NHS Digital set to work closely with National Cyber Security Centre (NCSC) to boost healthcare sector cyber security capabilities.
NHS Digital aims to put the UK’s healthcare sector on a firm cyber security footing, according to Rob Shaw, chief operating officer at NHS Digital’s Data Security Centre.
Shaw said the cyber security threats were the same for the healthcare sector as for other sectors, but the additional challenge is providing security while the priority remains patient care.
In charting a fresh and effective approach, he said NHS Digital has recognized that it is not about technology, but about protecting data.
A key part of this approach, said Shaw, is changing the culture and attitudes of people to data protection, which requires leadership.
“We need a better culture [around cyber security] because it cannot just be something that is added on at the end,” he said.
To help ensure that cyber security is an inherent part of everything the UK healthcare sector does, NHS Digital has developed 10 standards.
“Although the amount of malicious traffic on the national NHS network (N3) is around the same level of other sectors of 0.3%, security and integrity of data in healthcare is absolutely critical,” said Shaw.
However, he said the standards were regulatory in intention, but aimed at enabling a secure healthcare sector and increasing patient trust.
Underlining that cyber security is not just about technology, he said most cyber attacks start with social engineering.
Just like other sectors, he said healthcare organisations are regularly targeted by spoofed emails that appear to come from known senders and contain references to personal interests.
In one such incident, he said a healthcare employee was tricked into opening an email that appeared to come from a contact about a subject of common interest.
“When he clicked on the email it appeared to fail to open, but he had compromised his machine and it took two weeks before the compromise was detected,” said Shaw.
In establishing a cyber security-oriented culture, healthcare organizations need to seek to address such risks, he said.
Security risks in unsupported software
Another common challenge, especially in the healthcare sector, is the use of unsupported software, such as Microsoft Windows XP.
NHS Digital estimates that around 15% of Windows installations in the UK healthcare sector are XP, but Shaw said this is not easily or quickly fixed.
“In addition to the costs involved, there is also the problem of migrating legacy applications that run on hardware that will not support more modern operating systems, which adds to the cost of hardware upgrades,” he said.
NHS Digital is aware of the security risks posed by Windows XP. Because its security is no longer being updated by Microsoft, and XP’s vulnerabilities are well known, NHS Digital has developed various strategies for securing computers still running Windows XP.
Not all organizations know what to do, said Shaw, and that is where NHS Digital can help provide the necessary expertise. Similarly, NHS Digital can provide support where compromises occur.
“There are many threats and sometimes things do get through, which means the way organizations respond when they are breached is important,” he said.
NHS Digital is helping a growing number of hospitals and other healthcare organizations to respond to breaches through its computer emergency response team, CareCert.
“CareCert is making a difference. In a recent ransomware attack, CareCert’s incident response team was able to contain, monitor and eradicate the malware before it could take hold,” said Shaw.
The CareCert team and all the other services provided by NHS Digital, he said, are effectively shifting cyber security in UK healthcare from defence-only mode to detect mode.
Looking to the future, he said CareCert will be a “front door” to the services and support that will be available from the National Cyber Security Centre, which is due to begin operations on 1 October 2016.
“We will be working with the NCSC to provide access to specialists, access help on how to handle security incidents, and share information with and from other organizations,” said Shaw.
He called on healthcare organizations to engage with CareCert and not to overlook investing in people, saying personal responsibility in cyber security is key.
“Don’t fall into the trap of thinking cyber security does not affect patient care because it does, and don’t entrust the security of the many to the few because everyone needs to be involved,” said Shaw.