Let there be no doubt that the 2017 WannaCry ransomware attack was a catalyst for the NHS to do better – better with cybersecurity strategy, and better with getting the ‘taking cyber seriously’ message across to everyone from staff at all levels to the general public itself.
But the contention it needs to do better may seem a little harsh, given that when writing Digital Health’s recent cybersecurity special report, I made it very clear that the official post-WannaCry NHS review by NHS England chief information officer Will Smart found only one percent of NHS activity was directly impacted by the ransomware attack, and that the NHS was not directly targeted.
No doubt the brand has been damaged
That word ‘impact’ is key though – with 80 of 236 hospital trusts actually affected, not to mention 595 of 7,545 GP practices. Ask pretty much any member of the public about how badly the NHS was hit by WannaCry collateral damage, and the answer is likely to be “very badly indeed”.
In fact one vendor did just that, and has published the results in the form of a public and private sector online services audit that makes for very disturbing reading. That 83% of British adults were ‘uneasy’ about sharing information with public sector organisation servers or websites is bad enough, but when you start to drill down the data it gets worse.
Some 34% of these people started harbouring concerns as a direct result of the WannaCry attack. And the NHS was flagged as the organisation in which the public has least faith – the security of data held within NHS systems raised the biggest concerns for 87% of those questioned.
In any other sector, if all but 13% of your customers were concerned about your data security capabilities then, frankly, you’d be out of business. That NHS users have little choice in the matter is cold comfort. Those numbers just confirm that brand damage has been done to the health service by WannaCry.
(Not) patching you through
Said brand damage has been heightened by reporting in both mainstream and specialist media such as Digital Health of a parliamentary hearing held by the Public Accounts Committee last month.
During the hearing, the deputy chief executive of NHS Digital, Rob Shaw, admitted 200 trusts had failed the Cyber Essentials Plus certification when assessed by the Care Quality Commission. One of the reasons for the failure being – are you ready? – that adequate patching had not been implemented.
Face, meet palm.
The two are about to meet again, as Shaw stated in mitigation that “the amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against is quite a high bar. Some of the trusts have to do quite a considerable amount of work, but a number of them are already on the journey that will take them towards meeting that requirement”.
A very slow journey
Say what? Cybersecurity isn’t easy; nobody is saying that it is. The bar should be set high, in fact as high as it goes. After all, this is ultimately patient data at risk – and potentially patient lives. The journey of which Shaw spoke is one that should not only have started, but be at the stage of sharing the photos on Facebook by now.
So let’s be totally honest here and admit that, when it comes to the NHS’s data security reputation, things are starting from a pretty low base. By which I mean that when you are already close to the bottom of the public perception ladder, climbing up a few reputational rungs shouldn’t be that difficult. The measures put forward in the national NHS review, and as outlined in the Digital Health special report, will go a long way to climbing up a good few rungs. Assuming, that is, no security incident snakes crop up while the strategies are being implemented such that said reputation slides back down again.
What’s the score?
That all NHS foundation trusts in England are now signed up to CareCERT is a step in the right direction, but maybe there needs to be a much better publicity offensive alongside it. I don’t eat in restaurants whose Food Standards Agency Scores on the Doors hygiene rating is less than three stars, and if there’s a choice then a five-star diner wins every time. Where is the equivalent for NHS data security? Where are the ‘cybersecure’ certifications that at least allow the public, and NHS staff, to gauge how far along this security ‘journey’ a given hospital, GP practice or clinic has progressed?
Words are, of course, pretty easy to come up with (he says thankfully). Words will not be enough, and of this I am certain, when it comes to rebuilding the shattered reputation of the NHS as far as security perceptions are concerned. Actions are needed, and actions will be everything. Especially as GDPR is now literally just around the corner, with that enforcement date of May 25th drawing ever nearer.
Actions are what still appear to be somewhat lacking, despite the £25 million worth of funding identified by NHS England CIO Will Smart to help improve cybersecurity this year. A figure that could, feasibly, appear very small beans indeed if multiple NHS trusts find themselves on the wrong end of GDPR non-compliance fines. And non-compliance is far more likely than you might think if some reports are correct. If you think public trust in the ability of the NHS to secure confidential data is low now, it will be lost altogether in such a scenario…
6 April 2018 @ 16:06
If history is anything to go on, the problem with organisations (including the NHS) blowing a trumpet about progression since WannaCry is you kind of make yourself a tempting target for those ‘bad actors’ willing to prove otherwise. Progress isn’t something that really sells broadsheets and cyber security will always be an on-going challenge, even more so with the IoT. Things have moved on at pace since that fateful day, it’s just not in the public domain.
5 April 2018 @ 14:20
chip shop paper…