As the deadline for this second column approached, I wrestled with what to discuss. There is so much potential content on the subject of information security; where do you begin?
As I fought this ‘second album syndrome’, we were undertaking our personal development reviews or PDRs within the Health and Social Care Information Centre.
You know the drill – you reflect on the year, identify what you’ve achieved, have some honest feedback, set some objectives for the coming year, and then plan some training and development to become a better corporate citizen.
Every year is different – some colleagues completely understand their performance and development needs, others need their PDR to understand where they’re at; while the rest of us sit somewhere in the middle.
The role of the manager is to enable people (of whichever type) to succeed and improve: to understand their baseline and to build on it. The individual, however, is responsible for acting on the feedback. That is the idea, at least; good leaders really should enable their team to develop and succeed.
Personal development reviews; let’s think bigger
All of this got me thinking about our approach to cyber security. If good leaders enable success, what is the role of central NHS bodies in enabling health and care organisations to enhance their cyber security skillset?
Before we tackle that question, I just want to return to PDRs for a moment – no, not mine or yours (unless you want to share?) but some general points on performance and development.
I actually enjoy being reviewed as I get independent assurance that I’m doing the right things, areas of improvement are identified, and an agreed action plan is put in place.
So why don’t we apply similar thinking to organisations and to issues such as cyber security? Why shouldn’t organisations have an independent assessment of, say, their security preparedness?
Similarly, if corrective action is needed, for example in the event of a data breach, how do organisations make sure they have taken the right corrective action?
I have been extremely lucky over the past 12 months to be able to go to national and local events, visit NHS trusts, and meet colleagues from social care, to discuss cyber security and how we can enhance our approach as a system.
The one thing that is clear to me is that there is no ‘one size fits all’ model. However, there is a standout message, and that is that enhanced support and guidance would be well received.
As such, we have developed a cyber security approach that is about enablement. We want to empower organisations to be accountable for cyber security locally, but to support and enable them to improve and enhance what they do.
OK, that’s a nice policy soundbite (if a slightly wordy one) but essentially it is about offering services that improve security without mandating or removing local ownership and decision making.
This started with CareCERT Broadcast, and will soon be followed by CareCERT Assure and CareCERT React.
Introducing what nobody is calling the Cyber Security PDR
I’m sure that if you are reading this you understand what CareCERT Broadcast is, but for the sake of good journalism (because there might just be new readers out there) I will briefly explain it.
This service gathers and understands known threats and notifications of incidents, then broadcasts them appropriately across health and care to support proactive mitigations. Organisations can then choose whether to act on the guidance and the mitigation advice.
The idea is that local organisations are enabled to pro-actively fix vulnerabilities before they turn into incidents – increasing cyber preparedness across the system.
There are some really good case studies on the positive impact of CareCERT Broadcast on malware infection rates at individual organisations; but to reiterate, it is a local choice as to whether, when, or how these bulletins are acted upon.
CareCERT Broadcast has been live for many months now and we’ve received some interesting feedback on what other cyber security services health and care would like us to provide.
One of these is an organisational Cyber PDR (ok, so nobody actually used that term, but it fits the narrative of the piece, OK?).
Would your organisation take a free cyber assessment? I know the truth hurts sometimes, but isn’t it better to have a baseline to improve from? To understand weaknesses, to support targeted investment, to improve what we do and strengthen our cyber defences? We do this for people, so why not for organisations?
Welcome to CareCERT Assure
Welcome CareCERT Assure. At this stage, I can’t go into the specifics but essentially this will be an opportunity for health and care organisations to take a free assessment of their cyber strengths and weaknesses.
We’re not a regulator and the detail of the assessment is yours to act upon, but we want to learn lessons on behalf of the sector, benchmark what good looks like, and then spread the word.
At the same time, we also want to help individual organisations to pin-point areas to improve on and invest in, maximising the limited investment that’s available locally to spend on cyber security.
It’s all about situational awareness and understanding what value for money steps can be taken to improve local cyber security preparedness. As we do more and more of these, we can help improve the system preparedness to cyber-attack. This cannot be a bad thing? (Can it?)
Wing over your thoughts
We’d like to know what you think. We believe that giving organisations a greater understanding of their cyber strengths and weaknesses, and enabling targeted investments that add the most value pound for pound, will deliver better security.
However, we are here to enable, not to dictate through the old ‘top-down’ delivery. We’ve had some great ideas from organisations across the health and care system and we’d happily take more.
So I throw it open to you. Is it right to take this approach, to enable better cyber preparedness through giving greater situational awareness, to strengthen defences to prevent an incident?
To let us know, add a comment to this article, use semaphore, email, drop us a telegram, send a pigeon or call myself and my team. We genuinely want to hear your view.
The best way to build a better and more prepared system is to listen and take feedback, so please take the opportunity and share your expertise and knowledge with us.
We look forward to hearing your views, whatever they are. However, for now, I had better get back to finalising my PDR or there might not be anyone at the end of the phone if you do give me a bell…