ICO: Cyber security and the NHS
Source: NHE Jan/Feb 2019
Peter Brown, acting head of technology policy at the Information Commissioner’s Office (ICO), explains the importance of good practice in data protection and cyber security for the NHS, almost two years on from the WannaCry cyber-attack.
If you asked the average person on the street what they thought the worst consequences of a cyber attack would be, they would most likely think about stolen bank accounts or credit card details, identity theft, or that they’d probably have to reset their passwords (again).
However, bad actors aren’t always looking for things like financial gain or stolen identities – they can be motivated in many ways. Some set out to cause annoyance or inconvenience, others to cause real harm. They can be so-called ‘script kiddies’ up to state-sponsored ‘hacking collectives’ and everything in between.
Public sector organisations, like those in the NHS, may not always handle the same volume of customer or financial information that commercial and private sector counterparts do. However, they may process personal data that’s of a highly sensitive nature, such as health information, known as ‘special category data’ in data protection law. This data carries a higher level of risk, and they cannot be complacent when it comes to cyber security.
This was starkly demonstrated by the WannaCry incident of May 2017, in which thousands of patients became collateral damage. WannaCry was a global ransomware attack affecting an estimated 200,000 computers in 100 countries. Although not specifically targeted at the UK’s hospitals, surgeries, and clinics, it affected a third of NHS trusts and eight percent of GP practices.
We know the attack caused the cancellation of almost 7,000 appointments, with an estimated 19,000 follow-ups also being affected. It cost the NHS £20m in just one week, with a further £72m spent on subsequent clean-up and IT upgrades.
Investigators later concluded that WannaCry was likely to have been the work of state-sponsored North Korean cyber-attackers – so, in this case, profit is unlikely to have been the motivating factor. However, the consequences were severe and eminently avoidable.
It later emerged that affected NHS organisations were using unpatched or unsupported versions of Microsoft Windows and were not appropriately managing their firewalls to ensure that their networks and systems were protected.
WannaCry quickly became the largest ever cyber attack to affect the NHS in England. A report by the National Audit Office (NAO) concluded that whilst the exploits used by WannaCry were technically advanced, the attack itself was relatively unsophisticated and could have been avoided altogether if NHS bodies had followed basic IT security good practice.
It’s important to note that whilst these measures are fairly basic, their implementation can be difficult within large, complex IT infrastructures such as those in the NHS. Nevertheless, the NAO report revealed that the Department of Health and Social Care was warned about the risks of cyber attacks a year before WannaCry – and although work was underway to mitigate these risks, the department did not provide a written report on its progress until July 2017.
Poor communication procedures also meant that local NHS organisations didn’t know how to respond appropriately to what was happening or who would lead that response, and the NAO said this was another key factor in the handling of the attack.
The NHS has accepted that there are lessons to learn from WannaCry. Since then, NHS England and NHS Improvement have written to every NHS trust, clinical commissioning group, and commissioning support unit to ensure that they have taken account of all cyber alerts and implemented appropriate measures to deal with them.
Although it can be difficult to stay on top of all IT security issues in large organisations, particularly those of the size, scale, and nature of the NHS, data protection law requires that they take appropriate steps to protect the personal data they hold.
Since WannaCry, we’ve seen the introduction of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). These modernise data protection laws for the digital age, and strengthen not just the rules around how organisations process personal data, but also the rights individuals have in respect of that data.
One of its key principles is that personal data should be processed securely by implementing appropriate technical and organisational measures – the so-called “security principle.” However, this isn’t new – we’ve had a security principle since the first data protection laws were passed almost forty years ago.
“Appropriate security” depends on a number of factors, including the nature of the personal data an organisation processes, the risk the processing poses to the individuals’ rights and freedoms, the resources an organisation has, and the available tools to help protect that data.
This doesn’t mean organisations have to have the latest and best of everything – it depends on the circumstances of the processing. The key is that organisations take proper steps to ensure that the personal data they process is secure. Organisations wanting to know more about the GDPR’s security principle should read the section about security in our ‘Guide to the GDPR.’
We’ve also worked closely with the National Cyber Security Centre, the UK’s technical authority on cyber threats, in developing a set of security outcomes organisations can use when trying to determine the measures that are appropriate for them. These include:
- Managing security risk – having appropriate organisational structures, policies, and processes to manage security risks to personal data;
- Protecting personal data against cyber-attack – having appropriate security measures that cover both the personal data that’s processed, as well as the systems that process it;
- Detecting security events – monitoring the status of systems processing personal data, and ensuring that unexpected events can be acted on in an appropriate timeframe;
- Minimising the impact – restoring systems and services, managing incidents appropriately, and learning lessons for the future.
There are many things organisations can do quite easily, like keeping IT up to date, ensuring staff are appropriately trained (e.g. to spot phishing emails), managing user access, and getting certified under the Cyber Essentials scheme.
However, security isn’t just a legal requirement – it supports good data governance and helps demonstrate compliance with data protection law. We’ve seen that poor security can cause real harm and distress to individuals, and the law says they are entitled to be protected.
Building a culture of security awareness goes a long way towards providing that protection, but it’s only the beginning. Developing a framework for strengthening information rights, working with your partners to implement it, training your workforce to use it, and talking to your patients about it, are all important steps in this journey.