Recognising potential cyber threats and implementing the necessary protection is crucial for preventing attacks on the health service.
There were 227 officially recorded breaches of data security in the NHS and local government in the first quarter of this year, according to government cyber security experts.
A survey by data safety campaigners Big Brother Watch (BBW) using freedom of information (FOI) requests revealed there were over 7,250 breaches in the NHS from 2011 to 2014.
Perhaps the most alarming occurred at NHS Orkney, where computers were infected by ransomware – a malicious piece of software which locks up systems until a ransom is paid to get them unblocked. Happily managers were able to restore files from back-up systems and so thwart the criminals.
The Health and Social Care Information Centre (HSCIC) – now NHS Digital – is bolstering NHS cyber security amid “mounting concern about attacks on health service data”.
NHS Digital is testing a national cyber security training platform which will provide e-learning on data security basics for all health and care staff alongside more complex modules for specialists which it says will ensure that people form the “first line of defence” in securing information.
Clearly this is an area where help is needed. In February 2015, in response to successive breaches of NHS data security the Information Commissioners Office (ICO) was given powers to force NHS authorities to be audited for compliance with the Data Protection Act. An earlier voluntary audit of 19 NHS and private care organisations by the ICO found that just one organisation offered high assurance of compliance, nine offered reasonable assurance, eight limited assurance, and one very limited assurance.
However the NHS IT Leadership Survey 2016 found just a quarter of IT directors thought data security issues were a “big threat” and “high risk”, and just under a fifth of chief clinical information officers thought the same.
Hans Allnut, head of DAC Beachcroft's cyber and data risk team, says there is growing realisation of the importance of cyber security. “Previously, 'cyber' was seen as the responsibility of the IT director. Cyber security should be a board level function as it has data protection and operational ramifications. What if an employee clicks on a link and downloads a ransomware demand, servers are encrypted and suddenly the operations have to be cancelled or test results cannot be seen?
“We have seen quite dedicated ransomware attacks on individuals but a lot of ransomware is low tech and unsophisticated; not targeting one specific hospital or healthcare provider, but as in the Orkney case, a spam email targeting whoever clicks on it – either way, the results can be devastating.”
For Allnutt, the Chelsea and Westminster example illustrates how one error can be proliferated at volume. “This sort of situation is only going to get worse as we automate and there is less human intervention,” he adds.
Allnutt stresses that the NHS must ensure that its supply chain is safe. Since 2014, all suppliers bidding for sensitive and personal information handling contracts must be certified against its Cyber Essentials Scheme.
“But it should not just be a question of doing these checks and satisfying yourself once a year – the cyber threat is an arms race – the threat keeps evolving.”
The BBW report found at least 50 instances of data being posted on social media, 143 instances of data being accessed for “personal reasons”, 103 instances of data loss or theft, 236 instances of data being shared inappropriately via email, letter or fax and at least 251 instances of data being inappropriately shared with third parties.
BBW and medical confidentiality campaigners medConfidential have argued that the Data Protection Act (DPA) should include tougher penalties for perpetrators of serious data breaches, and for anyone found guilty of knowingly committing a data protection breach to receive a criminal record.
BBW says this flaw in the DPA allows the potential for an individual who has already been found to have committed a data protection offence to gain employment that still allows them to access personal information.
Until these gaps area addressed BBW feels the DPA doesn’t represent a workable deterrent to those who are intent on illegally obtaining and disclosing personal information.
However, Phil Booth, Coordinator of medConfidential, is happy that Dame Ruth Caldicott's most recent report includes data protection.
"It is good news for all that boards will be required to take responsibility for digital hygiene, just as they do for clinical hygiene,” he said.
"Unlike credit cards, where you can cancel the card and the bank pays the bill; when health information leaks, especially online, it has leaked. It is knowledge that people have that they can then not 'unknow'.”
In March, the ICO published new guidance on preparing for the new General Data Protection Regulation (GDPR) which changes the way organisations collect, use and transfer data. The guidance sets out the 12 steps that organisations must address in preparation for the 2018 regulations.
Part of NHS Digital's response to cyber threat has been the creation of a new service providing expert advice and guidance on security threats and best practice to the NHS and other health and care organisations.
CareCERT (Care Computing Emergency Response Team) which launched in January aims to “enhance cyber resilience across the health and social care system”.
One of its initiatives is CareCERT Broadcast, an alert service that goes out to more than 10,000 health and care professionals with responsibility for information technology, security, networking and information governance, which has released 34 alerts since December 2015.
NHS Digital would not disclose details on the types of threat or their extent. The alerts, which come from sources inside the NHS and other agencies, provide real-time advice on cyber security threats, along with guidance for recommended proactive or remedial actions to reduce local cyber risk.
According to NHS Digital, “We want to empower organisations to be accountable for cyber security locally, but to support and enable them to improve and enhance what they do.”