“Defend as one” Strategy released to protect the NHS from cyber attacks

The Department of Health & Social Care has released a strategy entitled ‘A cyber resilient health and adult social care system in England: cyber security strategy by 2030’, outlining plans to better equip the NHS in cyber security over the next seven years.

“In an increasingly digitised world, protecting [our] services from the disruptive impact of a cyber attack, alongside making sure that citizens’ data is protected, has never been more important. In short, the cyber security of our health and social care systems underwrites patient safety,” the foreword by Lord Markham, parliamentary under secretary of state, states.

The strategy envisions a health and social care sector resilient to cyber attack, with organisations better able to manage their cyber risk; better able to protect patient, service user and staff data; and better equipped to respond to and recover swiftly from cyber attacks. It adds that people’s trust in the sector’s digital systems should increase as a result, so that technological innovations can be applied with confidence.

To achieve this, five pillars have been developed: to focus on the greatest risks and harms; defend as one; people and culture; build secure for the future; and exemplary response and recovery.

Focus on the greatest risks and harms

The strategy acknowledges that there are particular organisations, assets and services at national, regional and local levels that would cause “especially significant harm” if they were disrupted.

The desired outcomes in this category, by 2030, are: for a common understanding of risks, and of how they may vary, to be shared across the sector; for visibility of the attack surface to be increased; for cyber security mitigations to be proportionate to the threat and potential harm; and for the powers under the Network and Information Systems (NIS) regulations to be clearly understood and used proportionately to address cyber risk, improving the resilience of the most critical organisations.

To achieve this, national and regional cyber security teams will create a common language for measuring and recording cyber risk; develop and improve national capabilities to maximise sharing of information, services and products; gather data using national systems to build a system-wide threat picture; deliver analysis to better quantify patient and service user harm caused by cyber incidents; and regularly review standards to match changing risk profiles. They will also set clear minimum standards for areas identified as key risks, and perform a review of the implementation of NIS in the health sector.

Integrated care systems will identify and record risks within their ICS; engage with a plan at ICS-level to mitigate risks, invest and review progress; ensure that cyber risk is reviewed as part of broader risk management; and ensure that providers maintain an understanding of their suppliers’ cyber security controls and risks.

Defend as one

“We can and must do much more to use the size and interdependencies of the sector to its advantage and to keep pace with the evolving cyber criminals we know are targeting health and social care,” the strategy states.

It shares desired outcomes for 2030: for health and social care organisations to work in partnership on cyber security; for threat intelligence and detection across the NHS to be coordinated nationally for rapid response and alerting; for national teams to set clear expectations of leaders and boards on the risk they are held accountable for; and for leaders and boards to make full use of available services to respond to the greatest risks and harms for their organisation.

National and regional leaders will make clear roles and accountabilities to cyber risk across the sector; collaborate with partners across government, the care sector, commercial third parties, academia and local organisations to share learnings; provide central support to cyber security initiatives; provide and build on NHS-wide cyber security monitoring; and provide a health technology assessment and remediation service.

ICSs are expected to create an ICS-wide cyber security strategy; to allocate funding to deliver this strategy; and to align with agreed cyber security standards when using existing and new systems.

People and culture

The strategy says: “Managing cyber risk is a team effort; it is not something that can be done by national teams or by local cyber experts alone. It is essential that leaders across all organisations prioritise ensuring their staff are equipped with the skills and resources to address the cyber threat at all levels.” It adds that a ‘just culture’ of learning and collaboration will be essential in fostering this understanding and ownership across the system, so that staff are supported to be open about mistakes and can therefore learn from them.

In this section, desired outcomes by 2030 include the recognition of cyber security as a vital profession within health and social care; for the NHS to attract and retain a diverse cyber security workforce; for that ‘just culture’ to be championed across the system; and for everyone to understand their role in this area and act accordingly.

The strategy lays out a number of actions for national and regional cyber security teams, such as the need to clearly identify roles and responsibilities for managing cyber risk; to embed cyber security decisions into multi-disciplinary national and regional forums to ensure “a holistic cyber security culture”; and to deliver on a plan to grow the cyber workforce and embed the profession. In addition, they must ensure the right training and guidance is available, build on a community of shared learning and collaboration, and lead by example in implementing the ‘just culture’.

For ICSs, the document notes a need to develop an appropriately resourced and accountable cyber security function to manage cyber risk; develop strategies to recruit and maintain an adequate cyber support function through a combination of ICS and organisation resources; embed cyber security decisions into multidisciplinary forums across the ICS; encourage collaboration across organisations to share good practice; and, as above, lead by example with regard to the just culture.

Build secure for the future

“The health and social care system was not built with cyber security in mind, in terms of its organisational structures or its technology,” the strategy acknowledges. “This has exacerbated many of the sector’s biggest current security vulnerabilities.”

The document notes that we have an “opportunity to redesign these structures and technologies with security at their core” and adds that the health and social care supply chain “must become a key consideration.”

By 2030, the strategy sets out a vision for organisations to understand emerging risks and how to manage them; for the critical supply chain risk to be managed, with resilience increased; for new services, support and standards to be secure by design, and for standards to be underpinned by the Cyber Assessment Framework (CAF), clear, understood and aligned.

For national and regional cyber security teams this means working flexibly as new threats and requirements emerge, including developing horizon-scanning functions in anticipation. It means developing engagement with the most critical suppliers to assure their cyber security, developing pathways to improve communication with and across critical suppliers, and sharing guidelines to help organisations more consistently build security into new supplier contracts. In addition, they should embed the CAF into the Data Security and Protection Toolkit, making CAF the main cyber standard that organisations are held to, and work collaboratively with the local government to ensure that CAF incorporates the toolkit requirements appropriately for councils and their social care responsibilities. The strategy also states that teams should set out minimum expectations for IT lifecycle management across health, empower organisations across the system to build their cyber security in a way that works for them, identify and engage with teams and organisations embedding new cross-organisational technology to ensure that security is a consideration, and provide clarity on forthcoming policy in this area.

Looking at the role of ICSs, the document notes that they should build systems and services cyber secure by design; regularly engage organisations on compliance with standards and frameworks; and develop a cyber security programme underpinning the objectives of the strategy, with outlined milestones and metrics.

Exemplary response and recovery

“We know that in the modern world, cyber attacks are a case of ‘when, not if’, and the health and social care system is no exception,” the strategy says. “This means that we must ensure that every organisation across the system is equipped to minimise both the impact of a cyber incident and the time it takes to recover from it.”

There is just one desired outcome for this pillar: that by 2030, national, regional and local responses to a cyber incident will minimise the impact of a cyber attack on patient and service user care.

To achieve this, national and regional teams should publish expectations for incident response and reporting; lead on national incident ‘dry run’ exercising, applying and developing response and recovery plans; work with the National Cyber Security Centre to manage the technical response to a sector-wide attack; deploy Cyber Security Incident Response teams where appropriate in the event of an attack; investigate and report on lessons learned from cyber events to drive improvements; develop national resilience to the impact of loss or unavailability of critical national systems; and work with national and regional emergency response and preparedness teams so that response and recovery planning feeds into broader response arrangements.

The role of ICSs is to outline responsibilities and expectations of member organisations for recovery and response, and ensure that the ICS and all members have a rehearsed plan for responding to and recovering from a cyber attack, as well as managing system downtime during the attack. They should lead on ICS-wide dry-run exercising, understand outcomes from those exercises, and develop central ICS resilience, with understanding around the impact of loss or unavailability of critical systems, and mitigations agreed for such circumstances.

Next steps

To deliver against commitments made here, the government will engage with organisations across the sector through various platforms and programmes.

National teams will publish an implementation plan, setting out planned activities over the next two to three years, by this summer.

By 2024, they plan to have further enhanced the NHS England Cyber Security Operations Centre and to have developed a framework to support local security operations centres. A product map of the most critical suppliers will also be developed by 2024.

By 2025, they will update the toolkit to reflect CAF, empowering organisations to own their cyber risk; provide funding for local cyber resource with national training support; and publish a data-led landscape review on the status of cyber security in adult social care.