On 12 May 2017, the global WannaCry ransomware attack hit the NHS, causing widespread disruption across local healthcare organisations.
As a result:
- More than 19,000 hospital appointments were cancelled.
- 80 of 236 trusts in England suffered disruption.
- 603 NHS organisations, including 595 GP practices, were infected.
The Government revealed last week (11 October) that the attack cost the NHS £92m, of which £19m was ‘lost output’, such as cancelled appointments, and £73m was IT costs.
To prevent or mitigate future cyber attacks, the Department of Health and Social Care (DHSC) has issued a series of recommendations, including:
- Developing action plans
As recommended by the National Cyber Security Centre (NCSC), all trusts and foundation trusts have to draw up plans to comply with the Cyber Essentials Plus standard by June 2021.
Cyber Essentials is an NCSC certification scheme that confirms an organisation has the right IT measures in place to deal with cyber attacks.
All NHS organisations are required to carry out on-site assessments by December 2018 and to come up with a plan to improve cyber security, based on the findings.
- Self-assessing through an online tool
Health and social care organisations operating under the NHS contract need to complete an online assessment tool – the Data Security and Protection Toolkit – and report their results to NHS Digital by 31 March 2019.
In addition, the organisations should include plans detailing how they will address any areas of non-compliance, as well as their plans for compliance with GDPR.
- Appointing a data security lead
All organisations should appoint an executive director as data security lead. For CCGs, this position should be filled by a board member or an equivalent senior manager.
Boards need to regularly assess the cyber security risks within their organisation, introduce appropriate measures to reduce the impact of an attack, and ensure adequate arrangements are in place for services to recover from any successful attack.
- Managing third-party contracts
Third-party contracts for local IT systems should be managed and monitored through processes, contracts and controls set up by the organisation.
It is important that both commissioners and providers understand their business continuity – defined by NHS Digital as the uninterrupted delivery of products or services at agreed levels following a disruptive incident – and how software is updated.
- Having business continuity plans
Healthcare organisations should outline the details of how they respond to a cyber attack in their business continuity and disaster recovery plans. These plans must include a clear assessment of any service loss, whether the service is provided by a third party or the organisation itself.
The DHSC recommends that these plans are frequently tested, reviewed and updated under the supervision of the board.
- Collaborating with community groups
NHS service providers are advised to collaborate with existing local Warning, Advice and Reporting Points (WARPs). These are community-based groups that provide up-to-date advice on security threats, including potential solutions.
- Adding pooled resources in STP plans
Pooled resourcing arrangements related to cyber attacks should be part of STP plans. This is in addition to the resources local boards already dedicate to their IT infrastructure, systems and services.
The DHSC also encourages local NHS organisations to come together to develop business continuity strategies, as part of their STP plans.
- Undertaking annual training
In order to raise cyber security awareness among staff and help them understand the risks, NHS organisation boards are expected to undertake annual training. The requirements for the training will be provided this year by NHS Digital chief information officer Robert Coles.
Although it is not ‘formally recommended’, the DHSC said, organisations should consider whether staff who fail to complete the training should retain access to IT systems.
Coupled with the mandatory training, organisations have to ensure that staff receive regular training tailored to their roles. Such training could include in-house simulated phishing exercises to evaluate staff awareness of the risk of opening suspicious emails.