Effective cyber security has never mattered so much

As the weekly NCSC threat report highlights, we should be in no doubt that there are groups and individuals who want to target the NHS and other healthcare organisations.  Of great concern are ransomware attacks mounted by large and sophisticated criminal groups.

These have already impacted many organisations, including hospitals and companies who are within the NHS's supply chain. A significant ransomware attack in the current climate would have major implications for the healthcare system, so that's the area we are particularly focussed on.

But we must also be prepared for other hostile actors. There are always going to be more opportunities for business email fraud when people are working remotely, and we are seeing an increase in lower-level criminals using the coronavirus crisis to exploit that fact.

As the Director of GCHQ recently explained, there are also nation states who are using cyber during the pandemic to promote their national interest. The importance of ensuring that critical NHS systems remain available has never been greater.

In the WannaCry aftermath, a lot of criticism was levelled at the NHS, but I think it's important to remember how difficult it can be in any organisation, but particularly in healthcare, to strike the right balance between security, usability and cost.

After WannaCry, NHS Digital, working with the Department of Health and Social Care, developed a programme of work to support trusts that resulted in the creation of:

• a Cyber Security Operations Centre, which blocks around 21 million items of malicious activity every month
• a network of Cyber Associates to own and advise on cyber security within the NHS, with over 1,000 members in 700 NHS organisations
• the Data Security and Protection Toolkit (DSPT), which means that all NHS and social care organisations are working towards the same national standards
• the creation of regional leads to support local delivery of cyber security
• the provision of licences to enable all NHS Trusts to upgrade to Windows 10, a key part of which is the provision of Microsoft’s Advanced Threat Protection (ATP). This now provides endpoint security across 1.3 million connected devices, giving the NHS a view on cyber threat status and vulnerabilities, both locally and nationally.
• NHS Digital also launched NHS Secure Boundary, a centrally funded solution that protects NHS organisations from the most sophisticated cyber threats

We have to understand what already exists, so everyone has a consistent baseline. As we seek to improve cyber security standards, NHS Digital's role is very much an enabler rather than an enforcer. A partnership approach will always be the best way to tackle these sort of challenges.

The crisis has enabled many technological initiatives to be developed at pace such as enabling people to create self isolation notes through the NHS 111 online service and participate in online consultations with their GPs.

At the same time, the crisis has opened up an opportunity to address key cyber risks. NHS Digital has been working closely with the NCSC and NHSX to create a COVID-19 Cyber Action Plan.

If a vulnerability is reported in a trust, approved commercial companies can offer on-site support much quicker under a contract operated by our Data Security Centre, giving the trusts and Clinical Commissioning Groups (CCGs) the additional resource and expertise they may need to defend themselves.

The NCSC is working very closely with NHS Digital whilst continuing to adhere to all its usual information governance and security safeguards. Sensitive data about patients must only be shared with those who have a real need to see it.

It is critical that during the ever-increasing digitalisation of the health and care system, we always remain alert to the heightened risk of cyber-attacks. I would like to thank everyone in the NHS who is involved in cyber security and information governance. They are playing a vital role in keeping our systems and everyone's data safe. Never has that mattered more.