services Authority, said machine learning “forces people down majority patterns”, making it harder to deal with genuine outlier cases.
The participants went on to talk about some practical improvements to systems and governance. Powell highlighted the Data Security Protection Toolkit, an online self-assessment tool, which he said was a “challenging compliance regime” that ensures information security does not just sit with the IT department and shows clearly who is responsible at a senior level. James added that the Senior Information Risk Owner (SIRO) system, where there is an executive director or member of the senior management board with responsibility for information risk policy, works well. He believes the challenge is ensuring that it reaches down to the ward level, where staff are focused on the job of treating patients and do not think of themselves as “targets” for cyber criminals.
All of these processes and policies were tested by the rapid changes needed in the response to Covid-19. James explained how he and his team had to mobilise new systems and products to support clinics, which revealed some of the legacy issues in data quality. However, much of the cyber security practice was “business as usual”. The more significant challenge related to new spaces and mitigating the risk of information being overheard.
Ingram reflected that business output had become more agile, and that IT and security have to catch up. James added that if those needs are not met there is the risk that workarounds and unplanned shadow IT happen, creating risks. Cyber security needs to be embedded to ensure standards year-on-year, Powell added. “Cyber is not going away,” he said. “We have got to work with our other colleagues to make sure that that is understood, managed, and dealt with consistently.”