Patching up NHS cybersecurity: five lessons to be learned

Earlier this month, the NHS was hit by the largest cyber incident in its short digital history. The incident led to significant disruption of services for several days, with networks and email shut down as a precaution to contain the spread to vulnerable PCs. Ambulances were diverted from some trusts struggling to cope without IT systems in their emergency departments.

In the days following the attack, many have been quick to point the finger: at managers, at the national bodies, and at government. Laying blame is easy, but the harder task is to learn from the errors so that we can reduce the likelihood and limit the damage of similar incidents in the future. So what lessons are there for the NHS and government?

Cybersecurity is everyone’s responsibility

Mitigating the risk of initial infection relies on IT teams across trusts, and the millions of diverse workers they support, following routine security advice: applying security patches promptly to close vulnerabilities in operating systems; keeping anti-virus software up to date; and avoiding unexpected and unknown email attachments and links. Maintaining good practice requires governance structures but, more importantly, requires recognition from all members of staff, from the ward to the board, that everyone needs to take steps to minimise the risk of cyberattacks.

Investment in IT must be prioritised

Guidance from government has been for NHS organisations to move away from unsupported software such as Windows XP. This is easier said than done. Many machines still run XP because it is the only platform that can interface with older equipment, such as MRI scanners. Developing new software or buying new machines that run modern, better-supported software can cost thousands or even millions of pounds.

However, investment in IT has frequently been deprioritised. The trade-off is often between replacing a machine that is running old, unprotected software and replacing a machine that is physically falling apart, and these decisions are made all the more difficult by enormous pressure to reduce deficits.

Deprioritisation of IT at both national and local level is nothing new, but the gap between the level of ambition and the reality of funding pressures has never been greater.

We need robust local and national contingency plans for cyberattacks that directly affect care

Deprioritisation of cybersecurity can occur because it gets characterised as a governance risk: privacy concerns dominate, while the danger to the provision of care when systems become unusable as a result of a cyberattack takes a back seat. It is evident from recent experience that local and national contingency plans are not geared up for an attack that affects care. Organisations need to develop and regularly review effective contingency plans, as the National Data Guardian has recommended.

National bodies and government must ensure minimum standards for cybersecurity and governance across the sector

It is unclear whether NHS Digital and NHS England had contingency plans in place, or the capacity to support NHS organisations effectively, during the recent attack. It is heartening to see that the Care Quality Commission plans to begin reviewing data security capabilities; this should also encourage organisations to see these as risks to clinical care rather than purely governance matters.

The government must remove the barriers to the NHS moving forward with cybersecurity

Progress in this area has been slowed by the government's delay in responding to the National Data Guardian's review, a result of its conflation of data security issues with policy questions about data-sharing and consent. This has reinforced the idea that security safeguards are primarily about avoiding privacy breaches rather than protecting patient safety. The government also needs to face up to its responsibility for boosting capital budgets, so that NHS organisations are not forced to choose between replacing medical equipment, such as MRI scanners, that runs on unsupported software and replacing medical equipment that is falling apart.

While the NHS does not appear to have been specifically targeted in the recent WannaCry ransomware attack, it was certainly extensively affected. These failures are not technological; they are human, organisational and strategic errors, and they require human, organisational and strategic solutions.