One of my constant gripes about the NHS is the way in which it tries to control centrally those things which really are better dealt with peripherally while, simultaneously, allowing decisions and actions to be taken on the ground that really need centralised directions and/or funding.
Rather typically, this seems to have happened to the Health and Social Care Information Centre over cyber security.
A nationwide NHS – fabricated from many disparate purchaser and provider units, all connected together electronically, and with its computers holding terabytes of confidential and medically critical information – simply cries out for a firmly centralised approach to hacking, malware and ransomware.
Indeed, the HSCIC has come to the rescue with CareCERT, a centralised organisation, to spot cybersecurity breaches and deal with them quickly and reliably. There’s just one problem – it has no power to force NHS organisations to enact its recommendations.
Connecting up problems
Cyber crime is an ever-present threat and the dangers increase exponentially with the number of computers that are connected together.
For example, ransomware on your personal laptop will encrypt your files, and then present you with a ransom note. All the data on your computer has been electronically locked up, and if you don’t pay, the key will be thrown away.
This is bad enough – but if an affected computer is part of a network with mapped drives, the potential for damage and further propagation is far greater.
A number of practices and a handful of clinical commissioning groups have apparently fallen victim to ransomware already, so we aren’t talking “theoretically” here.
The way to protect against malware, conmen and hackers is for everyone in the NHS to take cybersecurity seriously. (Yes, this means you.)
Vet those who have access to your computer(s); have a robust set of protocols for creating and refreshing IDs and passwords and implement them; and use reliable, up-to-date antivirus software.
Then, very importantly, teach all NHS users the basic principles of cyber security – chief of which are: “Stay alert”; “Think before you click on a link”; and “Cyber crime is often about tricking people rather than computers”.
Even then, you’ll need luck.
Patch and keep on patching
A core part of this defensive scheme is to ensure that, as far as possible, everyone is using up-to-date software, complete with all appropriate patches and upgrades.
If a version of software such as Windows stops being supported, but upgrades are issued for later versions, then hackers will look at the upgrades, reverse engineer them to deduce the security gaps they were intended to seal, and mount a cyberattack on anyone foolish enough to continue using the old, now unsupported (and therefore extremely susceptible) versions of the software.
In real life, keeping all software truly up to date can be difficult: in big organisations such as hospitals, patches often can’t be applied automatically for fear of crashing other suppliers’ software. They need careful testing beforehand.
Sometimes, upgrading is difficult because existing software may not be compatible with the newer browsers, or with the version of Java that is being run.
Often, however, the lack of updates is just about money: there isn’t any. Nevertheless, if the Secretary of State for Health wants the NHS to work entirely from electronic records, then he will have to pay for it.
After all, the rest of the world manages to stay up to date – largely by being prepared to spend more, and not sweating existing assets beyond their sell-by date.
By comparison, CCG-land is subtly different. In general, there’s a much simpler IT environment than in a hospital: an absolute maximum of four primary care systems; perhaps some third party software; Microsoft Office; and software covering out-of-hours, SUS analysis, the e-Referral Service, NHSmail, and the systems used internally within the CCG.
It should be much simpler for HSCIC to consider mandating a ‘rip and replace’ approach here, provided that adequate resources are made freely available to CCGs, and ring-fenced.
How to burgle a house
Everyone knows to protect against burglars. Many front doors now bear a passing resemblance to Fort Knox – a Yale deadlock, a door chain, sliding bolts top and bottom and maybe even a second five-lever lock. That’ll stop ’em!
Yet how many of these same houses have a back door with a window made of non-toughened glass, a titchy three-lever lock and a tiny, surface-mounted sliding bolt that wouldn’t stop a charging snail? That’s where the burglar will actually get in.
In essence, that is exactly what is happening with the NHS’s computing, especially at the peripheries.
And it’s going to get worse, because in the near future we’ll be expected to join up our IT with that of councils, in order to record and share social care information. (These same councils are often just as strapped for cash as the NHS, and like us, aren’t able to upgrade their workstations.)
As a result, we have the worst of all worlds: an expensive core system which undoubtedly has high standards and a Rolls-Royce approach to security, together with a large, hugely disparate group of users of varying IT abilities, many of whom know precious little about cyber protection and continue to use antique kit such as Windows XP and IE7 because “it still works”.
Well, it may well not work for long. Yes, it can cost a bomb to continually upgrade the hardware and the software – but it’s likely to cost six or seven times that sum if a cyber criminal trashes the NHS’s databases, or inserts ransomware – to say nothing of the danger to patients if data about them is lost or, worse, corrupted.
Keep it simple
As is so often the case, the best can be the enemy of the good. Forget massive central solutions. Forget elegant projects, certificates of excellence in cybersecurity, national qualifications and the like – that’s the Fort Knox front door.
Instead, concentrate on the back door: low-level, simple principles, such as: a mandatory minimum specification of basic hardware and software for all computers used in the NHS (and a decent amount of funding to back it up); compulsory education in basic computer security for all NHS users; and a centrally maintained – and above all, easily findable – list of the requirements and compatibilities (and incompatibilities) of all commonly-used NHS software.
Otherwise a disaster is waiting to happen.
Dr John Lockley
Dr John Lockley is clinical lead for informatics at Bedfordshire Clinical Commissioning Group and a part-time GP.