Board level awareness of the breadth of IT security issues is increasing. How can IT teams continue to support their colleagues’ knowledge development? Claire Read reports

Gary Colman is aware that NHS cybersecurity can be a complex and very technical matter. He’s also aware it’s one that is a genuine patient safety issue, and so one of which board members need to be cognisant. And that’s why he offers a consistent piece of advice to colleagues in IT.

“We recommend that the IT team gives plain English, non-technical security updates to the board on a regular basis,” says Mr Colman, who is head of IT audit and assurance services at West Midlands Ambulance Foundation Trust but who provides similar services to other NHS organisations across the country.


Increasingly he feels that such reports should not simply be focused on detailing an organisation’s security posture. “It’s very easy to say: ‘[We need to do this] so we don’t get hit by ransomware, or we don’t lose a system.’ But those reports often don’t include that the impact [of not securing systems] is that the patients aren’t going to get seen. Maybe sometimes that message needs to be included.

“The whole point of cybersecurity in the NHS ultimately is the patient safety,” he says. “That’s why we’re all here.”

He is hopeful that IT teams may increasingly be able to support boards in these areas, seeing reason for optimism in the increasing number of IT security manager posts now being advertised in the NHS.

“There just never used to be those roles and we used to say: ‘Well, how can you be managing this if you haven’t got someone doing it?’ You would hope that getting dedicated people in to just do that now [will be] helping the messages get higher up [in organisations].”

Adrian Boylan, a head of IT working within the NHS, also feels there is a developing level of knowledge. “I think boards have a much higher awareness of the breadth of IT security issues than was the case several years ago,” he says.

“Yes, there was a time when it was seen as purely an IT issue, when you had to fix the machines and ensure that there was appropriate antivirus software installed, and then organisations moved on to the realisation that you actually have to educate your staff, your employees, about how they use the IT equipment that’s been entrusted to them.

“There seems to me to be a wider understanding of the integration or the interconnectedness of IT security measures at a hardware and software level, with organisational approaches to managing and handling information.”

Should cybersecurity be seen as a patient safety issue?