As more healthcare data gets digitised, via more devices, developing a plan for if things go wrong is crucial – as a recent HSJ webinar discussed


Adrian Byrne remembers a time, not all that long ago, “when we used to put antivirus software on our machines and stick a firewall on the network and think we were pretty secure”.

But, according to the chief information officer at University Hospital Southampton Foundation Trust, such days are now long gone.

With more information being collected digitally via more internet-connected devices than ever before, the challenge of keeping healthcare data secure has taken on multiple new dimensions. Ransomware attacks, in which users or organisations are denied access to files unless they pay a ransom, have become a particular concern.

“We used to worry about access to data – was it encrypted? Now the worry is not just have they intercepted and seen it, it’s have they got onto your network in such a way that they’ve stolen a bunch of data.

“For a while with ransomware, it was just locking up the data – they hadn’t actually seen it; they just locked it and prevented you from accessing it. But now the attacks [can involve] stealing the data before they prevent you accessing it.

“Things are getting much more sophisticated, and as soon as you connect your systems to any network you are potentially opening up a vector for attack.”

Mr Byrne was speaking at an HSJ virtual webinar. Held in late November 2022, and run in association with data security company Rubrik, the event considered a challenging question – whether NHS data can ever be considered truly secure.

Planning for attack

The point that quickly emerged was that getting data security right does partly come down to protecting from attack in the first place, through the use of cybersecurity tools. But our panel emphasised it also involves considering how well equipped organisations are to respond if an issue does occur.

“Everyone focuses on prevention and detection, which is important,” said Saif Abed, director of cybersecurity advisory services at The AbedGraham Group and a former practising medic. “But very few organisations know how to respond in the event of a crisis.”

Added Robert Fawcett, account director, NHS at Rubrik: “Data is absolutely critical to every organisation across the globe, and what we’ve seen is lots of money being spent trying to keep people out, but not enough trying to wrap a protective barrier around the data that’s sitting at the heart of every organisation. If that data becomes unavailable, it’s not possible to deliver services or transformation.”

And that means, our panel agreed, that trying to keep data secure means involving everyone across health and care organisations. Dr Abed spoke of the need for collaborative work between “IT leaders, business continuity leaders, but also clinical leaders”.

He continued: “On the healthcare organisation side, I think what we need to focus more on is people and processes, so upskilling people in risk analysis and risk management in digital environments.”

Increasing knowledge about data security outside the boundaries of IT departments is something Mike Culshaw has recently been working on. In 2021, Mr Culshaw became chief technology officer at Pennine Care Foundation Trust and inherited potentially challenging arrangements relating to data backup.

“We were still backing up to tape, which was a nightmare both from a business continuity perspective of getting that data back [in the event of attack or system problem] but also the physical process and cost of doing it.”

He and his colleagues therefore implemented a new solution: a so-called immutable backup. This means that data is backed up in such a way that it cannot be altered or attacked. Should the worst happen and data be lost from the main systems, the idea is that there is a consistent, robust copy available.

Lack of continuity

According to Mr Fawcett – the trust is using Rubrik’s products for its data security – there are many NHS organisations for which business continuity would currently be a challenge in the event of data loss.

He said that “nine times out of 10” conversations with organisations reveal that disaster recovery reviews or attempts to restore data from a backup have never happened.

“Therefore when you get to that critical point where you need to restore a service that is underpinning patient care, they’ve got no idea as to how long it’s going to take to recover.”

“If anything happens on our network, doctors can of course deal with a patient right there and then,” said Mr Byrne. “But if our systems went down en masse, how would they gain access to their latest medical chart?

“[At my trust] we’ve got business continuity solutions that allow us to do that, but I know that many don’t. And then there’s the going forward piece, which is, could you run the hospital? And the reality is that you would immediately start to cancel things.”

Dr Abed said he advocates the development of “a clinical incident response plan” alongside plans for technical recovery from an incident, as part of work on data security.

“If the clinicians in departments from pathology to radiology to accident and emergency to intensive care to theatres have not been trained and supported in terms of what to do when all their critical IT systems go down, then you will have terrible outcomes in terms of patient safety and the efficiencies and care quality,” he said. “And it scales up – it causes backlogs and overflow to neighbouring healthcare organisations as well.”

At Pennine Care FT, that sort of widespread engagement has proved important when introducing the new backup system. Mr Culshaw said that gaining it had involved placing data security in a wider context.

“I’ve said this is not a digital and IT problem – this is a patient safety problem that everyone has responsibility for. I think when you explain it in that kind of language, you get a little bit more buy-in.”

An on-demand version of this webinar is available.
