NHS warned it is not taking hacking threat seriously enough

Kingsley Manning told HSJ it was a “common problem” that the issue “does not make it into the board room”, partly because not enough chief information officers are on trusts’ boards.

He said: “We’ve made good progress. But am I comfortable about the level of understanding in the boardroom? No. This is an issue that non-executive directors, chairs, financial directors need to see, not just as a theoretical possibility but as a fundamental threat to the operations of their hospitals.

“The threat is real, present, widespread. Everyone is going to have to face up to it, but I think [the NHS is] well ahead of the game.”

Mr Manning was speaking to HSJ ahead of his departure at the end of the month. He will be replaced by NHS England non-executive director Noel Gordon from June.

Mr Manning’s warning follows an HSCIC report in March which set out proposals to address the threats to cyber security. The report said cyber security “is recognised as a top level tier one risk by government and established as one of the key risks which executive boards are now considering as core to their business strategy and management”.

Its proposals, many of which require fresh funding, included a “national incident fund” for system wide attacks, a new “on-site assurance scheme” for health organisations designed to assess ‘cyber readiness’ and a “cyber readiness technology fund”.

Mr Manning initially set up a cyber security review in 2013. Developments to date include the establishment in September of the Care Computing Emergency Response Team, known as CareCERT, to help organisations affected by cyber crime.

He said: “That is something we are very proud of. We, the health system, are now recognised as being at the forefront of tackling cyber security across the whole of government. Without going into detail, we have dealt with very serious attacks on the system over the last year or two. The fact those are not common knowledge or widely understood is testament to how well they have been dealt with.

“The NHS system gets the same level of attacks [as] the wider commercial sector. That’s millions of attacks across the system. A phenomenal number.”

He said chief information officers were “well engaged [but] we still have a large number of computers running unprotected [Windows] XP across the system, which is a huge worry”.

He added: “I am very pleased about what we’ve done and the support from the [Department of Health]. The new information governance toolkit, Dame Fiona [Caldicott’s] report [on data sharing], and incorporation into the [Care Quality Commission] inspection regime will hopefully mean that every chief executive, NED and chair will understand this is a real and growing problem.”