We took a trip to Rewired this week to listen to insightful talks on various digital healthcare topics and chat to health tech professionals from the NHS and beyond – here, we’ll share some of our main takeaways from the cyber security stage.
First up, we listened to Professor Daniel Ray, chief technology officer at Birmingham Women’s and Children’s NHS Foundation Trust and professor of health informatics at University College London, as he discussed how the trust handled an outage that took place in August 2022.
Daniel explained that the trust covers three sites, and that in August that year the organisation hosting its mental health system suffered a cyber attack and went down. Once it became apparent that the outage would last for some time, he said, it was important to sit down with clinical services to identify the core functionality each service needed in order to keep running and to continue delivering care to patients.
Documenting decisions throughout the process was key, he added, so that each decision could be explained at the required levels.
He shared how the trust has since introduced mandatory training that is refreshed annually. Staff are given three reminders to complete it, and if they have not done so within the required timeframe their account is locked out of the system. Daniel’s team has also produced educational materials on current cyber threats for staff, as part of efforts to raise awareness and engagement.
Additionally, since the outage, Daniel described how the trust has started holding unannounced ‘hack days’, in which it simulates what would happen if systems went down. Initially, he said, there was a sense of alarm; but as awareness has grown, more recent hack days have instead focused on delivering a slick recovery process, with staff showing a stronger sense of confidence.
On the supplier side, Daniel encouraged trusts to obtain assurance that their third parties maintain up-to-date security standards; in Birmingham, he said, they have developed an “intensive” security questionnaire which suppliers must complete in order to work with the trust, and suppliers are required to provide evidence of how they meet those standards.
As a final comment, Daniel emphasised that it is “invaluable” to have 24-hour eyes on the system.
We also listened to Alun Kime, cyber security contracts manager at Digital Health and Care Wales, and Ed Trimbee, regional cyber crime unit manager at West Midlands Regional Cyber Crime Unit, as they discussed how organisations can assure the resilience of their supply chain.
Alun reiterated Daniel’s point about needing to gain assurance from suppliers; he encouraged organisations to review obligations with their suppliers and ask them to perform tests to provide that assurance.
Acknowledging that it is often very complex to untangle existing contracts and commitments, with organisations typically having relationships to maintain with a number of different suppliers, Alun stated that “the future is the chance to put things right”. He encouraged organisations to put every procurement through thorough assessment and emphasised the importance of getting the contract right: that means defining security requirements from the very start, he said, along with other elements such as a right to audit and an exit strategy.
Summarising his key messages, Alun accepted that it isn’t an easy situation for any organisation; it is a long-term change process that needs to be adaptive. He recommended that organisations take a proactive approach, to develop their relationship with procurement and commercial services, and to “do due diligence throughout the life cycle”. Other tips included prioritising systems based on business impact and defining security roles and responsibilities.
Ed picked up on these points, adding that a key message is to start now rather than waiting. He emphasised that organisations need to understand what needs to be protected and why; to know their suppliers and what their security looks like in enough detail; and, from that, to build an understanding of the risk coming from their supply chain.
In terms of where to look for guidance, Ed pointed to three key resources: the Data Security and Protection Toolkit, the National Cyber Security Centre’s Cyber Assessment Framework, and the NCSC’s supply chain security guidance.