How NHS Digital is meeting COVID-19 cybersecurity challenges

Earlier response to the WannaCry crisis has helped create an infrastructure where UK healthcare organizations get better security support and threat intelligence


The UK’s National Health Service (NHS), a unified healthcare organization with a broad collection of moving parts, is working to provide a good cybersecurity baseline for the groups it supports during the COVID-19 crisis. That effort is complicated by limited budget and the need to deliver healthcare services without disruption. New support services and a reformed, WannaCry-inspired approach to security are helping them meet that challenge.

Each NHS trust has its own board, priorities and IT organization; under the trusts are hundreds of general practitioner (GP) offices, social care facilities, pharmacies and other healthcare services and providers. The level of cybersecurity maturity among those entities varies, says John Noble, non-executive director at NHS Digital. “The requirements for a GP practice are very different from that of an acute trust, and you've got this classic problem in healthcare, as you have in any organisation, [around] getting that balance between security, cost and usability.”

Failed NHS centralization, WannaCry showed security flaws

Previous efforts to balance centralization against independence have left the NHS with burned fingers. The 2003 NHS National Programme for IT proposed a single, centrally mandated electronic care record for patients and healthcare organizations. Dubbed in the UK press as “The greatest IT disaster in history,” the project was cancelled in 2011. That failure led to the NHS leaving each trust to mind its own IT infrastructure.

The impact of WannaCry on the NHS showed that the independent model had major issues. The 2017 ransomware attack affected at least 81 of 236 NHS trusts as well as 603 primary care and other organisations, including 595 GP offices. Some 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – were affected while patient data and email services were unavailable. Cost estimates for the attack have been pegged at around £92 million. 
