This is the first article in a new series, the Critical Condition, exploring the cybersecurity challenges faced by providers of the UK’s critical national infrastructure. This piece looks at the healthcare sector.
Pandemics come in many forms. Prior to the Covid-19 outbreak there was another virus that overwhelmed the NHS and brought many of its essential services to a standstill.
The WannaCry cyberattack on 12 May 2017 – a global ransomware virus, which locked people out of their devices and demanded payment, infecting 200,000 computers in more than 100 countries – affected more than a third of NHS trusts in England and 595 GP practices. Staff were shut out of their computers and emails, thousands of appointments and operations were cancelled, and patients requiring urgent treatment had to travel to more distant accident and emergency (A&E) departments. Later in the day a security researcher managed to activate a “kill switch” and stop the virus.
The attack caused financial and logistical chaos. The Department for Health and Social Care (DHSC) estimated the cost at £92m, more than three quarters of which was designated to IT restoration and improvement. The other effects were harder to quantify. Writing in the scientific journal Nature researchers at Imperial College London concluded that while WannaCry “may not have led to a direct impact on mortality, we are unable to ascertain the true impact on complications, patient morbidity, or changes in care processes that resulted from the attack”.
Mike Fell, executive director of national cybersecurity operations at NHS Digital, which oversees the health service’s federated IT operations, tells Spotlight that the repairs undertaken after the attack were essential. “As well as rebuilding it as it was, one also needs to harden it, to make sure that the same thing doesn’t happen tomorrow,” he says. “So that’s where there are significant costs involved.”
NHS Digital runs national services such as the NHS app and the 111 service. The role of Fell’s team is to ensure NHS Digital’s own systems are secure, and to support other organisations across the health and social care sector in England in preventing cyberattacks. Before joining the NHS this year Fell was in charge of cybersecurity at HM Revenue and Customs (HMRC) for five years. “The two things you probably don’t want your neighbour to know are how much money you earned last year and the last thing you spoke to a healthcare professional about,” he says.
Indeed, healthcare is one of 13 sectors recognised as critical national infrastructure by the government’s National Cyber Security Centre (NCSC), alongside others such as food, finance, energy and transport. A large cyberattack on one of these sectors can cause severe societal disruption, loss of essential services, and in some cases loss of life.
Cybersecurity is particularly complex for the healthcare sector. The NHS has 1.5 million electronic devices and thousands of disparate organisations of varying size and digital competency. There are 7,454 GP practices. In short, Fell’s team does not have an easy job.
“You’re talking about everything from some of the most technologically-advanced research organisations in the country through to individual GP surgeries,” says Fell. “As a result of that, we can’t make any assumptions. We have to look at each case and maintain proportionate security.”
Despite the investment that has been made since 2017, cyberattacks have still slipped through the cracks. While not on the same scale, an attack on 4 August this year hit Advanced, an external software provider to the NHS, with another ransomware virus, which affected NHS 111 urgent care and disrupted appointments, note-taking systems and patient check-in processes. NHS Digital and NHS England have declined to comment on the recent attack but Simon Short, chief operating officer at Advanced, told Spotlight that the software company had worked “tirelessly to accelerate the restoration of our systems”.
Fell says his team is constantly devising new ways to secure the health and social care sector’s systems. “Getting cybersecurity wrong has the potential to cause patient harm and to undermine public trust,” he says. “Both these things are critical for me because data saves lives, and data makes it easier for the public to access health services, like booking a Covid vaccine. We’ve learnt a lot of lessons from WannaCry and other incidents, and we continue to learn.”
NHS Digital has increased its preventative work since WannaCry to help organisations meet basic security standards. This includes guidelines and educational resources, such as the data security and protection toolkit, a mandatory online tool used to teach and test NHS employees on data security skills, and a cybersecurity guide for senior leaders and board members. Given the WannaCry attack exploited a vulnerability in outdated software (a common cause of cyber-breaches), NHS Digital has also done a lot of work to get organisations off unsupported software and hardware that can no longer receive security updates.
Fell believes that those working in cybersecurity need to demystify the terminology that surrounds it and emphasise how individual complacency has real-life consequences. NHS Digital runs a communications campaign for NHS staff called Keep IT Confidential to teach NHS workers in an accessible way about risks and the simple ways they can mitigate them, such as keeping files organised and ensuring their screens are locked when they leave their desks.
“Talk of cyber-risk is often quite techie or bizarre,” says Fell. “We talk about phishing, whaling and denial of service. Ultimately, what we’re talking about isn’t a cyber-risk – it’s a risk that a cyber-event prevents successful patient outcomes.”
NHS Digital has also employed new technology such as a centralised firewall system called Secure Boundary, which detects and blocks most attacks, and centralised surveillance called the high severity alert system. This entails the NHS Digital team monitoring and assessing thousands of known vulnerabilities in hardware and software used in the NHS. They identify the ones that could cause the most damage, based on the potential scale of the impact and whether they could be exploited remotely, and notify all NHS organisations to prioritise fixing them. All organisations are obliged to report back to NHS Digital to show how they have done this.
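The alert cycle described above, ranking known vulnerabilities by potential impact and remote exploitability, notifying every organisation and tracking who has reported back, can be sketched in code. The following is an added illustration, not NHS Digital's own tooling: the scoring weights, the threshold, the vulnerability ids, products and organisation names are all constructed for the example.

```python
"""Illustrative vulnerability triage and alert-tracking model.
Scoring weights, threshold and all sample data are assumptions made for
this example; none of it is NHS Digital's actual system or data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str              # constructed placeholder, not a real CVE id
    product: str              # constructed product name
    impact_scale: int         # 1 (one niche system) .. 5 (estate-wide clinical system)
    remotely_exploitable: bool
    public_exploit: bool = False


def severity_score(v: Vulnerability) -> int:
    """Weight impact by exploitability: remote reach triples the score and a
    public exploit adds a fixed bonus (weights are assumed for illustration)."""
    score = v.impact_scale * (3 if v.remotely_exploitable else 1)
    if v.public_exploit:
        score += 2
    return score


HIGH_SEVERITY_THRESHOLD = 9   # assumed cut-off for a high severity alert


def triage(vulns):
    """Return the vulnerabilities that warrant an alert, most severe first."""
    high = [v for v in vulns if severity_score(v) >= HIGH_SEVERITY_THRESHOLD]
    return sorted(high, key=severity_score, reverse=True)


@dataclass
class Alert:
    vuln: Vulnerability
    notified: frozenset                  # every organisation told to fix it
    responded: set = field(default_factory=set)

    def outstanding(self):
        """Organisations that have not yet confirmed remediation."""
        return self.notified - self.responded


def issue_alerts(vulns, organisations):
    """One alert per high-severity vulnerability, sent to all organisations."""
    orgs = frozenset(organisations)
    return {v.vuln_id: Alert(v, orgs) for v in triage(vulns)}


def record_response(alerts, vuln_id, org):
    """Log an organisation's report that it has addressed the alert."""
    alert = alerts[vuln_id]
    if org not in alert.notified:
        raise ValueError(f"{org} was never notified about {vuln_id}")
    alert.responded.add(org)


def outstanding_report(alerts):
    """Map each open alert to the organisations still to report back."""
    return {vid: sorted(a.outstanding())
            for vid, a in alerts.items() if a.outstanding()}


# Constructed sample data (not real vulnerabilities or organisations)
SAMPLE_VULNS = [
    Vulnerability("VULN-0001", "ImagingViewer", 5, True),          # score 15
    Vulnerability("VULN-0002", "LabelPrinterFirmware", 4, False),  # score 4
    Vulnerability("VULN-0003", "PatientPortal", 3, True, True),    # score 11
    Vulnerability("VULN-0004", "WardKiosk", 2, True),              # score 6
]
SAMPLE_ORGS = ["Trust-A", "Trust-B", "GP-Practice-C"]


def run_cycle():
    """Issue alerts, record one response and return who is still outstanding."""
    alerts = issue_alerts(SAMPLE_VULNS, SAMPLE_ORGS)
    record_response(alerts, "VULN-0001", "Trust-A")
    return outstanding_report(alerts)


if __name__ == "__main__":
    for vid, orgs in run_cycle().items():
        print(vid, "awaiting confirmation from:", ", ".join(orgs))
```

Only the two vulnerabilities that combine a wide impact with remote exploitability cross the threshold; the locally exploitable label-printer bug is tracked but never alerted on, and the report shows exactly which organisations have yet to confirm remediation, which is the feedback loop the article describes.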
The establishment of new cybersecurity groups has also made it easier to share intelligence across the sector. The Cyber Associates Network brings together people working in cybersecurity in health and social care to share best practice, while the Central Data Security Centre, within NHS Digital, offers advice and support for any organisations that need it.
Despite this centralised support, Fell is adamant that individual organisations, whether a major hospital or a small GP surgery, need to take responsibility for their own security. “We provide a level of protection at the centre through monitoring and building public trust,” he says. “But we also support individual organisations to own and manage their own risk. Individual organisations that contribute to the NHS, whether private or public, have an obligation to keep themselves secure and resilient from cyberattacks.”
For less technically savvy organisations especially, small changes can make a big difference in reducing online threats. Using multi-factor authentication to access systems, for instance, is “key to upping the barrier”, says Fell, as is using strong passwords. The focus should be on the “hard-to-do foundations more than the shiny new technology”, he says. So, rather than investing all energy and money in state-of-the-art laptops or the most expensive electronic patient records system, NHS organisations should instead stop using unsupported IT, integrate cybersecurity into the design of any new digital services, monitor and audit systems regularly, and limit access to software and patient data to those who need it.
A sector as vast and varied as health and social care will always struggle to be infallible when it comes to cybersecurity. The breadth of its digital platforms, from appointment booking and blood taking services to electronic prescriptions and cancer screening, makes it difficult to mitigate against all possible breaches. But all organisations can make a difference by following NHS Digital’s advice and making small adjustments to everyday practice, says Fell. He believes that persuading individuals to adopt better practices is integral to increasing the security of the NHS. “I think I’ve got one of the best jobs in the public sector,” he says. “It’s different every day. And ultimately, it’s a people game.”