In September, NHS Digital launched a campaign to raise staff awareness around basic cyber security. Following on from this, the organisation’s deputy chief executive and senior information risk owner, Rob Shaw, talks about the importance of good cyber hygiene to help fight data breaches and security risks in the NHS.

Handwashing is something so routine to clinical staff that it is carried out as a matter of habit and viewed as an essential part of keeping people safe. We all need to routinely display the same levels of care towards cyber security, to keep our patients – and ourselves – safe.

This is the simple message we are communicating to NHS staff via our recently launched Keep IT Confidential cyber workforce campaign.

The campaign seeks to embed habits that will become an everyday part of people’s behaviour. This means raising the level of attention people pay to the security of information in their workplace to protect patient data, health care records and details of IT systems.

Constant vigilance

We have done a great deal to combat cyber security attacks. Dan Pearce, NHS Digital’s interim chief information security officer, described in a recent blog post how we have embarked on one of the most ambitious cyber security programmes seen in any health and care system across the world.

But we know that we must remain ever vigilant to maintain the safety, privacy and trust of patients. This becomes increasingly important as we continue to harness the use of data and technology to improve our health service.

Cyber criminals look for small cracks to batter down the walls erected to keep us secure. Those small cracks can be found through busy individuals who, in a moment’s haste, leave their screen unlocked when they leave their desks for a short period, or who allow someone to follow them into a building when they have no idea who they are.

Driving cultural change

Our campaign is seeking to drive cultural change by increasing the perceived importance and level of attention paid to data and cyber security by all staff in the NHS. People can make a real difference to keeping our tech systems and patient data safe.

Simple steps need to become routine practice. For some, it will be a reminder of what they know they should do, but sometimes they ‘miss a beat.’ For others, it may mean a step change in their behaviour.

These changes in behaviour include:

  • Not opening emails that look unusual and unfamiliar. These are phishing emails. They are unsolicited emails that contain attachments or links to try and trick people into providing access to information such as patient data, health care records or details of IT systems.
  • Preventing tailgating – where unauthorised people gain entry to a building by following a staff member through security facilities such as doors, gates and other barriers.
  • Ensuring screens are locked when you leave your desk. Leaving a screen open for anyone to read is an open invitation to people wanting to steal patient data.
  • Ensuring your passwords are strong, complex and varied. Passwords are the best form of defence that we have to prevent unauthorised access, so make sure you keep them private and out of sight of others.

Campaign for change

We wanted to emphasise that adopting these safer practices is good for us all – whether we work within the NHS or are patients. It was important to ensure that our campaign materials were clear and easy for all staff groups to understand, including those who have little knowledge of IT or have different accessibility needs.

We worked closely with several organisations, including early adopter trusts, Dame Fiona Caldicott, the Strategic Information Governance Network (SIGNs) and the National Cyber Security Centre, to ensure the campaign was robustly tested and would resonate with NHS staff.

This awareness campaign is one part of a wider strategy that sees NHS Digital working with NHS organisations of all sizes to strengthen their resilience. In the same way that this campaign is a small part of a bigger picture, small changes in behaviour can make a big difference to cyber security at both a regional and national level.