Government will provide a plan to promote cyber resilience across the health and care sectors by 2030
The health sector is one of the most-vulnerable to cyber attacks, prompting the Government to issue a new strategy aimed at building cyber resilience
Patients will benefit from bolstered protection to the nation’s health and adult social care services as a new cyber security strategy for England is published today.
The Cyber Security Strategy for Health and Adult Social Care sets out a plan to promote cyber resilience across the sector by 2030, protecting services and the patients they support.
It will ensure services are better protected from cyber threats, further securing sensitive information and ensuring patients can continue accessing care safely as the NHS strives to cut waiting lists.
The announcement comes as technology is transforming how people access health and care services and information.
Currently more than 40 million people have an NHS login, helping them to book appointments, track referrals, and order medications online.
And over 50% of social care providers now use a digital social care record, helping staff to share vital information about the people they care for.
However, as digital systems are adopted to improve services, the sector has become a target for cyber criminals.
Health Minister, Lord Markham, said: “We are harnessing the power of technology to deliver better, safer care to people across the country. But, at the same time, it’s crucial we’re also bolstering the defences of our health and care services.
“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future.
“This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.”
Since the WannaCry cyber attack in 2017, which caused significant financial loss of more than £20m and service outages across the NHS, healthcare organisations have increased the number of cyber defence and response tools at their disposal.
Trusts now benefit from a direct link to NHS England’s Cyber Security Operations Centre (CSOC), providing real-time protection of any suspicious activity to approximately 1.7 million devices across the NHS network.
And around 21 million malicious emails are also blocked every month.
The new vision includes five key pillars to minimise the risk of cyber attacks and other cyber security issues, and to improve response and recovery following any incidents across health and social care systems including for adult social care, primary, and secondary care. These include:
A full implementation plan will be published this summer, setting out detailed activities and defining metrics to build and measure resilience over the next 2-3 years.
National cyber security teams will also work closely with local and regional health and care organisations to achieve the visions and aims of the strategy.
This work will include enhancing the NHS England CSOC, publishing a comprehensive and data-led landscape review of cyber security in adult social care, and updating the Data Security and Protection Toolkit (DSPT) to empower organisations to own their cyber risk.
Welcoming the publication, Douglas McKee, principal engineer and director of vulnerability research at Trellix, said: “The healthcare industry is a core part of our critical infrastructure, entrusted with protecting lives and patient data.
“Despite this, healthcare systems are often outdated and run on legacy software, meaning they are an easy target for threat actors and are particularly vulnerable to attack.
“In fact, our recent research has found the healthcare sector has become the most-prominent ransomware target, representing 16% of global attacks in Q4 2022.
“A successful breach could have a devastating impact on the healthcare industry, with the potential to compromise sensitive patient data or prevent healthcare professionals from providing necessary care.
“Amid rising risks, it is therefore crucial for healthcare organisations to enhance their security practices.
“With over half (54%) of security professionals in the healthcare sector believing organisations are held back by the limitations of their existing cyber security infrastructure – overhauling legacy systems and bolstering security measures is imperative.”
And Jonathan Bridges, chief innovation officer at Exponential-e, said the Government must set aside adequate funding to support NHS organisations in improving their cyber security.
He told BBH following publication of the strategy: “It’s very difficult for the NHS to prioritise spend on new technology. That’s why its systems have become outdated and vulnerable in many cases, and why the Government’s new strategy to protect the NHS from attack is so urgently needed.
“Budget is a big reason why current approaches are failing.
“Often it’s capital based, and the public sector’s ability to increase operational budgets is challenging, but modern-day security services are considered operational. So, given the cost of the average cyber specialist is increasing, and resources are in much-shorter supply, it’s often very difficult for the NHS to fund the cyber protection it needs.
“Investment in cyber education is equally important to raise awareness of its crucial role in frontline services.
“Advising operations leads to identify where their critical data is stored, where their vulnerabilities lie, and what tactical and strategic protection is needed to fix those vulnerabilities and stifle attacks, is a must.
“That informed knowledge of cyber risk at an operational level, and how that risk could impact the quality of treatment, is fundamental to making sure patient care is never compromised in the event of attacks.”