The forthcoming cyber security strategy for health and social care will include five pillars and two major themes, the leading official for the issue has said.
Phil Huggins, chief information security officer for health and social care in the Department of Health and Social Care (DHSC), outlined the basics of the strategy – due for publication soon – at the Digital Health Rewired conference in London yesterday.
He said the strategy will apply to the next three years, although it will take up to 10 years for the sector to get what he would describe as ‘good’.
The first of the five pillars is a focus on the greatest potential harms and the greatest threats. This will involve expanding the scope from the traditional focus on acute and ambulance trusts to other organisations in the care sector.
“To do that we need to get a better understanding of what is important,” Huggins said. “And we’re keen to change the understanding of cyber from a technology to a patient care issue.”
Morbidity effect
This reflects the emergence of evidence that the disruption of digital systems can have an impact on morbidity among patients, with delays in treatment lengthening their recovery and affecting its quality.
Subsequently, DHSC will be calling for input from around the sector to improve the understanding of how cyber relates to patient outcomes and identify the important elements.
Second is the concept of ‘Defend as one’, acknowledging that there are limits to what a central team can achieve and drawing on the knowledge of people from all over the care sector to help cope with the complexity and scale of the system.
Huggins said the strength of this has been shown in a handful of incidents since the WannaCry ransomware attack in 2017, in which rapid alerts from individual trusts have enabled NHS Digital’s Cyber Security Operations Centre to quickly block new threats.
“We can only do that if we operate as one team, not with a significantly independent entity,” he said. “My goal is that we continue to build on that, doing more to bring teams together and work on problems together across boundaries.”
Building a culture
Third is to build a security-conscious culture among staff, with the development of a long term national workforce plan, the establishment of a cyber profession, the provision of support and guidance for organisations, and national behaviour campaigns based on the concept of cyber being a health and care issue.
Fourth is ‘build secure’, ensuring that entities such as virtual wards and trusted research environments have strong security in place. It will also include working with systems CIOs to build security into IT lifecycle management, which Huggins suggested could involve discouraging the sweating of assets that can introduce cyber risks.
Fifth is for the NHS and partner organisations to become exemplars for the public sector in incident response and recovery.
Huggins also highlighted two themes for the strategy. One is to move away from a “compliance regime”, in which different features of security are checked and ticked off once a year, to an “improvement regime” in which there is a continual effort to improve capabilities and outcomes.
The other is that he wants his own regulatory role to move away from an emphasis on enforcement to building a learning process. This will involve looking at instances of cyber events, their causes, responses and outcomes and publishing the lessons for executive teams in the sector.
Improvements since WannaCry
He said the development of the strategy follows some sharp improvements in the security around NHS digital systems since the WannaCry attack, but that a continued effort is needed because of the increased connectivity between systems.
“As we increasingly move towards shared platforms and shared care records, we are increasingly going to find that local redirection of service is going to become more complex as we use the shared system,” he said. “We need to make sure we are building in ‘secure by design’ and resilience.”
Huggins related the effort to the experience of building security into systems that were rapidly developed as part of the response to the Covid-19 pandemic. Everything had to be tested because there was no coherent approach to developing new software – something usually left to suppliers – but this is an expensive and highly demanding approach.
“If we can build development processes, system processes, procurement processes to avoid having to test all the time, we will be in a much better place with better, more efficient and cheaper outcomes,” he said.