How we're improving cyber security

First, we have delivered a world-class Cyber Security Operations Centre (CSOC) that provides a central source of cyber-security intelligence and incident support to the system and acts a single point of coordination with NHS and external partners. We continue to work with NHS England, NHSX, the Department of Health and Social Care, the National Cyber Security Centre (NCSC) and other partners to strengthen this capability. NHS Digital’s Data Security Centre is the lead partner on data security for the health and social care system. We help health and care organisations to meet their responsibilities while using data and technology to improve outcomes. 

System-wide monitoring capabilities have improved markedly. The introduction of Windows Advanced Threat Protection (ATP) has allowed us to monitor threats and vulnerabilities on individual machines across thousands of local organisations. We now have more than one million NHS devices – about 73% – under this level of scrutiny.

And the system is more than just a tool for our national team. It also transforms local capabilities. Morecambe Bay was the first Trust in the country to implement ATP in May 2018. ATP allows them to see when a user has opened a suspicious email attachment and then work back through a timeline to see what the user was doing before that. Its alerts provide information about what the malware has done and what machines it has tried to communicate with.

On average, NHS Digital stops more than half a billion malicious emails every three months. Every month we stop around 21 million incidents of malicious activity in the national network, and since September 2018 we have stopped three ’zero day’ attacks, where there is hardly any time – zero days – between a vulnerability being detected and an attack. We provide threat intelligence articles identifying potential threats and we create custom alerts for local partners so they have the information and guidance they need to act effectively and quickly. NHS Digital’s Data Security Centre is the lead partner on data security for the health and social care system. We help health and care organisations to meet their responsibilities while using data and technology to improve outcomes. 

We also play an important part in the wider cyber security ecosystem. In the past year, we identified two new, unidentified threats and passed that information to the NCSC and the wider cyber community so that cyber measures across the country could be updated.

We appointed IBM as CSOC’s strategic partner, and this partnership is adding new dimensions to our capability. For example, we are moving critical national applications onto an enhanced security information and event management (SIEM) system, which provides real-time analysis of security alerts in key applications and the network. We are using the relationship with IBM to support the development of automated threat-hunting and machine-learning capabilities.

Building on the success of the on-site assessments, we are now offering a more extensive package of services: the Cyber Security Support Model (CSSM). This includes an on-site assessment and is underpinned by GCHQ-accredited training for board members. More than 160 board training sessions have been delivered. CSSM also includes technical support to address vulnerabilities and help in implementing processes and policies that will make good practice stick, and a service to embed cyber risk management into organisations. Forty per cent of trusts have already used these services.

Our Data and Security Protection Toolkit (DSPT) is another key part of our armoury. It allows organisations to self-assess their data and cyber security practices every year against rigorous standards, and replaced our Information Governance Toolkit in April 2018. We revised it in June 2019 to bring it more closely in line with external security standards including Cyber Essentials, EU NIS, Minimum Cyber Security Standard (MCSS) and the NCSC Cyber Assessment Framework. 

All NHS organisations, local authorities and other bodies processing confidential health and adult social care data are required to complete the DSPT and all large NHS organisations must audit their submission every year. So far, about 28,000 self-assessments have been completed.

We are working with our partners to build the culture and widely shared expertise that we need to protect the system. In May 2019, we launched the Cyber Associates Network to bring together the community of cyber and security professionals. It currently has over 700 members from 250 organisations. It is a peer-led network that allows cyber professionals from across the system to share ideas, best practice and knowledge, while also providing us with insights into service improvement opportunities, new initiatives, and a strategic communications channel. We have two events scheduled for November 2019, which will provide members with an opportunity to discuss strategic cyber security issues and topics – such as secure digital transformation – as well as to understand more about what cyber services and products we offer to health and care.

And in September 2019 we launched a national cyber awareness campaign, which provides a package of communications materials to local organisations to drive awareness and understanding among their staff. Almost 300 individual organisations downloaded the materials in the first few weeks of the campaign.

Over the next two years, we will provide best-practice standards, cyber security architectural patterns, and process and policy templates to local health and care organisations. A new Cyber Business Intelligence and Risk platform will change how local organisations and arms length bodies understand, manage, and plan for cyber risk, and we will continue to work to engrain cyber secure behaviours into the day-to-day delivery of patient outcomes and care. 

We cannot be complacent. The threat we face is growing and constantly changing – and it will require a continued and concerted effort across the health and care system to effectively combat it. What we can say is that we are in a much better place than we were in 2017 to achieve that.