In March 2023, the UK Government announced the launch of a new strategy to boost NHS cyber resilience across the entire health service by 2030. We know that seamless analysis and sharing of data are widely recognised as central to a digitally-enhanced health service. However, at a time when the number of cyber-attacks on the NHS and other public bodies is growing, the need for greater security and connectivity is paramount. We spoke with Dr Michael Quinn, Consultant Physician, Belfast Trust - Informatician QUB and a member of the Clinical Advisory Board at BT, to gauge his thoughts on the five key themes set out by the strategy and what it means for the delivery of healthcare:
Reaction to the UK government’s NHS cybersecurity strategy
1) Identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function.
In the delivery of healthcare, sensitive information is collected at every point throughout the patient's journey. Crucially, the information shared is often extremely sensitive and personal – far more so than in heavily-regulated areas like finance – and so should be protected at all costs. In fact, protecting personal information should be paramount and a core pillar for the NHS now more than ever.
There are two main reasons for this. Beyond the inherent risk behind losing personal information from a privacy perspective, there is the possibility that the information will be unavailable to healthcare providers when the patient becomes sick. A prominent example of this is when the Irish Health Service was targeted by a ransomware attack in 2021. This means that the care needs to start at the beginning again without the benefit of the retained and recorded notes in the system that enable more efficient and effective care.
In the long term, this leads to a lack of trust from patients and an incredible amount of disruption and duplication of work for clinical staff. In short, if cybersecurity is not taken seriously patients will receive a lower standard of care.
2) Uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimising disruption.
One of the holy grails of integrated healthcare systems is the possibility that data and, therefore, the clinical workflow, follow the patient across different settings of care. In many circumstances, the only way that this has been achieved is by using the same login details and therefore a unified security approach.
This is, unfortunately, very uncommon in healthcare – quite often, I have seen multiple and occasionally hundreds of disparate systems involved in the delivery of care to just one individual. When carers have to navigate their way through multiple systems, it is much more difficult to deliver care that is consistently of a high standard.
This makes protecting the overall journey of care far more difficult than it needs to be, so I’m pleased the NHS is putting steps in place to plan for the future of integrated care services. This allows clinical staff practising in different areas to have seamless, integrated log-in details to the multiple systems required to do their job. So far, doing this in a scalable way has proven difficult, and one of the major hurdles has related to interoperable systems using solutions like single sign-on.
3) Building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognised, and relevant cyber basic training is offered to the general workforce.
Sometimes, the NHS is thought of as simply a collection of a clinical workforce, but this couldn't be further from the truth. In fact, the entire infrastructure upon which the NHS is built relies on people from multiple backgrounds, particularly in terms of infrastructure and technology. Almost every service at our disposal now has a digital component, and those components are just as important as the wards in the hospital or the clinic and outpatient appointments.
In fact, BT’s recent survey of NHS staff found that 28% saw a lack of adequate skills and training as a barrier preventing them progressing their organisations’ digital transformation efforts in the next few years. What’s more, 49% said the standard of technology at work was a source of stress.
It’s for this reason that we need a greater number of people who have the skills, interest, and desire to provide the right kind of technological support and security for our healthcare technology sector.
Ultimately, it's down to leaders within healthcare and those within the integrated care services and trusts to prioritise this training and ensure that their workforce sees it as important rather than just an optional ‘tick box’ exercise.
4) Embedding security into the framework of emerging technology to better protect it against cyber threats.
The framework articulated by this report outlines a very promising and straightforward methodology for providing the most effective protection for patients as they pass through our healthcare system. However, the link between the clinical provision of care and the systems that collect and collate the data must be understood, which explains why we need to be cognizant of emerging technologies and the risks posed by cybersecurity threats within the NHS.
As our environment becomes ever more technical and digital, these risks escalate. Therefore, the infrastructure and underlying embedded security needed must also increase in turn - the two go hand in hand. In the same way we train clinicians to practise at the highest possible level, we must ensure that our other staff are brought to the highest possible level of cybersecurity understanding.
5) Supporting every health and care organisation to minimise the impact and recovery time of a cyber incident.
One of the things that is still most poorly understood is what to do when a cybersecurity event occurs within a healthcare environment. Often, we have become so dependent on software systems that the only mechanism to continue is to return to the ‘paper and pen’ approach. In many cases that still works, but it does not allow organisations to rapidly respond. They need to have a back-up plan to ensure that their current level of delivery is unaffected. Given the myriad of systems that exist, it only takes one or two to be compromised before the entire unit becomes unusable for threat of malware infiltrating an organisation that is currently secure.
Therefore, systems engineers within trusts and organisations that provide NHS software must consider architectural pathways that account for what happens if they are compromised from a clinical safety perspective. The current default is to think about software safety and how the information can be locked down, protected, and not used. However, what if we have to use it regardless? In healthcare we often need to use data with regards to direct clinical care - locking down data cannot be considered a reasonable mitigation.
Detailed and complex planning arrangements need to be made. The NHS needs help with that from companies and partners that have been there before and have designed infrastructure able to withstand cyber events more effectively.
How is BT helping?
BT is facing the issues discussed here head-on through the introduction of the Clinical Advisory Board, on which I sit - this helps to ensure each technology decision is driven by the real-life everyday challenges clinicians face.
Co-creation is then also fuelled by BT’s Vanguard Programme. Through our close relationship with NHS trusts, we’re working with them to understand specific needs so together we can build smarter, more efficient and crucially safer services that truly deliver greater patient outcomes.
“BT’s security team protects UK Critical National Infrastructure, and is relied upon by the UK government, the NHS, armed forces, emergency services, air traffic control and many other critical organisations. We also provide managed security solutions to some of the world’s largest companies across 180 countries, giving us a truly global reach and insight of the cyber landscape.
Get in touch
To discuss any of these topics in more detail, please feel free to comment below and get in touch with us at [email protected], or via our website.”
Michael Quinn, Member of the clinical board