The Download: Cyber fatigue

NHS leaders’ favourite phrase after the WannaCry cyber-attack was “wake-up call”.

On 12 May 2017, more than a third of hospitals and hundreds of GP practices were disrupted in the global ransomware attack. Tens of thousands of operations, tests, and appointments were cancelled, ambulances diverted. There were reviews, inquiries, new regulations, hundreds of millions of pounds diverted to cyber security. Stern talk all around.

The chaos brought home the real consequences of cyber-crimes in a hitherto unknown way.

So has the NHS woken up?

Wide-eyed and twitchy

Cyber security does get more attention and money post-WannaCry.

Last year, 91 trusts were given a slice of £61m in central cyber funding, from £3.5m for Barts Health Trust to £10,000 for Dorset Health Care University Foundation Trust.

The Download has been told the money distributed came with few to no strings attached, so it will be difficult to measure whether it was put to good use. But some is better than none and there were some clear gaps (trauma centres) that needed patching.

All trusts have now had a cyber assessment (more on that later), so they at least know the size of the problem. Tougher regulations, including GDPR and a new data security toolkit, also theoretically make it harder for NHS organisations to turn a blind eye to cyber. As of May this year, all but one NHS organisation had designated someone with board level responsibility for data security.

In the centre, NHS Digital’s ability to monitor and block threats across the NHS has also been boosted, contracting IBM to fill skill gaps.

The snooze button

But there are also signs some parts of the NHS are nodding off or never woke up in the first place.

In April this year, NHS Digital issued its first high severity cyber alert since WannaCry, to which NHS organisations are legally required to respond to within 48 hours.

After four days only 16 per cent of trusts and clinical commissioning groups had responded – although NHS Digital’s own systems were also partly to blame.

All of the 200 organisations that received a cyber assessment post-WannaCry failed to meet cyber security standards. Some were assessed in the weeks after the attack, others more than six months later. But it is telling that not one organisation passed.

And while money is being spent to improve cyber security, it is unlikely to be enough to repair years of underinvestment in NHS IT infrastructure. An internal NHS Digital estimate found it would cost £1bn to bring the NHS up to a cyber “minimum bar” (investment committed is less than a quarter of that). The Department of Health and Social Care says trusts will still be expected to “develop plans” to reach this minimum bar, but it has not explained how they will pay for it.

While some plans for regulatory change have moved at pace, others have not.

The Care Quality Commission is meant to be incorporating data security, including unannounced “cyber inspection”, into its inspection regime by the end of the year. It piloted six cyber inspections with NHS Digital earlier this year but did not incorporate them into any final reports. The two agencies have now “agreed to start work on a methodology” of how that might happen, but it’s unlikely to be any time soon.

As of now, there is no clear programme for incentivising better cyber security or clear regulatory consequence for failing to improve. For local NHS leaders juggling many competing demands, this makes cyber difficult to prioritise.

A jolt in the night

But the threat has not gone away. If anything, it has grown.

Hard data on cyber attacks in the NHS is scant and is often withheld on national security grounds. However, senior officials have told The Download that malware and adware infections are commonplace in NHS organisations. Many will be relatively harmless, others could silently compromise the confidentiality and integrity of NHS data even if they do not cause widespread service disruption.

The sensitive patient records of millions of patients popping up on the web, or another WannaCry-style attack, could focus minds.

Heavy fines could also do the trick.

The EU-wide network and information systems directive was introduced alongside GDPR in May but received far less attention. It requires “essential services” to take reasonable steps to protect themselves from cyber attacks or hardware failures. The NHS is covered by the directive and, in theory, organisations can be fined up to £17m.

The likelihood of a trust receiving that sort of fine has been played down but papers that went to an internal NHS Digital board in June shows an NHS framework has already been drawn up.

Under it, fines vary from £25,000 for a one-off minor incident to £17m for multiple breaches that result in an “immediate threat to life or significant adverse impact on the UK economy”.

But while a few big fines may focus minds on cyber security, it won’t shake free the money to fund it.