Enhancing cyber resilience in healthcare is imperative for safeguarding patient data and ensuring uninterrupted care delivery amid growing cyber threats, writes Dr Mick Quinn.
As the NHS accelerates digitisation, it collects more and more patient information, uses larger quantities of data to make decisions, and stores a vast amount of patients’ private information. All of this exponentially increases the risk and potential implications of cyber attacks.
In March 2023, the UK government recognised this and announced a strategy aimed at boosting NHS cyber resilience across the entire health service by 2030. While this ambition is welcomed, the implementation will be challenging.
At a time when the number of cyber attacks on the NHS and other public bodies is growing, accelerated timelines are needed for strategy delivery. For example, in August 2022, nearly a dozen mental health trusts lost access to their electronic patient record system. This demonstrates that the NHS needs cyber resilience to make it easier for staff to manage.
In an environment where the NHS workforce is struggling to provide frontline care delivery, it is difficult to motivate staff to prioritise meticulously checking work emails and changing passwords. Combine these clinical realities with the increased sophistication of cyber attacks and it is clear why some risks slip through the net.
What’s more, the potential costs associated with security breaches are becoming increasingly evident. In both financial and clinical terms, attacks can bring services to a standstill. The NHS cannot afford not to prioritise cyber security and connectivity; this infrastructure is the foundation upon which all our digital health systems are built.
Protect patient data
Information is collected at every point throughout the patient’s journey. Data is always sensitive in healthcare and, therefore, of great value. It is no surprise, then, that stolen personal health data is highly valued on the dark web.
Protection of this data is mission-critical for the NHS and central to care delivery. For example, when the Irish Health Service was targeted by a ransomware attack in 2021, care delivery was delayed, patients waited longer, and staff’s personal details were put at risk. The very fabric of digital care delivery was compromised, and the service is still recovering. Similarly, in 2022, a cyber attack on 111 services led to the closure of some systems for up to four weeks, causing delays for patients requiring urgent care and worsening an already mounting backlog.
Healthcare delivery is complex; each episode of patient care can require the use of multiple disparate systems. The best clinical pathways often utilise seamless, secure, and integrated log-ins contextual to the patient journey, and protecting these entry points requires dedication and expertise.
Ultimately, for patients, cyber attacks delay care and reduce trust in the NHS, and for staff, they cause disruption, frustration, and duplication of work.
The NHS needs to work with, and learn from, technology and connectivity specialists to implement integrated care services in a scalable way, and to ensure that patient care is never impacted by something that it can actively prevent.
Empower a cyber workforce
The infrastructure of the NHS relies on a workforce from multiple disciplines and backgrounds. Bringing these disciplines together by designing and implementing standardised technology can help define a target level of protection.
BT’s recent survey of NHS staff found that 28 per cent saw a lack of adequate skills and training as a barrier preventing them from progressing their organisations’ digital transformation efforts, and 49 per cent said the standard of technology at work was a source of stress.
Staff training is a crucial piece of this puzzle, and an enhanced understanding of cyber security is becoming a priority. The training needs to be interactive, illustrating the “why” and the “how” without patronising staff. Healthcare leaders must do all they can to ensure it moves past the obligatory tick-box exercise.
Have a clear strategy
Detailed arrangements need to be made across trusts to ensure robust procedures are in place to mitigate cyber attacks. Implemented correctly, this will mean that staff won’t need to return to pen and paper, and the delivery of excellent care can be maintained.
In 2024, technology cannot be seen separately from clinical care delivery. If the network or electronic medical records function goes down, the consequences to patient care could be catastrophic. The WannaCry attack in 2017, when patient records, treatments, and operations ground to a halt, demonstrates why understanding the current cyber security posture is important.
Following the WannaCry attack, greater regulations and guidance have been issued, and many trusts are now more prepared, with several reaching out to BT to find a unified approach to tackling cyber threats. To do this, BT’s Security Advisory Services conducts an impartial and independent assessment of the current security controls and provides a list of prioritised recommendations to help them improve the resilience of their trusts.
As a first step, BT provides a detailed understanding of the trust’s security posture. This enables them to evaluate where they are today and identify areas where they need to strengthen in the future. By having a comprehensive strategy, trusts can put patient outcomes first and empower staff.
BT’s security team has a history of protecting the UK’s Critical National Infrastructure, and with the introduction of the Clinical Advisory Board (of which I am a part), they have a thorough understanding of the real-life everyday challenges the NHS faces.
The government is focused on a digitally advanced NHS; our reliance on EMRs and data infrastructure increases with every procurement. Consequently, the potential risk of a cyber security event impacting care delivery has never been higher and will continue to escalate. It is therefore critical that cyber security is not just the chief information officer’s problem, but at the forefront of every trust board, patient advocate group and clinical staff committee.