
NHS England shares cyber security guidance for boards and non-executive directors

Guidance from NHS England has outlined ways non-executive directors can contribute to keeping their organisation safe from cyber attack, with Jamie Saunders, non-executive chair of the NHS England Cyber Security Risk Committee, noting, “boards throughout the NHS have a key role to play in safeguarding patients from this risk.”

The aim is to provide a resource that helps non-executive directors understand and deal with cyber security risks, explains how external assessments provide insight, and sets out the questions NEDs should ask themselves, the questions they should ask the board, and the questions the board itself should ask.

Some of the questions the guidance suggests board members reflect on include whether they are regularly involved in discussions around the level of cyber risk and “how much is prepared to invest to manage that risk”, whether they understand the cyber risk landscape/posture of the organisation, and how confident they are that everyone is aware of their responsibilities when a cyber incident occurs.

NHS England also suggests questions NEDs may wish to ask to support their understanding of cyber governance and risk management, such as whether an appropriate governance structure exists between the executive team and the cyber security function. It recommends asking about when the board last participated in cyber security awareness activities, how cyber security risk is integrated into wider business risks, how risks are presented in performance dashboards, and whether the board has reviewed data from the Data Security and Protection Toolkit.

From a board perspective, there are also questions that should be asked of network defenders, the guidance continues. These include how the organisation is being defended against common attack methodologies such as phishing, how the security of administrator, privileged or high-access accounts is managed, and whether a lifecycle management routine for technology is maintained to protect against vulnerabilities.

Boards should also seek to understand how partners and suppliers are protecting information shared with them, whether critical supply chains are resilient against disruption from attack, and the current status of organisational security culture. Assurance should be sought on backups and their reliability, as well as on incident management and business continuity plans, to check that cyber risk scenarios are accounted for and that recent changes in legislation or regulations are reflected.

The guidance also links to relevant resources covering the Cyber Governance Code of Practice, board-level training, Cyber Essentials, the DSPT, and more.

Wider trend: NHS cyber security

In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved in making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like. The panel comprised Keltie Jamieson, CIO at Bermuda Hospitals Board; Nasser Arif, cyber security manager at London North West Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Ryan Pullen, director of Stripe OLT Consulting.

The government has published its Cyber Growth Action Plan, which aims to support innovation across the cyber sector and outlines up to £16 million in funding to help commercialise cyber research. As part of this, the University of Bristol and Imperial College London’s Centre for Sectoral Economic Performance will be tasked with exploring the UK’s cyber sector and offering a roadmap for future growth, with the government noting that “this will culminate with a set of recommendations”.

The National Cyber Security Centre has shared four updates to the Cyber Assessment Framework, covering attacker methods and motivations, software maintenance, improved detection of cyber threats, and improved coverage of AI-related cyber risks. These changes are necessary in order to “close the widening gap between the escalated cyber threats to critical services, and our collective ability to defend against them”, the NCSC says, encouraging system owners to adopt the latest version (4.0) to support organisational cyber security and resilience.