Skip to main content
Blog

Effective cyber security has never mattered so much

John Noble, the non-executive director who leads on information and cyber security for the NHS Digital Board, looks at the cyber threat facing the NHS as it deals with the coronavirus (COVID-19) pandemic.

Author:
Date:
Head and shoulders picture of John Noble who leads on cyber security on the NHS Digital board

John Noble

I come from a family of doctors, nurses and social workers so the NHS has always been a priority for me. There are few places where it is more important to ensure our cyber defences are strong.

I first worked with the NHS as Director of Incident Management at the National Cyber Security Centre (NCSC) at the time of the WannaCry incident, which was a fascinating, but also a worrying experience. Though the attack was not targeted specifically at the NHS, we are all aware of the impact it had.

As the weekly NCSC threat report highlights, we should be in no doubt that there are groups and individuals who want to target the NHS and other healthcare organisations.  Of great concern are ransomware attacks mounted by large and sophisticated criminal groups.

There are always going to be more opportunities for business email fraud when people are working remotely.

These have already impacted many organisations, including hospitals and companies who are within the NHS's supply chain. A significant ransomware attack in the current climate would have major implications for the healthcare system, so that's the area we are particularly focussed on.

But we must also be prepared for other hostile actors. There are always going to be more opportunities for business email fraud when people are working remotely, and we are seeing an increase in lower-level criminals using the coronavirus crisis to exploit that fact.

The importance of ensuring that critical NHS systems remain available has never been greater.

As the Director of GCHQ recently explained, there are also nation states who are using cyber during the pandemic to promote their national interest. The importance of ensuring that critical NHS systems remain available has never been greater.

In the WannaCry aftermath, a lot of criticism was levelled at the NHS, but I think it's important to remember how difficult it can be in any organisation, but particularly in healthcare, to strike the right balance between security, usability and cost.

After WannaCry

After WannaCry, NHS Digital, working with the Department of Health and Social Care, developed a programme of work to support trusts that resulted in the creation of:

  • a Cyber Security Operations Centre, which blocks around 21 million items of malicious activity every month
  • a network of Cyber Associates to own and advise on cyber security within the NHS, with over 1,000 members in 700 NHS organisations
  • the Data Security and Protection Toolkit (DSPT), which means that all NHS and social care organisations are working towards the same national standards
  • the creation of regional leads to support local delivery of cyber security
  • the provision of licences to enable all NHS Trusts to upgrade to Windows 10, a key part of which is the provision of Microsoft’s Advanced Threat Protection (ATP). This now provides endpoint security across 1.3 million connected devices, giving the NHS a view on cyber threat status and vulnerabilities, both locally and nationally.
  • NHS Digital also launched NHS Secure Boundary, a centrally funded solution that protects NHS organisations from the most sophisticated cyber threats

We have to understand what already exists, so everyone has a consistent baseline. As we seek to improve cyber security standards, NHS Digital's role is very much an enabler rather than an enforcer. A partnership approach will always be the best way to tackle these sort of challenges.

An opportunity to tackle key cyber risks

The crisis has enabled many technological initiatives to be developed at pace such as enabling people to create self isolation notes through the NHS 111 online service and participate in online consultations with their GPs.

At the same time, the crisis has opened up an opportunity to address key cyber risks. NHS Digital has been working closely with the NCSC and NHSX to create a COVID-19 Cyber Action Plan.

If a vulnerability is reported in a trust, approved commercial companies can offer on-site support much quicker under a contract operated by our Data Security Centre, giving the trusts and Clinical Commissioning Groups (CCGs) the additional resource and expertise they may need to defend themselves.

It is critical that during the ever-increasing digitalisation of the health and care system, we always remain alert to the heightened risks of cyber attacks.

The NCSC is working very closely with NHS Digital whilst continuing to adhere to all its usual information governance and security safeguards. Sensitive data about patients must only be shared with those who have a real need to see it.

It is critical that during the ever-increasing digitalisation of the health and care system, we always remain alert to the heightened risk of cyber-attacks. I would like to thank everyone in the NHS who is involved in cyber security and information governance. They are playing a vital role in keeping our systems and everyone's data safe. Never has that mattered more.

Related subjects

  • We help NHS organisations to manage and improve their cyber security.
  • NHS Digital's Peter Robinson takes us through his journey from apprentice to professional within the Cyber Security team.
  • Hackers and cyber attacks feature in many films and television programmes, but are these portrayals accurate? Hecham Mrabet, cyber security specialist at NHS Digital, gives us a behind-the-scenes look at how a cyber security centre runs in real life.
  • Cyber security still has an out-dated image of being a masculine profession. Charlotte Roe, Cyber Security Apprentice at NHS Digital, talks about her job and why women are needed in the world of cyber.

Share this page

Share on Facebook
Share on Twitter
Share on LinkedIn
John Noble
John Noble

John is a non-executive director on the NHS Digital Board and leads for information and cyber security. He also chairs the Information and Cyber Security Committee (IACSC).

Latest blogs

A nurse checks out additional information on a patient's Summary Care Record.
How is additional information in Summary Care Records being used?
By Tamara Farrar. 17 December 2020
As the coronavirus hit us in March, the Government made a significant change to the sharing of patient information for those working on the frontline in the NHS. Tamara Farrar, a user researcher at NHS Digital, looked at what that extra information meant for professionals in a wide range of different health and care settings.
Susie Day smiling
How the NHS App is upping its game
By Susie Day. 24 November 2020
Susie Day, Programme Head for the NHS App, explains how new features help support patients and clinicians to meet an increasing need for remote access to services during the pandemic and how they will improve healthcare after the current crisis.
Photo of James Reith working from home.
Demystifying the integration process for the NHS App
By James Reith. 19 November 2020
James Reith, Content Designer for the NHS App, explains how the NHS App integration team have improved their integration process to make it easier for partner services to innovate.
Last edited: 3 August 2020 7:55 am