The interim chief executive of NHS Digital has given his 10-point list on how organisations can help prevent cyber-attacks.

Speaking at the King’s Fund Digital Health and Care Congress on 11 July, Rob Shaw described May’s WannaCry attacks as the “hardest dress rehearsal of what could happen if things really went wrong” in a cyber-attack.

The WannaCry hackers exploited a single known Microsoft vulnerability, and the attack severely affected the NHS, with 20% of trusts affected. Ambulances were diverted, staff reverted to pen and paper processes and operations were cancelled.

Shaw said that the global attack has earnt the attackers $80,000, and that 300,000 machines were infected worldwide in 150 countries.

He again defended NHS Digital’s role in responding to the attack, particularly through CareCERT, and added that 21 suppliers stepped up with “genuine offers of help”.

“I think the NHS did remarkably well,” said Shaw. “I think we responded well but we could do better.”

Shaw said that security needs to be treated “in the same way we treat safety, so if there’s a near miss we report it and we encourage people to report it”.

This escalation was echoed in the Government’s response to the Caldicott report, published 12 July, which wants cyber-security to be represented at board level, critical incidents reported sharply and a £21 million fund given for cyber prevention at major trauma trusts.

He confirmed that no patient data was affected in the WannaCry attack.

Rob Shaw’s top 10 things to check BEFORE the next cyber-attack:

  1. When did you last rehearse your incident plan?

Shaw said that the first time NHS Digital ran its incident plan it was “an absolute car crash”, but that he had the luxury of planning ahead.

  2. Are your people doing what they need to do to maintain cyber resilience (patches, responding to alerts)?

Shaw referenced the idea of “patch Tuesday” for organisations.

  3. Do you have a paper copy of your incident plan both on and off site and comprehensive contact lists for your incident team?

One trust had apparently put everything on the system as it was trying to go paperless, said Shaw, so have a copy in your briefcase just in case.

  4. Does everyone in your incident team have the same?
  5. Is each member of the incident team clear about their role? Is there a tiered incident management structure?

When you get into a crisis people tend to act like headless chickens or go missing, said Shaw, so be clear on who has responsibility for what.

  6. Do you have escalation points for incidents of different severity? If in doubt, operate at the greater severity level.

Have you got a gold, silver and bronze command? asked Shaw.

  7. Do you know the contact details of key incident management partners?

The trust needs to know the supplier’s named contacts to call in case of an emergency.

  8. Depending on the severity, agree the frequency of face-to-face meetings.

You need to allow the people who are doing the work to do the work, said Shaw.

  9. How will you communicate with your staff, the media and other agencies?

Shaw said the “media can help” by alerting patients to who has and who hasn’t been affected in a cyber-attack.

  10. Patching and cyber hygiene are a vital first line of defence, but there’s no room for complacency.