NHS England’s head of architecture said there must be a unified front on cybersecurity from NHS board members for there to be any meaningful change following WannaCry.
Speaking in Birmingham on Thursday at Digital Health’s Public Cyber Security Conference, Inderjit Singh said moving cybersecurity to the top of board-level agendas should be the focus of the NHS’s efforts in building technical resilience.
He warned that failure to do so would guarantee a repeat of the events that crippled NHS services in May.
Key to this is moving the cyber conversation from being an IT issue to one concerning leadership, said Singh.
“WannaCry brought home the fact that this is a business continuity issue, not a technology issue. It has front-line implications for services, and front-line implications around disruption to services. In terms of board level engagement and conversations around cyber, we need to drop the term cybersecurity and more talk about business continuity.”
While he said there had been “good discussions around technologies and approaches”, Singh said there had been “hardly any focus” yet on cybersecurity at board-level.
He referred to the National Audit Office’s (NAO) investigation into WannaCry and a report by the National Data Guardian in September, which highlighted the need for the NHS to create cyber-leadership roles across the organisation and establish better communications between departments.
“This is an area that has significant immaturity at all levels: regional, national and local. We need to take a system-wide approach around this,” Singh said.
“We want to create a network of leads who can talk about best practice and when issues are arising, and share that knowledge and understanding. At the moment, it feels there are people taking on those responsibilities because there aren’t other people to do that… For the board, this is where the biggest gap and effort is required.”
The NAO report said the extent of WannaCry’s impact on the NHS was in part down to its reliance on outdated software, with many organisations running Windows platforms no longer supported by Microsoft.
The investigation concluded that the infection could have been stemmed had NHS organisations followed basic IT security principles. “It was clear we could have prevented it,” said Singh.
“It was a known vector, it was a vector that wasn’t particularly complex, and one that could have been addressed several months previous. This wasn’t about new and sophisticated technology, it was about how we didn’t put the basics in place to mitigate these.”
However, Singh acknowledged there had been “significant under-investment” in the NHS in terms of basic IT. “We are far away from industry standards such as Cyber Essentials Plus,” he added.
Rather than throwing money into new products, Singh said the focus instead should be directed toward “doing the basics right.” However, he reiterated that this was not an issue which sat solely within IT departments. “This was never an IT risk,” he said.
“If we don’t get this understood, we’re going to carry on playing with consoles and pretending it’s a technology issue.”
Singh outlined the need for health and social organisations to demonstrate an adherence to basic data security standards, and suggested there be “clear asks and requirements” of NHS boards.
“Do you know this is what the NAO already expects you to do? Do you have a clear framework? Do you understand cyber mitigation? Do you have the skills and training to do that?”
“What this means is, as a board, you need to care. The board-level conversation can’t be ‘this sits with IT’. If the only answer is to sort out IT, it clearly hasn’t been established as a business continuity risk.”