Chief executives need to take responsiblity for “cyber hygiene”

Good cyber security requires all staff to be trained, says NHS Digital

New helpline to be set up to report data security incidents


NHS Digital has called on NHS staff to take more responsibility for “cyber hygiene” and launched a new set of training and reporting services to improve security.

In an exclusive interview with HSJ, Rob Shaw, the organisation’s cyber security chief, said NHS staff must stop assuming that cyber security is about “technical people in a little room” and take responsibility themselves.

He said chief executives have a key role to play in changing culture by ensuring all staff are properly trained.

Mr Shaw was speaking at the launch of a new programme of work at the Health and Care Innovation Expo in Manchester.

The programme will build on NHS Digital’s CareCERT programme, which until now has focused on sending out alerts about known cyber threats.

Three new services will be rolled out from this month:

  • CareCERT Knowledge – offering online training in cyber security.
  • CareCERT Assure – a service to help NHS organisations assess their local cyber security measures against industry standards as well as provide advice on how they can improve data security.
  • CareCERT React – an ‘incident’ response unit to help organisations take action if there is a data security incident, and to recover and restore security as soon as possible.

The new national cyber training platform will be available to all NHS staff. It will show staff what good practice is in order to prevent them exposing the system to vulnerabilities.

This includes keeping work and personal passwords separate, keeping anti virus software up to date, not clicking on unverified links and what to do if a mistake is made.

NHS Digital has also trained 100 “cyber champions” to improve security within their own organisations.

Mr Shaw said: “If people learn good practice from good training, then many of these mistakes will stop. It is not necessarily the Russians or the Chinese who are attacking the systems. It is NHS staff making honest mistakes, such as clicking on unknown links or using the same password at work as they use on their online shopping.”

A helpline is also being set up to offer specialist advice if a GP surgery or NHS trust does become the target of a serious cyber attack.

“I would never be so innocent or stupid to say that I am fully confident that we can block any attack,” said Mr Shaw. “What I can say is that with the implementation of the CareCERT programme, I am very confident we are putting health and social care into a far better position than it has ever been in terms of cyber preparedness.”