Cybersecurity is rightly claiming a place on board agendas across the country as NHS organisations look to safeguard patient care. As we increasingly rely on digital systems and technology to deliver services to patients, organisations are being faced with more complex risks from sophisticated hacking and cyberwarfare.
Any breach of security has the potential to affect how we care for patients by disrupting access to vital information and systems. That ranges from operational systems such as theatre booking software right through to clinical systems that tell us which treatments are safe for a given patient. When IT infrastructure is compromised, patient care is disrupted and delayed. But in building stronger defences, we must strike the right balance to ensure security itself does not become a barrier to care.
Building stronger defences
The widespread impact of the WannaCry ransomware attack five years ago prompted a significant leap forward in cybersecurity across the NHS, with major investment in new hardware and operating systems as well as security defences. At NHS Arden & GEM CSU, we have become adept at running regular audits for NHS organisations to assess the strength of their networks and infrastructure and to ensure software patches and upgrades are applied more promptly. When attacks do happen, organisations are better able to detect them, learn from them and continuously improve. Certification schemes such as Cyber Essentials and Cyber Essentials Plus provide a robust framework for cybersecurity readiness, and they are often baked into procurement processes for new digital systems, helping to embed cybersecurity into NHS infrastructure.
This work reduces the NHS’s vulnerability to breaches but is just the tip of the cybersecurity iceberg. Over one million people work for the NHS in the UK, many of whom will be involved in buying products and using systems that affect the security of our networks, which in turn affects patient safety. To minimise the risk of disruption or delay caused by an attack on IT infrastructure, we must combine more robust systems with training and support for all NHS staff.
In the same way we have seen with areas such as data protection and core technology, cybersecurity needs to become embedded in everyday practice. Connected technology is everywhere. From the computer that sits in a consulting room to the instruments, fridges and hospital beds we use, Bluetooth and wi-fi capabilities are often built in, and these devices will need to ‘talk to’ a hospital or other NHS network. Until recently, many of these purchases have happened independently, and IT security standards have only been considered at the point where departments seek to connect their devices. But every connected device is a potential entry point into the wider infrastructure we rely on to deliver patient care.
By strengthening relationships with operational and clinical leads, and building a better understanding of what is needed to safeguard security standards, cybersecurity and IT teams can help their organisations gain the full benefit from the systems they are investing in. Whether it’s a small scale purchase or a major project, working in partnership will enable organisations to adopt a ‘security first’ approach to digital that will pay dividends in the future.
Striking the right balance
A large proportion of cyberattacks begin with so-called phishing, where individuals are tricked into giving away login or financial information through convincing messages that impersonate legitimate advice or information requests. Once a user has been tricked into handing over their email login details, this can quickly escalate, as email is often used to reset passwords for, or verify access to, other systems, and the attacker can send further phishing messages from a trusted internal address.
One answer is to add friction to logging in, with multi-factor authentication and stricter password rules – an approach already being used in some areas. But we have to balance this need for security with enabling NHS staff to work efficiently in highly pressurised environments. If we make security too time consuming, people are more likely to find a workaround, such as writing passwords down or sharing accounts, which can prove riskier than a simpler security policy that is followed consistently. Awareness and education are crucial.
Leadership teams have an important role to play here, from ensuring cybersecurity is regularly on the board agenda, to modelling behaviour that demonstrates commitment to improving their own cybersecurity skills and actively encouraging better engagement with training and support.
At a time when the NHS has never been busier, there are multiple priorities competing for attention, but cyber breaches can cause havoc in terms of care delivery. Increasing digitisation in the NHS needs to be matched with security know-how that sees organisations embedding a robust, practical cybersecurity approach. With board level support, managers and clinical leaders can drive forward the required action to deliver a security-first approach that will protect the infrastructure underpinning patient care.
Top tips to minimise the risk of cyberattacks:
1. Choose longer, memorable passphrases and use each one for only one account. Three unrelated words give far more combinations than the short, predictable passwords most people choose – and they are easier to remember. But don’t reuse a password or passphrase on more than one account: if one service is breached, every account sharing that password is exposed.
2. Restart your computer regularly. Many security patches, particularly to the operating system, only take effect once the computer restarts, so restart it ideally every night and at least weekly.
3. Act quickly if you think your computer or email account has been compromised. Tell your IT team immediately: the sooner they know, the better the chance they can contain or even eliminate the damage.
This article was originally written for National Health Executive. You can read it here in the July/August edition.