
Cyber security guide for NHS Non-Executive Directors: Balancing risk

This guide aims to help NHS Non-Executive Directors understand how cyber security could affect their own NHS organisation and how to become more resilient to cyber threats and attacks.



This guide covers
  • what good cyber security governance looks like
  • the resources available to help NHS Boards understand and deal with cyber security risks, and how external assessments can provide a critical insight into risks
  • questions that an NHS Board should be asking its IT security team
  • the people issues that need to be addressed
  • how resilience can be improved

Background

It's now over 4 years since the NHS was hit by a global ransomware attack, known as WannaCry, which caused significant disruption and highlighted security weaknesses across the NHS. The National Audit Office report found that the attack could have been prevented had the NHS followed basic IT security best practice.

Progress has since been made to improve cyber security across the NHS, however the cyber threat has also grown. Healthcare organisations are now being targeted in increasingly sophisticated attacks that threaten the availability of vital systems and the exposure of sensitive patient data.

NHS Digital’s Cyber Security Operations Centre (CSOC) and the National Cyber Security Centre (NCSC), working with local IT security teams, are detecting an increasing number of attacks targeted against the NHS.   


Whilst it's encouraging that many attacks have been stopped, it's also clear that there are some very significant cyber security weaknesses across the NHS. It's these weaknesses (also known as vulnerabilities) – for example, out-of-date IT systems – that attackers try to exploit.

As a result of the pandemic, the NHS is even more digitally dependent, and data is being shared more widely. Therefore, the impact of a successful cyber-attack for the targeted NHS organisation, the wider system and patients could be far greater than WannaCry.

Getting cyber security wrong could lead to a patient safety incident, disruption to health care services and reputational damage through the loss of sensitive information.


Responsibility

As with health and safety, cyber security is the responsibility of everyone in the organisation, and of the Board in particular. Non-Executive Directors (NEDs) on NHS Boards have a vital role to play in providing independent oversight and challenge, helping their Board understand what cyber security risks the organisation is carrying and assess whether the right balance between security, business operations and cost is being struck.

Cyber security risks must be considered in the same way as any other business or clinical risk. However, for many NEDs, cyber security can be a daunting subject, not least because it’s technical and comes with its own language. This is why NHSX and NHS Digital have produced this short cyber security guide for NHS NEDs. It draws on the NCSC's Board Toolkit and aims to demonstrate how all NHS NEDs can contribute to keeping their organisation safe from cyber-attack.

NHS Boards must address a wide range of challenging risks and issues. We hope this guide will help you address the risk that cyber security presents to patient care.

Good cyber security is a fundamental element of patient care and the Boards of NHS organisations have a key role to play in assuring that IT systems are available and sensitive patient data is protected. I'm a Non-Executive Director at NHS Digital and former Director at the National Cyber Security Centre. I have worked with colleagues in NHS Digital and NHSX to produce this short guide to help you provide that assurance.

Last edited: 17 January 2022 2:49 pm