A cyber security strategy for health and adult social care has been published by the Department of Health and Social Care (DHSC). It seeks to promote cyber resilience across the sector by 2030.
Health Minister Lord Markham said: “We’re harnessing the power of technology to deliver better, safer care to people across the country – but at the same time it’s crucial we’re also bolstering the defences of our health and care services. This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future. This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.”
The DHSC proposes to publish a ‘national implementation plan’ by summer 2023. In a foreword to the document, Lord Markham acknowledged that the UK’s health and social care services have ‘complex, interdependent systems with different risks and needs’ but described cyber security as ‘a foundational business need’. Also writing forewords are Phil Huggins, National Chief Information Security Officer; and Mike Fell, Executive Director of National Cyber Operations.
The document cites the 2022 ransomware attack on the Health Service Executive in the Republic of Ireland, and the 2017 WannaCry ransomware, which found that ‘many NHS devices – the majority of which were running a supported but unpatched operating system – were vulnerable to this untargeted attack’. The document also touches on the ‘challenges’ to good cyber security in the NHS, such as supply chain vulnerabilities, unclear accountability and a limited cyber workforce, due to a ‘UK-wide shortfall of cyber professionals’.
Proposed are five ‘pillars’: a ‘focus on the greatest risks and harms’; better integration; a substantial increase in the numbers and expertise of cyber professionals (‘people and culture’); ‘build secure for the future’ (including the supply chain); and ‘exemplary response and recovery’ (on the principle that a cyber breach is a case of ‘when not if’).
Stephen Oliver, General Manager North EMEA at Gigamon, said: “It’s promising to see government take action and set out a strategy to boost cyber resilience in the NHS. We’re already seeing a number of industries and regions bolstering their regulatory approach to cybersecurity – with DORA for EU Financial Services, and the latest White House Cyber Strategy in the US – so it’s critical we seek to protect the UK public sector and healthcare bodies.
“As the healthcare sector has continued its much-needed digital transformation over recent years, complexity has increased alongside. Many legacy systems are still in place, with new technologies and cloud infrastructure being integrated, yet tools designed for on-premises simply lack the insight critical for virtual environments. This leads to greater opportunities for cybercriminals to launch an attack.
“However, with budgets already overstretched in a challenging economic climate, the good news is that healthcare organisations are unlikely to need a complete overhaul of current IT infrastructure. Instead, they need to optimise what’s in place and ensure they have a ‘single pane of glass’ view powered by deep observability into all moving data across their entire IT infrastructure. This then eradicates blind spots and reduces the opportunity for hackers to exploit weak points undetected.”
And Rick Jones, CEO and Co-Founder, DigitalXRAID said: “It’s crucial that we continue to dedicate time and resource to boosting the cybersecurity of the public sector and the NHS in particular, especially given previous cyberattacks and their long-lasting effects. Months on from the ransomware attack on NHS IT systems, disruption was still being reported. The incident had a knock-on effect on the quality of care that NHS trusts could offer; patient notes became paper files and patient lists were unavailable, leading to missed appointments.
“One of the biggest risks for healthcare, that we hope to see a focus on in this new government cyber strategy, is IT supply chain attacks. Cybercriminals have learned that leveraging back-door entry through less resourced companies in a supply chain is an effective way to exploit small businesses and gain access to larger ones – in this case, one of the largest public sector bodies in the UK. To mitigate this risk, organisations should at minimum contractually agree data breach liability with third parties. On top of this, regular cybersecurity awareness training alongside the implementation of a Zero Trust architecture will also reduce risk and halt lateral movement of attackers inside a network. A Security Operations Centre (SOC) to monitor, detect and mitigate threats is also increasingly essential in today’s threat landscape.”