Our delivery directorates: 4. Live Services and Cyber Security

We achieved 99.95% average availability across all of our services in 2018-19. These include some of the largest secure IT services in the world – and it is critically important for our health and care system that they are safe, fast and reliable.

In October 2018, total monthly transactions on the NHS Spine, the NHS’s core information sharing infrastructure, reached one billion. The system was often handling upwards of 250,000 users simultaneously, but achieved 99.99% reliability throughout the year.

The Care Identity Service is used by staff to log on to the Spine. It handled an average of 8.5 million unique logins a month in 2018-19, with 99.98% reliability.

NHSmail added 200,000 new accounts to take its total user base to 1.5 million and operated with 99.99% reliability.

We also saw a steady growth in the use of important services on the Spine. The NHS e-Referral Service saw a steady increase in volumes. Bookings peaked at just under 1.4 million in October 2018, a 40% increase on the previous year.

About 1.5 million more Summary Care Records (SCR) were accessed in 2018 than in 2017, up 24%, and the number of patients with additional information on their SCR grew 14% to 2.2 million in the three months to December 2018 alone.

This extra information – such as medical history, immunisations and background on medications – can give clinicians vital context when making decisions about patients they don’t know.

We introduced important new services. NHS 111 online processed over one million searches a month. The Data Security and Protection Toolkit was launched in April 2018, providing organisations with an online resource to measure their performance against the National Data Guardian’s 10 data security standards. Over the course of the year, more than 27,000 organisations including all trusts in England completed their baseline assessments and the service maintained a 99.9% availability rate.

The NHS App went live in December 2018 and is expected to significantly increase the public’s use of services including appointment booking, electronic prescriptions and 111 online.

Since 2017, we have been transferring the operation of established services out of development programmes and consolidating them in the Live Services and Cyber Security directorate. Removing services from project silos allows us to realise economies of scale and develop better supplier management, product governance, clinical overview, change assessment and day-to-day delivery across our services.

The services and products that have moved into Live Services are NHSmail, the Health and Justice Information System, Summary Care Record and Summary Care Record application, the Spine Mini-Services Provider, Interface Mechanism 1, Digital Learning Solutions and the Lorenzo (DXC) contract.

In 2019-20, we also plan to move the Child Protection - Information Sharing system, the e-Referral Service, the Electronic Prescription Service, Advanced Threat Protection, Apps and Wearables and the National Data Opt-out systems.

We are also working to establish new services in the coming year, particularly systems connected to Data Processing Services and the replacement for the GP Systems of Choice (GPSoC) contract being developed by the GP IT Futures programme.

Our Cyber Security Operations Centre (CSOC) is the central source of cyber-security intelligence and incident support and we worked with NHS England, the Department of Health and Social Care, the National Cyber Security Centre and other partners to strengthen the system’s overall resilience in 2018-19.

System-wide monitoring capabilities have significantly improved since the WannaCry ransomware incident in May 2017. The introduction of Windows Advanced Threat Protection (ATP) has allowed us to monitor threats and vulnerabilities on individual machines across thousands of local organisations. We now have 840,000 NHS devices (about 70%) under this level of scrutiny.

In December alone, we blocked more than five million suspicious transactions on NHS and social care computers and provided more than 80 threat intelligence articles, identifying potential threats and providing advice on combatting them.

We create custom alerts for local partners so they have the information and guidance they need to act effectively – and we are applying lean manufacturing principles to streamlining and accelerating the production of these alerts. We also play an important part in the wider cyber security ecosystem. During the year, we identified two new and unidentified threats and passed the information to the National Cyber Security Centre (NCSC) and the wider cyber community so that anti-virus measures could be updated.

We appointed IBM as the Cyber Security Operations Centre’s strategic partner in June 2018. This partnership will help us deliver a wide range of improvements to our service. For example, we are receiving engineer and analyst support to help move critical national applications onto our security information and event management (SIEM) system, which provides real-time analysis of security alerts in key applications and network hardware.

We can now also provide threat scanning tools for internet-facing services run by local organisations and online training licenses for 500 IT and security staff across the system. We are using the relationship with IBM to help us develop our automated threat-hunting and machine-learning capabilities.

The updated Data Security and Protection Toolkit was introduced at the start of 2018-19. It helps organisations across health and care measure their cyber preparedness and support improvement, and we have improved and honed its content through the year.

To date, more than 27,000 health and care organisations have signed up and we have seen significantly more engagement from small care organisations over the past year.

We have now conducted security assessments in all NHS trusts. We use a tailored version of the NCSC Cyber  Essentials Plus standard and have seen a seven percentage point improvement in the average overall scores of organisations assessed in 2018-19, compared with the previous year.

Building on the success of the on-site assessments, we are now offering a more extensive package of services. The Cyber Security Support Model includes an on-site assessment and is underpinned by GCHQ-accredited training for board members to ensure buy-in from leadership. It also includes technical support to address vulnerabilities and help in implementing processes and policies that will make good practice stick.

Stephen Ion, Desktop and Server Infrastructure Manager at the University Hospitals of Morecambe Bay NHS Foundation Trust, says improved cyber security tools have transformed his ability to protect his organisation’s systems.

Morecambe Bay was the first trust in the country to implement Windows Defender Advanced Threat Protection (ATP), in May last year.

Continuous monitoring of abnormal activity means Stephen and his team are instantly alerted if systems are at risk.

“ATP is invaluable to us,” Stephen says. “We used to get warnings and malware alerts, but, since we’ve implemented ATP, we are learning things that would never previously have been picked up.

“For example, you can see when a user opened a suspicious email attachment and you can work back through a timeline to see what the user was doing prior to that. The ATP alert tells you what else the malware has done and where else it’s tried to talk to, so we can then carry out remediation.”

“It is not just monitoring our organisation, it is monitoring the whole NHS,” Stephen says.

“Each trust feeds into the same repository of alerts and malware detections. If we had an alert on a number of PCs, instead of us working independently, NHS Digital gets the bigger picture.

“They can coordinate a response and alert the whole NHS that this issue is happening nationwide,” he says. “Ultimately this benefits our patients – our clinical systems need to be available so we can treat patients and the confidential data they provide us with needs to be kept safe.”