• Papers reveal contract delays for new NHS cybersecurity centre
  • Show officials’ concerns six months after WannaCry about insufficient funding and “suboptimal” preparation for the next attack
  • NHS Digital says cyber risk has been controlled by bringing more services in-house until new contract starts

A new security centre to defend the NHS from cyberattacks has been delayed for months after another government department raised concerns, papers released to HSJ reveal.

The papers, released to HSJ under the Freedom of Information Act, were presented to a subcommittee of NHS Digital, the agency responsible for protecting the NHS from cyberattacks, late last year.

Cyber security

NHS Digital said the NHS is not seeing persistent nation state attacks

They also detailed a litany of concerns about the system’s ability to cope with another WannaCry style cyberattack. These include additional funding being rejected, difficulty attracting cybersecurity staff and “suboptimal” preparation among local NHS organisations.

NHS Digital urgently went to market for a new and improved security operation centre in July last year, expected to cost £20m over three years, with plans to have the new service up and running by the end of March.

It was a key part of the national response to the WannaCry attack, which happened nearly a year ago and left major emergency departments relying on paper while thousands of appointments were cancelled.

However, a committee paper from November last year showed the Government Digital Service intervened in the procurement, raising concerns and forcing a pause, generating fears that the NHS would be left at greater risk of cyberattacks. The GDS is part of the Cabinet Office meant to transform government digital services.

“Further delays will impact NHS Digital’s ability to secure replacement service for those provider by CareCERT until the end of March 2018, and therefore leave health and care at significant increased risk of serious cyberattack,” one paper said in November.

NHS Digital confirmed to HSJ this week that the new centre was not operating, with a contract expected to be awarded later this month. The previous contract for the service, provided by BT, ended on 31 March.

However, the agency’s head of security, Dan Taylor, said concerns raised in the papers about an increased risk had since been allayed, by bringing many BT services in-house ahead of the March deadline.

He added: “When we came to that hard edged March deadline, we had already agreed with BT to extend a couple of resources we still have with them, but in terms of everything else in that contract, that capability was already in-house.”

Concerns raised by the GDS related to “value for money” and making the offer attractive to the market. These issues had since been resolved, Mr Taylor said.

He said: “While there were some process issues we had to follow, I don’t think this was a particularly big issue.

“I think in two years’ time we will be the envy of many across government, in terms of security operations.”

Addressing other concerns in the papers around preparedness, Mr Taylor said there had been vast improvement in the intervening months, aided by the government shifting tens of millions in IT funding to cybersecurity.

Overall, the NHS continues to experience regular cyber threats. The papers reveal that roughly 500, or 0.3 per cent, of more than 181,000 NHS devices monitored centrally have been suspected of some infection, though the time period covered is not clear.

This was slightly lower that global average, but it was likely the number would rise as reporting continued to improve, Mr Taylor said.

Mr Taylor said: “We are not specifically targeted and we are not seeing persistent nation state attacks [on the NHS].

“But we do have a different baseline than other organisations, we are there to deliver patient care, so we are working quite hard to make sure NHS organisations understand the importance of data security.”

Funding risks

Concerns were raised within NHS Digital that lack of additional funding could hamper the NHS’s ability to respond to the next cyberattack, committee papers show.

In the wake of WannaCry, an intra-agency investment board agreed to grant NHS Digital an extra £4m to procure a new security operation centre.

However, a request to government for a further £2.9m to cover specialist training and support to improve local NHS data security capabilities and better support local organisations was turned down.

In a paper in November, the committee noted the shortfall presented a “risk to overall cyber preparedness of the system in relation to funding”, including being able to respond in timely manner to the next major cyberattack.

Mr Taylor told HSJ additional money had since been approved, as part of broader package of cyber funding announced earlier this year.

‘Suboptimal’ preparation

Onsite assessments of NHS organisations had highlighted “the suboptimal NHS cyber preparedness which could lead to significant service disruption”, an NHS Digital committee said late last year.

This chimes with NHS Digital deputy chief executive Rob Shaw’s disclosure to Commons public accounts committee meeting in February, in which he stated that all 200 NHS organisations assessed had failed to meet the cybersecurity standard.

Mr Taylor said an extra £60m had been invested in cyber-security at a local level, targeting those organisations most in need, towards the end of 2017-18.

Tens of millions more was expected this financial year, most of which would go to frontline NHS organisations, he said.

In addition, NHS Digital was piloting a new approach of more intense trust level interventions over the next few months, focusing on training for senior leadership, he said.

The £200m deal with Microsoft, announced on Saturday, would also go a long way to improving cybersecurity across the system, he said.

Cyber skills shortage

NHS Digital was struggling to source enough qualified cybersecurity staff last year, with a recruitment drive in July attracting 120 applications but resulting in only four appointments. The organisation has been using IT consultancy FDM to fill the gaps, the committee’s papers said.

Papers in November said fewer notifications of cybersecurity threats had been sent to NHS organisations partly because of “resource issues” with four new starters still being trained.

Mr Taylor said difficulty finding qualified staff was not unique to the NHS, but more people had since been hired and NHS Digital was confident it could continue to attract talent.