Three IT experts give Claire Read the rundown on everything from cyber attacks to the dangers of human error

Boardpad

Not so long ago, your data security nightmare might have solely centred on a member of staff accidentally leaving a memory stick on a train.

As the NHS becomes increasingly digital, however, there’s a full buffet of potential data challenges to wake up in a cold sweat over. In the past few months alone, there have been high-profile cyber attacks that affected the functioning of healthcare providers.

Three experts detail what senior healthcare leaders should know about the increasingly topical issue of cybersecurity.

1. Relax: you don’t need to be an expert on every cyber risk

“Board members do not need to have specialist expertise in data or cybersecurity,” argues Dan Taylor, head of security at NHS Digital’s data security centre.

“What they do need to understand is the questions they should be asking their organisation to make sure that they’re content that they’re securing patient data.”

2. Consider cybersecurity as part of your standard risk management procedures

“At the end of the day, it’s the same as any other risk,” says Gary Colman, head of IT audit and assurance services at the Information Security and Assurance Service (ISAS) provided by West Midlands Ambulance Service Foundation Trust.

“So as long as your risk management framework and procedures are robust, then your IT-related risks should filter through that and filter up to the board where necessary.”

“Becoming digitised doesn’t hugely change the risk profile of organisations – it just changes what risks are there, and how they need to be managed,” agrees Mr Taylor.

“If you’ve got a warehouse full of 30,000 patient records, as a lot of big acutes have, there are huge risks to making sure that data and information is secured. In the digital world, it’s just the [nature of the] risk changes.”

3. Understand cybersecurity should be on the board agenda – but not necessarily under that name

“You have to take the concept of cybersecurity and remove it from the silo of IT,” argues Saif Abed, founding partner at healthcare IT and risk consultancy AbedGraham.

“We’re seeing examples of IT systems going down, and elective operations being cancelled, and clinic appointments being postponed, and that affects the quality of care. So cybersecurity ties into the bigger agenda of care quality, safety, risk.”

In other words: issues which concern each and every healthcare board.

4. The most sophisticated anti-virus software can be rendered worthless by carelessness

“People always say to me if we spend however much money on whatever whizzy technical defence, will that stop everything? Well, no, not if your users are being careless,” says Mr Colman. “So the one message I always say is you’ve got to train users and make them aware of how to keep things safe.

“In the past we’ve seen a trust spend a lot of money on technical controls and whizzy solutions, and they’ve been completely undone by staff. So if you want a quick win, educate your staff to keep information safe.”

5. Support people to speak up if they do make a mistake with data security

“If individuals make mistakes, we need to make sure that – instead of looking at it in a punitive way – boards and the whole tier of leadership in the NHS consider it an open book culture,” suggests Mr Taylor.

“So when mistakes are made, people feel comfortable in acknowledging they’ve made that mistake – that there’s good processes the board have put in place to make sure the impact’s minimised, and therefore we can learn from it.”

6. Understand data security isn’t a one-off, tickbox exercise

“I’ve seen information governance audits where a trust will get a consultancy to come in and do a big assessment,” reports Dr Abed. “And then so many things happen in the NHS, and organisations and boards are so busy that the really quite expensive report that was done gets put down the agenda. It needs to be seen as part of the long term agenda of the organisation and its safety and its quality rather than a checkbox of: we need to address cybersecurity, OK, we’ve got a report, we’ve ticked the box.”

7. Make the most of the support that is out there

“In the next quarter we’re launching online training courses for all NHS staff on information security,” reports NHS Digital’s Mr Taylor. “And this year and last we’ve got about 235 places for NHS and care staff to take the accredited information security training.”

He says NHS Digital’s CareCERT programme also offers significant guidance, as well as intelligence on potential threats. “Our concern is to be there proactively to help people be prepared and, if the worst does happen, to help organisations get back on track.”