Cyber security strategy from South West London ICB sets out roadmap to 2030

South West London ICB’s latest Cyber Security Strategy has set out six objectives to be achieved by 2030: strengthening governance, managing risk, understanding critical systems and suppliers, prevention and resilience, detecting and responding to threats and incidents, and embedding cyber awareness and culture.

Martin Ellis, the ICB’s CDIO, emphasised that as the system’s digital transformation progresses, “security must be embedded in everything we do”. He added: “This strategy ensures that our digital initiatives are built on a strong and consistent foundation of cyber security, safeguarding patient data, critical systems, and the trust our communities place in us.”

Informed by cyber assessments of NHS provider organisations and lessons learned from recent NHS cyber incidents, along with “key takeaways” from the ICB’s system-wide cyber incident simulation exercise, the strategy is designed to align with the revised Data Security and Protection Toolkit (DSPT) and national guidelines.

Success, according to the ICB, means clear accountability for cyber security across all levels of governance, a centralised repository of critical systems and suppliers, a user base better aware of cyber risks and supported by cyber professionals, consistent implementation of foundational cyber controls, and unified threat detection and response capabilities to reduce the impact of cyber incidents. Alignment with the DHSC cyber security strategy will see SWL promoting a unified approach to identifying and managing cyber risks, installing comprehensive asset management tools, and scaling security measures based on risk assessments to protect critical systems.

The ICB talks about strengthening partnerships between its provider organisations to allow the sharing of data, resources and best practices; outlining clear accountability for cyber risks; and integrating with national threat intelligence networks to ensure quick detection, response, and communication of cyber threats across the sector. Championing workforce training and responsibility, managing critical supply chain risk, designing new services and technologies with security in mind, and implementing tested recovery plans to restore services will also be key features of the ICB’s approach.

The strategy notes that governance is siloed within IT and digital teams, “limiting its reach and effectiveness”, leaving gaps and failing to address broader risks across clinical, operational, and data management domains. Recent cyber assessments such as the CIS critical security controls (CSC) level two and NCSC CAF highlighted areas requiring improvement, including cyber governance, risk/asset management, data security, monitoring/incident response, and recruitment/retention of skilled cyber professionals. Also noted are funding constraints limiting the ICB’s ability to invest in improvements to cyber maturity, to attract cyber professionals, or to deliver consistent training.

Management of critical systems and suppliers is an area identified as “fragmented” and lacking in centralised oversight in SWL. The ICB looks to enhance resilience and security by establishing a central repository of systems and suppliers, improving how interdependencies between systems and services are understood, and offering increased opportunity to leverage economies of scale. To achieve this, it highlights an interdependency mapping exercise and impact analysis, along with the development of a joined-up supplier management and engagement framework.

Talking about gaps in collective resilience, SWL notes that prevention and resilience capabilities vary across the system, with some providers being more advanced than others, and with incident response and recovery plans lacking consistency. By defining and implementing minimum standards, agreeing on a support model for risk mitigation and “compensating controls”, and establishing a plan for ongoing monitoring and assurance, the ICB hopes to establish a baseline, ensuring all providers have controls such as endpoint protection, MFA, and business continuity in place. Centralised threat monitoring and response would help advance SWL’s detection and response capabilities, whilst incident response plans could be aligned for effective coordination, along with regular simulation exercises.

SWL looks to current cyber awareness and culture, identifying inconsistencies in cyber training provided across the system and a lack of standardisation impacting staff moving between organisations. “Uncompetitive financial benefits and lack of incentives when compared to other industries” affect the ICB’s ability to attract and retain a skilled cyber workforce, it adds. Standardising cyber training and awareness, creating a cyber training and awareness plan, conducting a training needs assessment, creating a process whereby training compliance can be tracked, and promoting a “unified understanding” of cyber risks and responsibilities across the ICB will be key to moving forward.

The ICB also outlines roles and responsibilities across SIRO, board exec, CDIO, CCIO, CISO, and cyber leads. The CDIO role will include overseeing the system’s cyber security investment and budget, ensuring alignment of cyber security, and owning system digital risks. The CCIO will be required to lead on the integration of cyber security into digital health initiatives, to safeguard patient data and system integrity, to ensure security measures are “seamlessly embedded” into clinical workflows, and to advocate for a cyber security-conscious culture. All staff will be expected to take personal responsibility for assets within their control, comply with relevant policies and standards, report risks and incidents, and be a cyber champion for the organisation.

Wider trend: Cyber security and strategy across the health sector

In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved with making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like. As part of the discussion, we were joined by Keltie Jamieson, the CIO at Bermuda Hospitals Board; Nasser Arif, cyber security manager at London Northwest Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Ryan Pullen, director of Stripe OLT Consulting.

The government has published its Cyber Growth Action Plan, aiming to support innovation across the cyber sector and provide up to £16 million in funding to help commercialise cyber research. As part of this, University of Bristol and Imperial College London’s Centre for Sectoral Economic Performance will be tasked with exploring the UK’s cyber sector and offering a roadmap for future growth, with the government noting that “this will culminate with a set of recommendations later this summer”.

Cyber asset intelligence company Axonius has acquired cyber security specialist Cynerio for over $100 million, with plans to create a single, unified platform that will be “capable of securing the entire clinical environment”, including critical IT infrastructure. The acquisition aims to create a “single source of truth” for healthcare providers, helping to secure the entire clinical environment by combining the expertise of both companies. Covering a range of technologies and systems across IT, cloud, SaaS and clinical networks, the single platform has been proposed in response to “growing customer demand”, the suppliers noted.