Improving Cyber Security in the NHS - Imperial College London
Improving Cyber Security in the NHS

Saira Ghafur, Gianluca Fontana, Guy Martin, Emilia Grass, Jonathan Goodman, Ara Darzi
Contents

1. Executive summary
2. Introduction
3. What does cyber security entail?
4. What makes the health sector particularly vulnerable?
5. NHS cyber security accountabilities
6. Emerging challenges
7. Key practice priorities
8. Research priorities
9. Summary
10. References
Foreword

The last few years have seen a surge of new digital technologies being used in healthcare, and as a consequence, ever-larger quantities of data are being generated. With this digital evolution comes a wealth of opportunities to improve the health and care of patients, and to prevent, cure and manage illness. Over the past century, health system leaders have progressed toward these goals, aided by significant advances in science and technology: new vaccines, medicines and surgical techniques; technologies, such as telehealthcare, which can dramatically improve access, and analytics to better measure the costs and variations of care provision. These factors contribute to improvements in life expectancy across the globe.

However, there are also enormous risks. The NHS holds large amounts of sensitive and valuable data in vulnerable systems. Effective cyber security is not just about protecting data, it is fundamental for maintaining the safety, privacy and trust of patients. The global cyber attack, WannaCry, in 2017 compromised IT across the NHS, starkly demonstrating the vulnerability of the NHS. There is no quicker way of undermining the public’s trust than by allowing essential systems to be compromised or personal data to be lost.

Imperial College London has established a new interdisciplinary collaboration for cyber security in healthcare between the Institute of Global Health Innovation (IGHI) and the Institute of Security Science and Technology (ISST). This collaboration will serve as a leading hub for translational research in cyber security for healthcare, both in the UK and globally and will aim to provide a powerful engine to support the incubation and transformation of research through academic excellence, aligned objectives, funding and resources.

This report identifies some key insights for the UK health and care sector to consider for future cyber security practices, policies and protocols; this includes increased investment, improved governance and greater accountability, which are essential to protect the NHS from future attacks.

I would like to take the opportunity to thank all those who have contributed to the production of this report, with a special thanks to our advisory board who have in-depth knowledge across academia, industry, healthcare and government.

Professor the Lord Darzi of Denham OM KBE PC FRS

Advisory Board

Professor Chris Hankin, Co-Director of the Institute for Security Science and Technology, Imperial College London
Professor Hankin’s research is in theoretical computer science, cyber security and data analytics. He leads multidisciplinary projects focused on developing advanced visual analytics and providing better decision support to defend against cyber attacks for both enterprise systems and industrial control systems. He is Director of the UK’s Research Institute on Trustworthy Inter-connected Cyber-physical Systems (RITICS). He is Chair of the UK’s Academic Resilience and Security Community (Academic RiSC) and sits on the ministerial oversight group of the Security and Resilience Growth Partnership. He is Chair of the Association for Computing Machinery (ACM) Europe Council. He is also a member of the ACM Publications Board.

Professor Nick Jennings CB FREng, Vice-Provost (Research and Enterprise), Imperial College London
Professor Nick Jennings, CB FREng, is responsible for promoting, supporting and facilitating Imperial College London’s research performance and for leading on the delivery of the Research and Enterprise Strategy. He also holds a chair in Artificial Intelligence in the Departments of Computing and Electrical and Electronic Engineering. Before joining Imperial College London, Professor Jennings was Regius Professor of Computer Science at the University of Southampton and the UK Government’s Chief Scientific Advisor for National Security. Professor Jennings is an internationally-recognised authority in the areas of artificial intelligence, autonomous systems, cyber security and agent-based computing.

Rachel Dunscombe, CEO of the NHS Digital Academy and a strategic advisor for Salford Royal NHS Foundation Trust
Rachel additionally works with KLAS Research building a rigorous evidence base for success factors in the implementation of digital health and care solutions. As part of her role at Salford Group she has delivered the Global Digital Exemplar and two NHS Vanguards. She is also an Ambassador for the ECHAlliance / Digital Health Society and an ambassador for CHIME, the professional body for global healthcare CIOs. She currently holds a Visiting Professorship at Imperial College London and is a certified CHCIO - a US healthcare CIO certification.

Cal Leeming, Founder & CEO, River Oakfield
Cal Leeming is a cyber security expert and co-founder of several startups, including The Zebra and PixelMags, and recently appointed to the Healthcare Cyber security Advisory Board for Imperial College London. The story behind Cal’s journey is remarkable. After a nefarious start where his natural curiosity and obsession to understand how things work led him astray, he was caught hacking at the age of 12, making him the youngest child ever to be prosecuted under the Computer Misuse Act in the UK. Now in his early 30s, Cal’s ingenuity and ambition have earned him the reputation of a trusted industry icon.
1 Executive summary

Ineffective cyber security is a clear and present danger to patient safety in the UK and worldwide. As the recent WannaCry attack on the NHS showed, cyber incidents can significantly disrupt health and care systems and directly contribute to patient harm. The NHS was found to be vulnerable and not adequately prepared to respond, with limited capability and uncertain accountability for cyber security. In the future, the threat and consequences will inevitably grow due to an increased reliance on technology in healthcare, and evolution in the motivation and sophistication of malign actors.

While WannaCry was a wide-ranging attack that happened to impact health systems including the NHS, in 2018 hackers specifically targeted the Singapore healthcare group SingHealth and stole the information of 1.5 million patients. In addition, WannaCry blocked access to NHS systems, but was very visible. The threat to patients would have been even bigger if data had been subtly manipulated, for example changing a patient’s blood type in the Electronic Health Record, without being detected. This highlights that any cyber attack in healthcare is a threat to patient safety.

Technology is expected to “transform” the NHS. Innovations like the increased use of artificial intelligence, cloud computing and connected devices can support more effective care. However, as healthcare relies more on technology, the risk of cyber disruption will also significantly increase, unless appropriate actions are taken. In addition, cyber attackers are becoming more sophisticated and focused on the health sector.

In examining the opportunities, threats and challenges of emerging technologies in the context of cyber security, this report aims to identify some of the actions that can and should be taken at the policy and research level now and in the near term in order to ensure they are successfully exploited.

Addressing the future threat effectively will require appropriate actions to decrease vulnerability and improve resilience in the event of an attack. It is critical to understand and manage the underlying risk factors, by addressing unclear governance, vulnerable security architectures and modifying cultures and behaviours that lead to increased risk. It is also vital to take preventative action in order to reduce the risk of an attack being successful.

Key Insights

1. A culture of risk awareness and good cyber security needs to be embedded across the NHS and this needs to be effectively communicated to the public.
2. The oversight and governance of cyber security and risk needs to be streamlined and simplified.
3. An approach to developing sustainable minimum cyber security standards is needed for the design, build and procurement of medical devices.
4. Research is needed into the development of future data architectures that allow permeable boundaries of access and control to meet the specific context of healthcare; the need to widen access whilst putting in place features to restrict the ability of cyber damage to propagate.
5. The NHS Digital Data Security programme needs to be expanded and appropriately resourced to provide a single strategic cyber forum.
6. The mapping of interdependencies across the IT landscape and the consequences of shared infrastructure in the face of a cyber attack need to be better understood. There is a need to effectively model the impact of IT incidents across local, regional and national systems.
7. A mandated framework for cyber security should be further developed, tested and implemented along with operational resilience testing and assurance in the healthcare sector.
8. The infrastructure required for interconnected networks needs to be better understood to ensure the healthcare system is secure at scale.
9. Research into a better understanding of how and with what speed attacks propagate is needed in order to design time-relevant responses.
10. Cyber security attacks need to be viewed as a fundamental threat to patient safety and not just an IT issue.
2 Introduction

Emerging technology has the potential to transform healthcare. Artificial intelligence will make it possible to accurately diagnose complex conditions with economy at scale and speed; networked devices will allow the remote monitoring and dosage of drugs; the proliferation of wearable devices will allow patients to augment their health records with “pattern of life” data; robotic surgery will replace the conventional variety for many procedures, and improved communications will drastically reduce the need for patients to travel long distances for consultations.

Given the well-reported pressure on health services, every effort should be made to harvest the benefits that technology can bring, but in order to do this it is essential that it be done not only safely, but also securely with the understanding that technology is not safe unless it is secure.

In recent years, the number and severity of cyber attacks against healthcare systems and hospitals has increased significantly, compromising the health information of millions of people. In May 2017, the WannaCry ransomware programme encrypted data and files on 230,000 computers in 150 countries and devastated the NHS.[1] Key systems were blocked, preventing staff from accessing patient data and critical services; thousands of appointments and surgeries were cancelled, necessitating, in some cases, care diversion to other hospitals.

The WannaCry attack was not, however, targeted at the NHS, though it was allegedly state-sponsored. Other major organisations were affected, including: Telefonica, FedEx, Nissan, Russian Railways, and the Bank of China. Yet the biggest impact was undoubtedly felt by the NHS. As health systems worldwide watched on, it became apparent how vulnerable healthcare is to any cyber threat.

Prior to this, there were already well-publicised and alarming examples of cyber attacks targeting healthcare organisations, such as the Anthem Insurance hack in 2015, which has cost over $100 million in settlements and much more in costs to date after 79 million records were breached, or the ransomware attack on the Hollywood Presbyterian Medical Centre in 2016 which cost $17,000 in Bitcoin payment to bring to an end, having effectively shut down the hospital for many days.[2,3] More recently, in 2018, SingHealth, the largest healthcare provider in Singapore, suffered a cyber attack which resulted in the breach of 1.5 million records.[4]

Healthcare is one of the most frequently targeted sectors by hackers, in part because security among particular institutions is variable and because private health data can be valuable on the dark web.[2,5] Given the size of the population the NHS serves, major breaches represent a significant threat.

Cyber attacks can also have a significant impact on patient safety. As modern technology has become indispensable in healthcare operations, the vulnerabilities to cyber threats are increasing exponentially. This can happen in a number of ways: data can be stolen; data may be deleted or, even worse, corrupted in a way that is not obvious until years later; medical devices such as magnetic resonance imaging (MRI) scanners, computed tomography (CT) scanners, or implantable cardiac defibrillators can be hacked, causing direct harm to patients. Maintaining the security of healthcare is not only vital to ensure the safety of patients, but also to maintain their trust in those securing their health.

Notwithstanding the ongoing strategies to tackle cyber security within the NHS, the current healthcare landscape makes the attainment of a cyber secure future challenging. Healthcare networks are vulnerable as cyber security has not been prioritised as part of corporate strategy and investment. Current governance of medical technology is orientated towards clinical safety despite increased device connectivity. This complex governance structure is further complicated by the plethora of legacy infrastructure and practice throughout the healthcare sector.

3 What does cyber security entail?

The UK’s National Cyber Security Centre (NCSC) defines cyber security as how individuals and organisations reduce the risk of cyber attack from malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.[6] While this definition is largely comprehensive given how cyber security is practiced today, the world of information technology has evolved and continues to evolve. As technology changes and what counts as ‘cyber’ becomes broader, defining cyber security, and the growing number of terms that fall into cyber security studies, will become increasingly difficult.

The salient issue in cyber security is, however, always protection from different modes of undesirable or unpermitted access, but as more systems and devices become reliant on increasingly complex digital technologies the potential for exploitation will rise. Our goal in this section is to discuss what qualifies as a cyber security incident, and to describe the varying types of cyber security incidents currently seen across industries and their effectiveness.

A moving target

As the types of attacks launched in cyberspace have become more sophisticated, the terminology has in turn become more complex in an effort to account for the changing nature of attacks and the varieties of interfaces and networks that require protection. In healthcare, while data privacy and its associated security risks are a crucial issue that governments and members of the public focus on, medical device security is an under-appreciated issue that may become a pressing concern in the coming years.[7]

The increasing complexity of the subject does not, however, preclude the categorisation and classification of important aspects. Indeed, any discussion of cyber security ‘necessarily shifts to contexts and conditions that determine the process by which key actors subjectively arrive at a shared understanding of how to conceptualise and ultimately respond to a security threat.’[7] While offering a comprehensive definition for each aspect of cyber security may be akin to hitting a moving target given that technologies and incidents are always changing and new threats emerging, the critical notions of protection should remain constant.
Types of breaches

Table 1 gives common types of cyber security breaches. A group of primary distinctions should, however, be made among them, which is set out in Figure 1. While breaches often have identical or similar consequences for the system affected, i.e. the loss of data, loss of control or access to the system, and so forth, the causes of those breaches vary significantly, both in source and intent. Distinguishing between causes, sources, and intentions of the actor directly causing the breach can help to predict and prevent future breaches, either through technological or behavioural interventions.

This is not an exhaustive list, and other, more innovative forms of malicious attack will undoubtedly become more common over the coming years. The key distinction among these terms — and probably among all possible varieties of cyber breach — is in the source and/or cause. Figure 1 portrays these distinctions, which rest on whether a breach is intentional or accidental, state-sponsored or amateur.

These sources and causes of cyber incidents are logically distinct, though there is often overlap among them: with social engineering, for example, the malicious intent of an individual or group may overlap with the accidental contributions of a well-intentioned user. An individual may similarly exploit a cyber security system with the backing of a political group.

Regardless of the type of attack or the intention of the individual causing the data loss, cyber security measures involve protection of data and the prevention of unauthorised access, whatever its cause. The purpose of cyber security protocols is therefore to prevent and minimise the damage from all types of breaches. Awareness about how breaches occur, and how malicious attacks are changing with the advent of new technologies, is necessary for doing so.

Figure 1: Root causes of cyber incidents

Individual: An amateur hacker exploits a system without the backing of a government, hacking organisation, or political faction.
Group or state: A group of agents exploit a system for political or economic reasons.
Accidental: The cyber incident is the result of negligence or mistake, without reference to any malicious intent or larger agenda.
Malicious: The incident in question results from an intent to exploit the system for any reason.

Table 1: Common terms relevant to cyber security [9,10]

Credential reuse: This type of attack relies as much on a malicious hacker’s intentions and abilities as it does on the frequency with which users use identical passwords when logging on to different websites. If one website’s database containing user logon credentials is leaked, hackers attempt to use this information, which usually appears on the dark web, to access user data from other websites. For example, if all credentials for a badly protected gaming forum are stolen, hackers will use these usernames and passwords to try to log on to banking websites with the same details.

Cross-site scripting: In this type of attack, a malicious hacker targets a specific website’s users by injecting a legitimate website’s content with code that can infect users’ browsers. Any information the user communicates through the website is then funnelled directly to the hacker.

Cyber attack: Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.

Denial of service: While this type of attack does not lead directly to loss of data, it can disable users from accessing the page; when financial institutions, for example, are targeted, this type of attack has the potential to damage a country’s economy.

Dictionary attack: A type of brute force attack in which the attacker uses known dictionary words, phrases or common passwords as their guesses.

Download attack: The unintentional installation of malicious software or virus onto a device without the user’s knowledge or consent. May also be known as a drive-by download.

Exploit: May refer to software or data that takes advantage of a vulnerability in a system to cause unintended consequences.

Human error: From forgetting to log off a public machine to forgetting USB drives on the bus, human error accounts for an enormous amount of data loss per year. Fifty-three percent of all cases of data loss may be due to mistakes or neglect on the part of the healthcare organisation in question.[8]

Malware: One of the most common sources of breach, malware is an amalgamation of ‘malicious’ and ‘software.’ Malware can be used to steal data, monitor machine usage, or control devices, but almost always requires that an authorised user, mistakenly or otherwise, installs the programme onto his or her machine.

Pharming: An attack on network infrastructure that results in a user being redirected to an illegitimate website despite the user having entered the correct address.

Phishing: Phishing is a particular type of email scam, whereby victims are targeted from seemingly genuine persons or services, with the aim of tricking the recipient into either providing personal details or clicking on something that will allow the attacker to do something the user may not be aware of such as stealing credentials or installing malware.

Ransomware: Malicious software that makes data or systems unusable until the victim makes a payment.

Session hijacking: In this case, a malicious hacker takes control of communication between a user and server, enabling him/her to steal the data flowing between the two parties.

Smishing: Phishing via SMS: mass text messages sent to users asking for sensitive information (e.g. bank details) or encouraging them to visit a fake website.

Social engineering: Manipulating people into carrying out specific actions, or divulging information, that are of use to an attacker.

Spear-phishing: A more targeted form of phishing, where the email is designed to look like it’s from a person the recipient knows and/or trusts.

SQL injection attack: This type of attack specifically targets databases built using the SQL programming language. In this case, a malicious hacker may breach the database through the language the database is built with; this can lead the database to reveal information contained within it to unauthorised users.

Sources: National Cyber Security Centre, UK, and NHS Digital; ‘human error’ is an original definition.
4 What makes the health sector particularly vulnerable?

Summary Points

● Investments in cyber security are not given priority
● Untrained staff constitute (unintentional) internal threats
● Outdated and unsupported IT infrastructures and medical devices increase NHS vulnerabilities
● Inefficient incident response capabilities exist due to lack of cyber security specialists
● Complex structures hinder fast and efficient responsiveness in the face of a cyber attack

Healthcare is one of the most frequently targeted sectors by hackers, in part because security among institutions is variable and because private health data can be valuable on the dark web.[2,5] Given the size of the population the NHS serves, major breaches, such as 2017’s WannaCry attack, represent a significant threat.

The scale and availability requirements for sensitive data

As other sectors aim to limit access to data, the nature of healthcare and its sheer scale dictates that patient records need to be available to multiple staff members and now to patients as well. The personal and financial information included in medical records not only contains some of the most sensitive aspects of a person’s life, but may also be as valuable on the dark web as credit card data, making records attractive targets to malicious hackers.[11,12] Recent cyber incidents in the healthcare industry showcase this: in 2015, 78 million records were stolen from the Anthem Blue Cross Insurance System in the United States, and over 1.5 million records were stolen from the Singapore health system, including that of the country’s prime minister in 2018.[2,4]

Outside healthcare, records can be used for blackmail or, as is becoming increasingly common in the United States, for identity theft: according to Forbes, about 1% of the US population filed some kind of credit card complaint in 2016, 13% of which concerned identity theft.[13] As much as 10% of the US population had medical records breached in the same year and these records can be found on the dark web selling for a mere $100 each.[13] As health records often contain enough information to steal a patient’s identity, their value can be a great deal more in the wrong hands.

The competing demands of investing in IT and direct patient care

There has been chronic underinvestment in healthcare IT, especially compared with other market sectors; NHS organisations spend only 1-2% of running costs on IT services compared with 4-10% elsewhere.[14] To embed a security culture, there needs to be progressive investment in IT and an economic impact assessment to understand what is working. With limited budgets, health systems are faced with difficult choices in allocating resources, and cyber security investment is often not a priority when organisations struggle to meet minimum requirements for IT provision. This is often seen as a trade-off in all sectors, though the potential consequences for healthcare, both economic and in terms of patient safety, may be catastrophic.

While the UK government has invested heavily in cyber security measures, a year after WannaCry none of the 200 NHS hospitals inspected by the Care Quality Commission and NHS Digital met the criteria for Cyber Security Essentials Plus certification, a basic standard for security within the UK.[1] While no organisation had passed an assessment commissioned by NHS Digital, the purpose was to create a baseline and gauge improvement. (See page 16)

The extended legacy IT estate

Besides the complexity of the NHS, the IT landscape within the system is highly heterogeneous and inconsistent. For instance, different networks like the Health and Social Care Network (HSCN), local authority Public Services Network (PSN), or direct internet connections are in place, requiring differing security approaches. Although the Department of Health and Social Care (DHSC), NHS England, and NHS Improvement have defined the Data Security and Protection Requirements (DSPR) based on the National Data Guardian’s 10 data security standards, no detailed specifications are provided.

Therefore, it is not unusual that old software is used as long as it is regularly patched or not connected. In fact, all 80 NHS organisations that were affected by WannaCry had failed to apply the Microsoft update patch that had been recommended by NHS Digital.[15]

Although important steps are being taken to resolve these issues, much work remains to be done. Without accurate asset inventories of what is on a network, organisations will face the challenge of not being able to patch that which they don’t know exists. To date, no catalogue exists to systematically list all software and hardware deployed within the NHS. This leads to a severe lack of visibility of NHS vulnerabilities. Hence, it is not easily possible to evaluate the NHS’s resilience against cyber attacks.

Skills and capability

Hiring trained cyber security staff is difficult for the NHS, as it is unable to compete with commercial salaries. In December 2018, about 1.5 years after WannaCry, a Redscan freedom of information (FOI) request showed that as much as 25% of NHS trusts had no employees with cyber security qualifications.[15] It also highlighted that among trusts with 3000 to 4000 employees annual cyber security training expenditure may be as little as £500. Financing shortages also reputedly make it difficult for the NHS to hire competent cyber security personnel given the large pay gaps between public sector and private sector wages for similar work.[16]

Employee behaviour and culture

Most sectors aim to reduce their cyber risk by locking down systems and limiting access to records. In healthcare, however, this is difficult as access is required by multiple users to ensure safe delivery of care. In fact, there is a renewed drive to widen access across providers, share even more data and give patients and staff alike access to health records across a range of devices and settings.

Healthcare is actively widening access and opening up systems whilst simultaneously collecting an ever-greater range and depth of data. Furthermore, the increasing dependency on agency and temporary staffing within the health sector adds greater vulnerabilities and risk. Staff may be unfamiliar with systems and dependent upon the sharing of credentials to support the delivery of care, whilst the use of temporary staff increases the inherent challenges of tracking and monitoring access and use of systems and data.

Employee behaviour is a crucial aspect of healthcare cyber security that is frequently overlooked. Easy access to the most personal aspects of a patient’s life means that the potential for malicious activity is ever-present, particularly if data belongs to high-profile patients. There are publicised examples of such behaviours of staff being disciplined and hospitals fined following inappropriately accessing and sometimes leaking the medical records of celebrities.[17-18]

Currently, it is mandatory for all NHS staff members to complete online training on information governance (including cyber security), though recent evidence suggests that only 12% of trusts reached the NHS Digital target of 95% compliance.[15]

Highly complicated governance structures

The NHS, like all other health systems, is a complex behemoth of many organisations that provide leadership and governance for services across the board. The oversight for cyber security is led by the DHSC and different accountabilities have been assigned to the Arm’s Length Bodies (ALBs; see Figure 2).

One main problem is the lack of clarity and transparency leading to partly overlapping competencies. Such uncoordinated processes result in higher costs, inefficiencies and waste of resources. Complicated interrelationships prevent the NHS from responding to cyber attacks in as fast and agile a way as possible. In the field of cyber security, efficient responsiveness is critical for ensuring smooth-running operations, fast recovery from disruptions and mitigating negative impacts on patients.

Several key vulnerabilities, with particular emphasis on patient safety, are endemic to the healthcare industry and require immediate intervention to enable a safe and secure future for healthcare. While the UK government has, in the wake of WannaCry, begun to take steps to mitigate the risks these vulnerabilities pose, more work is needed to determine the specific risks unique to the NHS, which will in turn lead to improved cyber resilience.
Figure 2: National Accountabilities for Cyber Security of DHSC (black box) and ALBs (grey boxes)

*Since the 1st of July, roles and responsibilities for cyber security information at DHSC and NHS England have been incorporated under NHS X

Figure reprinted with permission from the Lancet Digital Health (Ghafur et al. 2019).[19]
5 NHS cyber security accountabilities

Summary Points
● This section highlights the different national and local bodies accountable for healthcare cyber security and their roles
● NHS cyber security accountabilities are complex and interrelated
● Newly introduced NHS incident response processes aim at improving cyber resilience, e.g. through CareCERT
● It is hoped that the launch of NHS X will help streamline NHS cyber-security accountabilities

The Government Communications Headquarters (GCHQ) is an intelligence and security organisation responsible for providing signals intelligence and information assurance to the government and armed forces of the United Kingdom. The NCSC, part of GCHQ, was established in October 2016 to be the UK’s national authority for cyber security advice and incident management. It has a mandate to help bring coherence and transparency to UK cyber security, in support of the government’s commitment to make the UK the safest place to live and work online. As part of GCHQ, it can draw on the unique capabilities of the UK’s intelligence agencies to help us do this.

GCHQ and NCSC provide intelligence and support for all critical sectors in the UK; however, DHSC and the ALBs are responsible for operationalising services across the NHS. Since the WannaCry attack, the NHS has taken several steps to increase its cyber resilience, and accountabilities have been assigned to the DHSC and ALBs, as shown in Figure 2. This figure highlights the significant complexity of NHS organisational structures due to the large number of ALBs and sovereign organisations.

The DHSC is accountable for the regulatory oversight of Trusts and Foundation Trusts under the Network and Information Systems (NIS) Regulations as well as for the compliance of the data security standards applying to all health and care providers.12 It also takes on the role as an interface manager between the Cabinet Office, health and social care providers and other government departments and agencies.

NHS Digital plays a central role in threat detection, response and recovery. As an example, the launch of the cyber security operations centre (CSOC) has increased threat intelligence capabilities; this has resulted in several potential nationwide cyber attacks being intercepted and prevented, and has blocked 1.4 million communication attempts with malware botnets.

Based on the Single Oversight Framework, NHS Improvement monitors data security standards of NHS trusts and provides support to achieve required security levels. It ensures that health and social care providers take the recommended measures for improving cyber resilience. Similarly, NHS England is accountable for ensuring that cyber security standards of, for example, the NHS Standard Contract are implemented and that emergency plans exist in case of a cyber emergency. In addition, Commissioning Support Units (CSUs), audit chairs and Clinical Commissioning Groups (CCGs) are supported by NHS England on how to increase cyber security. NHS Improvement and NHS England act as information providers concerning cyber security to healthcare providers and commissioners, respectively.

In the case of a cyber incident different processes and measures take place. For instance, NHS Digital, the Information Commissioner’s Office (ICO) and the NCSC have to be informed as soon as an attack is detected. As indicated by Figure 2, NHS Digital pass the information onto the DHSC as the Competent Authority for the health sector. The Department provides incident information to NCSC and is responsible for briefing the Ministers and the National Data Guardian at the same time. In turn, NCSC provides intelligence information and the National Data Guardian advises how to share and secure data.

After a cyber attack ALBs coordinate and provide support in terms of response actions. In particular, NHS England acts upon its Emergency Preparedness, Resilience and Response (EPRR) framework, coordinating and managing all efforts to mitigate and control the negative impacts. In the case of a major attack NHS England guides the response activities of the overall system. In collaboration with NHS Improvement, communication about the respective incident to all health and social care organisations is established. NHS Digital, supported by NCSC, is a further adviser helping the healthcare system in responding to cyber incidents on a national and local level.

Complexity of accountabilities
Figure 2 highlights the significant complexity of NHS organisational structures due to the large number of ALBs and sovereign organisations. One main problem is that some bodies have partly the same accountabilities and competencies, leading to multiple and not necessarily uniform response activities. As shown in Figure 2, NCSC receives information about a cyber attack directly from NHS Digital and additionally through DHSC, making the information transfer cumbersome and complex.

Different networks like the Health and Social Care Network (HSCN), local authority networks or direct internet connections are in place, requiring different security approaches. Although the DHSC, NHS England and NHS Improvement have defined the Data Security and Protection Requirements (DSPR) based on the National Data Guardian’s 10 data security standards, no detailed specifications are provided. As commissioners of GP IT services, CCGs must ensure commissioned GP IT providers are contractually required to comply with these requirements.
Incident response
In the case of an incident, all health and care organisations have to inform NHS Digital through the Information Governance (IG) Toolkit and the Information Commissioner’s Office (ICO) if the incident exceeds level 2. In this instance, the IG Toolkit has been replaced by the Data Security and Protection (DSP) Toolkit, which is an online self-assessment tool measuring the performance of health and care organisations against DSPR.

Performance against the DSPT standards is the baseline used to inform progress, is monitored by NHS England, and applies to all NHS organisations, Local Authorities and bodies commissioned or contracted to provide services who process personal confidential health and adult social care data. Over 27000 DSPT self-assessments have been completed with over 97% meeting the DSPT standard and 532 organisations exceeding it.

A new version of the toolkit was released by NHS Digital in June 2019 incorporating a broader range of external security standards: Cyber Essentials, EU NIS, Minimum Cyber Security Standard (MCSS) and the NCSC Cyber Assessment Framework. It is a requirement for large NHS organisations’ DSPT self-assessments to be independently audited annually. Additionally, NHS Digital is working with the CQC on providing expertise and specialist Cyber advisors for their ‘Well Led’ Inspections.

Although cyber incidents are reported and registered in a database, the data are not systematically processed or statistically evaluated. Therefore, the fundamental understanding and awareness of potential risks and threats are missing. Since NHS Digital does not measure risks or vulnerabilities on a local level, it is not possible to assess the impact a cyber attack would have on the NHS’s IT infrastructure, data, and patients in advance.

Efforts have been made to improve the NHS’s responsiveness to cyber threats. In 2016 NHS Digital was commissioned by the Department of Health to develop a Care Computer Emergency Response Team (CareCERT).20 CareCERT consists of three key services, which support stronger cyber security across health and social care: a national cyber security incident management function, good practice guidance on cyber security for the health and social care system, and national level threat advisories which are broadcast to organisations across the health and social care sector.20 Figure 3 gives an overview of how CareCERT is used to improve cyber resilience.

Figure 3: Securing Cyber Resilience. *NHSX will combine teams from DHSC, NHS England and NHS Improvement.

If an alert is triggered by the CareCERT Collect system, all NHS trusts and Commissioning Support Units (CSUs) have to report what they have done in response, e.g. implementing security patches or updating anti-virus software within 48 hours. New initiatives like the NHS Digital Security Operations Centre are intended to increase NHS Digital’s monitoring and cyber security capabilities.

The development of CareCERT into the Cyber Security Operations Centre (CSOC) will support NHS Digital in offering enhanced services across the sector. The deployment of over 900,000 instances of Advanced Threat Protection (ATP) has improved both the protection of end point devices, and the capability the CSOC has to hunt and identify threats across the sector. This is complemented by centrally funded interventions at a local level designed to increase cyber resilience and improve security postures, as well as providing services, e.g. vulnerability scanning and protected domain name system (DNS), launching in 2019, that health organisations can utilise.

NHS Digital have performed on-site cyber security assessments on all Trusts and a number of primary care providers based on the Cyber Security Essentials Plus certification. The Data Security Protection Toolkit has increased the capability to better assess the broader system with supporting services for on-site assessments. As a result, NHS Digital is able to provide tailored advice to NHS organisations on the cyber security capabilities and how to mitigate future threats.21

One recommendation from the NHS CIO’s WannaCry report is for all large NHS Organisations to achieve CE+ certification by June 2021. NHS Digital have performed On-Site Cyber Security assessments including CE+ on all Trusts and a number of primary care providers. As of March 2019, 38 organisations are already CE+ certified, 27 months before the target date. Achieving CE+ is a pass/fail assessment; as organisations improve security controls, more will become CE+ certified.

DHSC plans for cyber resilience
In October 2018, the DHSC published a report outlining its plans to improve cyber resilience within the NHS.22 The report, part of the Data and Cyber Security Programme being developed by the DHSC along with the aforementioned ALBs, details current and planned spending on cyber security in the NHS, the estimated costs of WannaCry overall, and plans for decreasing the risks associated with cyber security in the short and long term.

In addition to outlining spending and software plans, the DHSC provides 22 recommendations for the NHS, and its constituent trusts and practices, to mitigate technological vulnerabilities throughout the country. In addition to a new agreement with Microsoft to ensure all systems are updated appropriately and as needed, the department plans to spend £150 million over the next three years to ‘protect key services from the impact of cyber attacks.’22 These methods of protection include, primarily, improvement of infrastructure, interventions to address weaknesses often found in the NHS, and investment in NHS Digital’s Cyber Security Operations Centre. Site assessments are planned, over the coming years, to determine whether individual sites are doing enough to prevent cyber incidents.

NHSX
A new ALB, NHSX, was launched on the 1st of July, 2019. NHSX brings teams from the DHSC, NHS England and NHS Improvement together to drive digital transformation and lead policy, implementation and change. It is headed by Matthew Gould, who previously served as the UK government's Director of Cyber Security.22 Among other responsibilities, NHSX will mandate cyber security standards across health and social care, to ensure that all organisations related to the NHS have security protocols from inception.

It is hoped that the launch of NHSX will help streamline and simplify the national cyber security accountabilities for the NHS by integrating the roles and responsibilities of the cyber security teams at NHS England and the DHSC. This will be key to help front line NHS IT teams in implementing any national and local protocols.
6 Emerging challenges

Summary Points
● This section looks at the cyber security challenges of emerging tools including: connected medical devices, algorithmic decision making, Electronic Health Records, robotics, cloud computing and precision medicine
● Connected medical devices can have dramatic cascading effects in the case of cyber attacks
● Implications of decisions made by artificial intelligence algorithms are not yet well understood in the healthcare context
● Secured access to patient data and records is essential to mitigate the risks of manipulation and theft of data as well as disruption of care operations due to unauthorised actions
● Deficient monitoring mechanisms of cloud services imply complete reliance on third-party organisations
● Discrimination and manipulation of DNA data can have far-reaching consequences for the individuals and their relatives

The NHS, along with health systems across the world, is becoming ever more reliant on technology to deliver safe patient care. There are exciting new innovations that have the promise to change the way care is delivered and offer new treatments and discoveries. Some of these technologies such as artificial intelligence (AI) and robotics are already in use at relatively small scale and in some trusts. However, their widespread and combined use is likely to generate a step-change in quality and nature within this sector. The challenge will be to adopt technologies safely and securely and appreciate the emerging cybersecurity challenges that become more apparent as these technologies are more commonplace.

Connected medical devices

Opportunity
If a method of assuring the cyber security of connected medical devices can be achieved, it will be possible to deliver a fully integrated and scaled ecosystem of connected medical devices across healthcare providers and patients. The data captured by connected medical devices, if fully integrated, will provide real-time information and open new opportunities for understanding diseases and treating patients. There are currently small-scale test beds of this type of device integration being conducted. For example, Imperial College Healthcare Trust are currently piloting the integration of monitoring devices with its EHR. The monitoring devices capture observations and this data automatically flows into the patient’s EHR. It produces an early warning score for the patients which can incite early medical intervention.

Threats/challenges
If nothing is done and adoption of medical devices continues at pace and scale there could be mass introduction of poorly regulated or unsecure medical devices that are hyper-connected and vulnerable to cyber threat. At present, healthcare providers are unable to effectively and consistently risk assess the adoption and integration of emerging technologies and there is a persistent lack of agreed minimum standards for security.

Current landscape
There is a lack of procurement policy to monitor and regulate devices being used in care delivery. Additionally, there is little incentive for suppliers of medical devices to provide appropriate levels of cyber security due to the high cost, with a lack of mandate to do so. The consensus among experts, both within the cyber security and medical areas, is that this risk is real, pressing, and that high security standards are needed more than ever, with the advent of advanced medical devices.

Whilst robust regulatory standards for safety exist there is a lack of explicit cyber security equivalents that medical devices must meet to be released to the market. Most now recognise that a set of security guidelines must be developed. The US Food and Drug Administration (FDA) is leading in this space; while the EU’s medical device regulations are less well-defined than those of the FDA, two publications in May 2017 introduced strict rules around post-market surveillance of all medical devices approved for use in member states.23 All member states are required, since the publication of these papers, to maintain close surveillance of all approved devices, to monitor any hazardous incidents, and to report all corrective action taken thereafter.

A report from British Standards Institution (BSI) notes, however, that these documents do not deal closely with the subject of security, and instead focus on the safety of medical devices approved in EU member states. The EU regulations specify only that all devices should maintain ‘state of the art’ security which will require time (and potentially the accumulation of case law) to credibly evolve into a commonly understood baseline.

The Department of Culture, Media and Sport (DCMS) launched a Code of Practice for consumer internet of things (IoT) security in 2018.24 This Code of Practice sets out practical steps for IoT manufacturers and industry stakeholders to improve the security of consumer IoT products and associated services in the home, through a set of 13 guidelines.24 Despite this code of practice being introduced, there is still not an equivalent guide for medical devices.
Artificial intelligence: algorithmic decision making

Opportunity
Clinical decisions may be delegated to algorithms including AI and machine learning. There is the opportunity to use data collated by a plethora of medical devices to provide data-driven, real-time diagnostics and care management decisions. The accuracy and efficiency of algorithmic decision-making will allow for early intervention of medical care, personalised treatment and real-time monitoring for patients. Ultimately, appropriate and managed use of algorithmic decision-making will save time, improve accuracy and reduce cost for the NHS.

Threats/challenges
As the healthcare sector begins to introduce algorithmic decision-making into clinical settings, significant consideration must be given to the implications they may have upon patients or practitioners. If an algorithm makes the wrong decision, who will be held responsible and how will this be managed? A recent study demonstrated how attackers can use deep learning to add or remove evidence of lung cancer from medical scans that in turn could not be differentiated by the reporting radiologists.25 It is evident that, at present, processes are not yet established to effectively manage algorithmic decision-making in healthcare. Soon the delegated decision will be much more complex (e.g. diagnosing chronic medical conditions). In addition, the impacts of AI algorithms upon clinical liability, as the human is removed as the authoritative decision-maker, have not been considered.

The nature of AI means that it is often trained locally by the data that is inputted into the machine. This means that the machines quickly become specialised, easily adaptable and significantly divergent from those supplied by the same manufacturer. The implication of this is that traditional fixes such as ‘patching’ will become redundant as a singular fix will not be suitable for all machines that have been trained using different data and it cannot be proven that it is better than before the fix. The adaptability and specialist capabilities of AI can be favourable, but they also present a challenge from a governance and assurance perspective as the machines have the ability to change momentarily and cannot be treated in an identical manner.

Current landscape
The DHSC launched a code of conduct for data-driven health and care technology (February 2019) with 10 key principles.26 There is a small-scale pilot of a mobile phone-based application using AI technology to alert staff to patients at risk of deterioration and death through kidney failure.

Electronic Health Records (EHRs)

Opportunity
EHRs will be the foundation of a digital healthcare system that configures data from medical technology. Patient access to their own data in the future will enable them to better understand and manage their own medical data and give them greater autonomy in their healthcare decisions.

Salford Royal NHS Foundation Trust is currently exploring how to integrate medical devices so that the data generated can provide real-time information and decision-making. The trust is working with Marand from Slovenia on an open EHR platform. A patient portal allows patients to share their blood glucose and blood pressure readings from devices, with a clinician then able to access and review the data.

Threats/challenges
If the parameters of access and control for an individual’s EHR are not appropriately managed, then patient data may be vulnerable to misuse and cyber threat. The supporting infrastructure for EHRs must provide secure flexibility to service the need of each user and the healthcare sector needs to establish a data architecture that would set the appropriate parameters of access and control for different users of EHRs.

Current landscape
The WannaCry attack showcased the vulnerabilities posed by EHR systems when clinical staff cannot get access to critical information. Even if an attack is determined to have been accidental, any disruption that removes access to EHRs has the potential to disrupt care, preventing treatment, congesting care pathways and impacting patient safety. Removing access is one thing; another consideration is a malicious attempt to corrupt data over a period of time where it is difficult to detect, creating a lack of confidence and reliability in the data. Over-reliance on badly connected EHR systems may leave the NHS vulnerable to a widespread shutdown in the event of an intentional attack.

The ambition for the healthcare service is for patients to have access to their medical records. This again adds another layer of risk in terms of cyber security and if the parameters of access and control are not appropriately managed then patient data may be vulnerable to increasing cyber threats. As patients begin to have systematic access to their own data, the government must find ways to educate the public on how to safely store and share their personal data.
Robotics

Opportunity
Robotics in healthcare have the potential to transform the delivery of care in a variety of ways, such as carrying out repetitive tasks (e.g. patient observations), aiding a human surgeon or executing operations independent of human intervention. Robots will significantly impact delivery of care for the elderly either through assisted living or end-of-life care by prolonging personal independence. For healthcare, the ambition is that this will reduce the pressure put on the NHS in the face of an ageing population.

Threats/challenges
Robotics use a complex mesh of AI algorithms to make decisions. As previously discussed, there is a risk that removing the human factor from the decision-making process drastically changes clinical liabilities, which the healthcare sector is not currently prepared to manage safely, securely and at scale. The successful adoption of robotics to realise potential benefits to the healthcare sector is reliant on effectively managing the human interaction with them.

Current landscape
Current investment into developing robotics is underpinned by the UK government’s plans to invest £300 million in RAS (Robotics and Autonomous Systems) research between 2012 and 2020. Additionally, GrowMeUp is an ongoing project endorsed by the EU that is developing a robot that has the capability to respond to changes in an individual’s routine and environment.27

As observed by the Parliamentary Office for Science and Technology, ‘Many of the robots and robotic devices developed for social care appear to still be at the conceptual or design phase’.28 The real challenge is understanding whether or not robotics can be integrated into clinical environments alongside existing technologies and governance practices.
Cloud computing

Opportunity
Cloud computing will allow large-scale analysis of medical data to support healthcare services, especially when combined with AI. According to the 2017 Healthcare Information and Management Systems Society (HIMSS) Analytics Cloud Survey, 65% of hospitals had been utilising cloud services in some capacity, and it is expected that the majority of EHRs will be cloud-based by 2020.29 The UK NHS Blood and Transplant, for example, has been using IBM Cloud to optimise its organ allocation scheme by analysing medical records in the cloud to identify potential transplant recipients.30 In 2018, Arthritis Research UK launched a cognitive virtual assistant, powered by IBM Cloud and AI, which was trained by specialists to provide personalised 24/7 support for arthritis patients.31

When integrated properly, the security of cloud-based solutions has the potential to exceed that of local servers alone.32 Furthermore, the operational costs of on-demand cloud computing and storage are low, which is supportive of the push for increased access to EHRs, digital health solutions and the analysis of medical data for research purposes.33-35

Threats/challenges
While progress is being made to adopt cloud computing solutions, there is still a lack of awareness and education around the technology, which could be exacerbated by a culture wary of putting trust in servers they cannot directly control.36 Cloud services are supposed to be monitored 24/7 by specialist third-party IT staff and alert clients of any suspicious behaviour. There are some instances where this has failed to happen. As of January 2019, 416 cases were investigated by the US Department of Health and Human Services’ Office for Civil Rights involving security breaches of health information, 47% of which were caused by an IT incident or hacking.37

These incidents highlight another challenge of cloud computing: healthcare providers are completely reliant on third parties to store and protect their data. Healthcare providers need to have, at least, some degree of oversight to ensure that their cloud service supplier is complying with regulatory frameworks. They also need mechanisms in place to continuously monitor the company’s compliance through using security tools and audit logs.

Current landscape
NHS Digital has issued a guidance document approving healthcare organisations’ use of cloud computing, provided that appropriate safeguards are put in place.38 The challenge, however, is to navigate the fragmented structure of the NHS in order to implement adoption of cloud computing, as well as overcome cultural resistance. Local service agreements should also outline what the scope of the cloud services are, who is responsible for what, who holds insurance, who’s indemnifying whom and what the healthcare provider’s rights are to access the data.39

Precision medicine

Opportunity
Precision medicine has the potential to facilitate more effective treatment options for rare as well as noncommunicable diseases. The concept of using a person’s genomic data to design treatments tailored to that person is no longer a far-fetched concept, because of the decreasing cost of genome sequencing and its availability through research initiatives.40

The 100,000 Genomes Project was first announced in 2013 through the establishment of a private company, Genomics England, owned by the DHSC. The aim of the project was to sequence the DNA of 75,000 patients with cancer as well as families affected by rare disease. There has been success in treating patients based on their genomic data.41,42

The UK Biobank has collected over 500,000 medical records, DNA samples, as well as other biological samples and health and wellbeing data from volunteers. If volunteers consented, these data could be anonymised and linked to their EHR to correlate them with hospital statistics. By 2020, the organisation is hoping to make these anonymised records publicly available.43,44

Threats/challenges
While precision medicine is more accessible than ever to the general public and has had various success stories, there are still concerns about research participants, as well as their relatives, becoming victims of hacking or DNA discrimination. In December 2018, Genomics England were forced to address reports that, because of multiple cyber attacks on their database of 85,000 individuals’ genomes, they had to move participants’ data to a secure Ministry of Defence (MoD) base. Genomics England maintained that there was “no evidence” that it had been targeted by any cyber attacks, that patient data had never been moved and in fact resided in a secure government-owned facility based in the UK.45,46

Even the suspicion that participants’ data could be compromised is enough to generate scepticism of genomic sequencing schemes. Unlike social security or national insurance numbers, credit card information and other data subject to fraud, DNA data of an individual cannot be changed and are shared, to some extent, with their relatives.47 However, there is little to no privacy protection in place for the extended relatives of individuals who take part in uploading their DNA to open databases or taking part in genomic research. Therefore, as the popularity of seeking health and ancestry insights grows, so does the threat to relatives’ privacy and their risk of being affected by a hacking incident.48

Current landscape
To protect the data of participants of genomic research, policymakers have restricted access to pools of anonymised biomedical genetic data.49,50 If hackers were able to match genetic information with personal information, there are a myriad of malicious uses for that combination of information. These include exploiting people in positions of power, identity theft, framing a person for criminal activity and holding genetic data ransom in return for a steep price and, in a worst case scenario, using mass data to develop bio-weapons.51