NHS IT still unsupported


NHS institutions will still be using unsupported IT systems for months, despite the high-profile ransomware attacks that shut parts of the National Health Service, the Government has admitted.

In its response to two data reviews that have run in the last couple of years, the Government says that it will support the NHS locally to ‘ensure they are identifying and moving away from, or actively managing, any unsupported systems by April 2018’. According to that document, guidance on removing unsupported software will be issued this month.

The document admitted that recent incidents such as WannaCry, ‘which affected many other countries’ services as well as our own health and care system, have shown that the NHS can protect essential services in the face of a cyberattack, but they have also underlined the need for organisations to implement essential, strong data security standards’.

The NHS standard contract was changed in April so that NHS bodies are formally required to adopt data security standards as recommended by the independent National Data Guardian for Health and Care, Dame Fiona Caldicott (a post which dates from November 2014). That includes security training for staff; annual reviews of processes; and contingency plans to respond to threats to data security.

This follows the WannaCry malware attack in mid-May that brought chaos to NHS institutions whose IT systems froze or were turned off in case of cyber-attack (including the NHS’ own central counter-fraud and physical security management arm). On that score, the Government says that work is under way to find the fastest and most cost-effective way to support the NHS to move from unsupported operating systems, including Microsoft’s Windows XP, which was the weakness exploited by WannaCry in the UK and elsewhere.

Health Minister Lord O’Shaughnessy said: “The NHS has a long history of safeguarding confidential data, but with the growing threat of cyber-attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS. Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”

The Government was responding to the National Data Guardian for Health and Care’s Review of Data Security, Consent and Opt-Outs, consulted on between July and September 2016. Separately the health and social care regulator the Care Quality Commission (CQC) has carried out a review of NHS protection of personal data. The CQC found among other shortcomings that while staff wanted to protect data, and data security policies and procedures were in place at many places, that was not the same as what happened in practice; quality of staff training on data security was ‘very varied’; when something went wrong, lessons weren’t learned; and on that score, there was no culture of learning – for example benchmarking with others was ‘all but absent’. For the 32-page CQC Safe Data, Safe Care report click here.

For the Government’s 84-page response to the two reviews, and what it proposes click here. Among the proposals are training for staff, and a ‘communications campaign’ targeted at ‘leaders’ for taking ownership of cyber risks. A ‘redesigned Information Governance Toolkit’ is promised for April 2018, being tested in alpha and beta versions this year; it’ll cover such cyber-security bugbears as ‘dormant accounts, default passwords and multiple log-ins from the same account’.


David Emm, principal security researcher at the IT security product firm Kaspersky Lab, said: “Since health data is attractive to criminals, it is no surprise that NHS organisations have experienced a series of highly publicised data breaches, the most notable and damaging being the recent WannaCry attack. Hospital technology is evolving quickly. Laptops and mobile devices are proliferating both inside and outside the hospital—as are interconnected medical devices that, increasingly, operate on common IT platforms and are susceptible to the same security risks as traditional IT devices. This rapid pace of change means that hospitals are under pressure to maintain numerous isolated IT assets.

“With the aid of this increased funding for the NHS, healthcare providers must work closely with their IT security teams to implement sophisticated, high-quality protection that will allow them to manage and protect customer data. Not just for the sake of ‘tick-box’ compliance, or to avoid hefty fines and embarrassing, often irreparable reputational damage, but to enable them and their patients to reap the many rewards of advanced digital healthcare, confident in the knowledge that data, devices and networks are secure.”

Caldicott’s ten data security standards in brief

- Confidential data handled, stored and transmitted securely, electronic or paper.
- Staff understand their responsibilities.
- Annual training.
- Data only accessible to staff who need it.
- Processes reviewed at least annually.
- Cyber-attacks identified and resisted and data breaches reported.
- A continuity plan to respond to data breaches.
- No unsupported operating systems, software or browsers.
- A strategy based on a framework such as Cyber Essentials.
- Suppliers accountable via contracts.

According to the Government’s response to the reviews (page 25), it will ‘publish a pledge to the public to uphold the principles of the NDG review regarding how their data will and will not be used’.

Source: page nine of the UK Government consultation on the Caldicott review.