Over the last two years, the NHS has embarked on one of the most ambitious and aggressive cyber security programmes seen in any health and care system in the world.
A huge amount of work has been done, both at the local and national level, and we have seen significant improvements in three key areas:
better cyber monitoring, threat intelligence, and incident responses
better support and guidance for local organisations
better cyber training and greater awareness and engagement with cyber security best practice among NHS staff and organisations
We know that more still needs to be done to maintain the safety, privacy and trust of patients as we improve our health and care system’s use of data and digital technology, but we have made significant progress in several key areas.
Strength through partnerships
First, we have delivered a world-class Cyber Security Operations Centre (CSOC) that provides a central source of cyber security intelligence and incident support to the system and acts as a single point of coordination with NHS and external partners. We continue to work with NHS England, NHSX, the Department of Health and Social Care, the National Cyber Security Centre (NCSC) and other partners to strengthen this capability. NHS Digital’s Data Security Centre is the lead partner on data security for the health and social care system. We help health and care organisations to meet their responsibilities while using data and technology to improve outcomes.
System-wide monitoring capabilities have improved markedly. The introduction of Windows Advanced Threat Protection (ATP) has allowed us to monitor threats and vulnerabilities on individual machines across thousands of local organisations. We now have more than one million NHS devices – about 73% – under this level of scrutiny.
And the system is more than just a tool for our national team. It also transforms local capabilities. Morecambe Bay was the first Trust in the country to implement ATP in May 2018. ATP allows them to see when a user has opened a suspicious email attachment and then work back through a timeline to see what the user was doing before that. Its alerts provide information about what the malware has done and what machines it has tried to communicate with.
Tackling a persistent threat
On average, NHS Digital stops more than half a billion malicious emails every three months. Every month we stop around 21 million incidents of malicious activity in the national network, and since September 2018 we have stopped three 'zero day' attacks, where there is hardly any time – zero days – between a vulnerability being discovered and an attack that exploits it. We provide threat intelligence articles identifying potential threats and we create custom alerts for local partners so they have the information and guidance they need to act effectively and quickly.
We also play an important part in the wider cyber security ecosystem. In the past year, we identified two new, previously unidentified threats and passed that information to the NCSC and the wider cyber community so that cyber measures across the country could be updated.
We appointed IBM as CSOC’s strategic partner, and this partnership is adding new dimensions to our capability. For example, we are moving critical national applications onto an enhanced security information and event management (SIEM) system, which provides real-time analysis of security alerts in key applications and the network. We are using the relationship with IBM to support the development of automated threat-hunting and machine-learning capabilities.
In September 2019, we announced a new Secure Boundary deal with Accenture to deliver additional security monitoring and prevention defences for the multiple internet connections in use across the system. We now provide threat scanning tools for internet-facing services run by local organisations and have also opened up online training licences for IT and security staff to improve skills across the system.
A key recommendation from the NHS CIO’s WannaCry report was for all large NHS organisations (422 as of August 2019) to achieve Cyber Essentials Plus (CE+) certification by June 2021. NHS Digital itself has been conducting on-site security assessments across the NHS trusts. This assessment covers compliance with the Cyber Essentials and IT Health Check standards and produces a score based on the readiness of an organisation to be CE+ certified. Since the NHS CIO’s recommendation, the average readiness score has risen from 48% at the time of the CIO’s report to 70% in September 2019.
Cyber Security Support Model
Building on the success of the on-site assessments, we are now offering a more extensive package of services: the Cyber Security Support Model (CSSM). This includes an on-site assessment and is underpinned by GCHQ-accredited training for board members. More than 160 board training sessions have been delivered. CSSM also includes technical support to address vulnerabilities and help in implementing processes and policies that will make good practice stick, and a service to embed cyber risk management into organisations. Forty per cent of trusts have already used these services.
Our Data and Security Protection Toolkit (DSPT) is another key part of our armoury. It allows organisations to self-assess their data and cyber security practices every year against rigorous standards, and replaced our Information Governance Toolkit in April 2018. We revised it in June 2019 to bring it more closely in line with external security standards including Cyber Essentials, EU NIS, Minimum Cyber Security Standard (MCSS) and the NCSC Cyber Assessment Framework.
All NHS organisations, local authorities and other bodies processing confidential health and adult social care data are required to complete the DSPT and all large NHS organisations must audit their submission every year. So far, about 28,000 self-assessments have been completed.
We are working with our partners to build the culture and widely shared expertise that we need to protect the system. In May 2019, we launched the Cyber Associates Network to bring together the community of cyber and security professionals. It currently has over 700 members from 250 organisations. It is a peer-led network that allows cyber professionals from across the system to share ideas, best practice and knowledge, while also providing us with insights into service improvement opportunities, new initiatives, and a strategic communications channel. We have two events scheduled for November 2019, which will provide members with an opportunity to discuss strategic cyber security issues and topics – such as secure digital transformation – as well as to understand more about what cyber services and products we offer to health and care.
And in September 2019 we launched a national cyber awareness campaign, which provides a package of communications materials to local organisations to drive awareness and understanding among their staff. Almost 300 individual organisations downloaded the materials in the first few weeks of the campaign.
Over the next two years, we will provide best-practice standards, cyber security architectural patterns, and process and policy templates to local health and care organisations. A new Cyber Business Intelligence and Risk platform will change how local organisations and arm’s-length bodies understand, manage, and plan for cyber risk, and we will continue to work to ingrain cyber-secure behaviours into the day-to-day delivery of patient outcomes and care.
We cannot be complacent. The threat we face is growing and constantly changing – and it will require a continued and concerted effort across the health and care system to effectively combat it. What we can say is that we are in a much better place than we were in 2017 to achieve that.
We have more blogs to come in Cyber Awareness Month, looking at NHS Digital’s cyber workforce campaign, the partnership with NHSmail to deliver improved cyber security capabilities for the NHS Directory, and the future of data and cyber security in health and care.