There were no surprises as WannaCry dominated cyber security talks at EHI Live this week, with NHS Digital and NHS England both raising their hands in admitting that more needs to be done in establishing a better communication process to prevent and respond to cyber-attacks.
During his cyber security session talk at the Birmingham event, NHS England’s head of architecture Inderjit Singh said the organisation is working with NHS Digital and NHS Improvement on improving some of the network monitoring and national services, to help organisations understand where there are threats and vulnerabilities.
He said there has been discussions around having local ‘cyber leads’ and creating ‘cyber champions’ across the service as “go-to” people for when an attack occurs.
“We are now moving to a place where we require every organisation to sign up to CareCERT alerts too, so they proactively respond to say “yes, I received the alert” and action it.”
He said it is to understand the type of threats that are out there and how to best communicate it back down locally.
“We need to ensure that organisations, boards and their staff are taking the cyber threat seriously, understand the direct risks to frontline services and work pro-actively to maximise their resilience and minimise impacts on patient care.”
Singh emphasised that the key lesson about WannaCry is moving the discussion from it being a technical issue to one of business continuity – – agreeing with NHS Digital’s deputy chief executive Rob Shaw that it is about a collaborative approach to address issues such as communication.
“This was a known vulnerability; it was something that we could have acted upon, so there really is a strong call out about how we can collectively work together to be on the front foot around cyber threats and improving cyber resilience”, Singh said. “It’s not a matter of if, but when it occurs.”
With NHS Digital not issuing its first initial communication on the subject until about four hours after receiving reports about the attack, Shaw, said: “That’s way too long.”
“We know we need to get better communications, not just us, but as a system – NHS England, NHS Improvement and the Department.”
“We need to be able to provide you with those tools to make informed decisions.”
For Singh, he said communication is one of the most fundamental bits of cyber security.
“Communication was a clear feedback – how do we at a local, national and regional level come together with effective communication channels.”
He said discussions need to be a board level agenda item.
“In order for us to really stand out in the cyber agenda at board level, this has got to be a collective set of conversations – there is a role for every organisation. As NHS England, there is a clear role around establishing that board level leadership and recognition.”
Singh spoke about enforcing the National Data Guardian’s 10 data security standards and how the Care Quality Commission and NHS Improvement will ensure every organisation implements it. “It is important we collectively have those conversations around the data guardian standards.”
The other key activities NHS England will enforce include establishing a clear contractual and regulatory framework, building local performance and boosting capability and improving threat surveillance and incident responses.
“This is something that is here to stay – this is about readiness”, Singh said.