Protecting the NHS from Cyber Attacks

beugdesign - Stock.adobe.com

On 22 March 2023, the government of the United Kingdom (UK) published its strategy to promote cyber resilience across health and social care by 2030. The Cyber Security Strategy for Health and Adult Social Care denotes that cyber security is a key aspect of improving patient care and the safety of frontline staff, designed to build trust and in turn, foster innovation (1).

Given that cyber security underwrites public trust in digital services and technologies, the new cyber strategy sets out a vision for reducing the cyber security risk to health and social care organizations across the Department of Health and Social Care (DHSC), National Health Service (NHS) organizations, local authorities, independent social care providers, and suppliers—which includes pharmaceutical manufacturers. The strategy aims to protect patient, service user, and staff data, as well as implement measures to ensure organizations can recover quickly from cyber-attacks when they do occur.

As contained in the government’s policy document, the strategy includes the following five key pillars:

• Focus on the greatest risk—identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function.
• Defend as one—uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimizing disruption.
• People and culture—building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognized, and relevant cyber basics training is offered to the general workforce.
• Build security for the future—embedding security into the framework of emerging technology to better protect it against cyber threat.
• Exemplary response and recovery—supporting every health and care organization to minimize the impact and recovery time of a cyber incident (2).

The pillars and this strategy’s implementation plan are underpinned by the Cyber Assessment Framework (CAF) (3), which is the National Cyber Security Centre’s (NCSC) standard, designed for organizations responsible for vitally important services and activities.

The growth of technology and the crucial role of effective cyber resilience

In an increasingly digitized health and social care system, technology is transforming how people access health and care services, as well as information. In primary care, technology includes patient booking systems, call and recall facilities, and electronic prescription services. In secondary care, technology includes diagnostic machines such as imaging scanners, and electronic systems that inform hospitals of the number of free beds available. For adult social care organizations, it is technologies such as digital care records and acoustic monitoring systems that facilitate more integrated care.

The DHSC estimates that, in England, there are approximately 950,000 general practice appointments conducted daily, 45,000 major accident and emergency (A&E) department attendances, and 137,000 imaging events recorded (2). Furthermore, it also estimated that more than 40 million people in the UK now have an NHS login, which helps them to book appointments, track referrals, and order medications online; while over 50% of social care providers use a digital social care record, that enables staff to share vital information about the people they care for (1).

While it is unlikely that a cyber incident would bring down all the hundreds or even thousands of separate systems that support direct care, interdependencies between systems imply that the UK government must account for at least some degree of cascading risk, since the scale of impact—both direct and indirect—from a cyber-attack on the health and social care sector has the potential to be far-reaching and large in nature.

Threats to England’s health and social care sector

The Department for Science, Innovation and Technology’s Cyber Resilience Policy defines cyber resilience as “the ability for organizations to prepare for, respond to and recover from cyber-attacks and security breaches … with cyber resilience the key to operational resilience and business continuity” (2).

The health and social care sector encounters cyber threats every day, which include phishing and other malicious emails, automated scanning for common software vulnerabilities, and attempted fraud (4). Of these, phishing and malware are recognized as low-sophistication ‘commodity attacks’ that are used by a wide range of cybercriminals. Data derived from NHS England’s Cyber Security Operations Centre (CSOC), which provides real-time protection against any suspicious activity to approximately 1.7 million devices across the NHS network, estimates that approximately 21 million malicious emails are blocked every month (1).

However, the most significant cyber threat the healthcare sector faces is ransomware, which is used in profit-seeking attacks, often staged by organized criminal groups or state actors (3). Such attacks can cause a complete loss of access to clinical and administrative information technology (IT) systems, resulting in significant disruption in day-to-day operations. This, together with the increasing proliferation and commercial availability of ‘ransomware as a service’, now implies that attacks are not just limited to sophisticated groups. According to the NCSC, ransomware attacks are increasingly seen to include data theft and extortion with a threat of data leaks (3). Furthermore, ransomware and other cybercrime have also become a significant threat to third-party suppliers (which includes pharmaceutical manufacturers), an attack on whom can cause as much, or more damage and disruption as an attack directly on a health or care organization (3). For example, in October 2020, Philadelphia-based company eResearchTechnology, which manufactures software used to develop COVID-19 vaccines and treatments was hit by a ransomware attack (5). Employees were locked out of systems and the attack had a knock-on effect that was felt by IQVIA, the research organization assisting UK pharmaceutical firm, AstraZeneca’s COVID vaccine trial, and US pharmaceutical major, Bristol Myers Squibb, which was involved in the development of a quick test for COVID-19 (5).

According to the UK government’s recently published policy paper outlining the new cyber security strategy, “all these threats pose risk not just to patient and staff safety, but also to public trust in a health and social care system that can and must safeguard people’s data” (2). It is therefore vital that the sector continues to adapt and improve its cyber resilience against these evolving threats and retain the confidence of the public.

UK healthcare sector vulnerabilities

The strategy also identifies several other challenges, including:

• High operational pressures. The healthcare sector comprises varying working environments and high operational demand with many systems required to run 24/7, presenting a challenge of how to address competing risks, priorities, and pressures.
• Large, complex, and autonomous sector. The size and diversity of the sector make it challenging to set standards that can be applied uniformly.
• Supply chain vulnerabilities. The health and social care supply chain are complex because providers each use many suppliers, who in turn have their own supply chains, thereby creating multiple layers of risk.
• Unclear accountability and ability to influence. Where accountability for cyber risk is unclear, there must be clear messaging to boards and leaders that they are accountable for their organization’s cyber security, while at the same time, highlighting the responsibility that cyber professionals have for delivering in this space.
• Limited cyber workforce. A UK-wide shortfall of cyber professionals makes it challenging to hire and retain the experts that are needed to support leaders and staff in improving their organizations’ cyber security.
• New digital, data, and technology. The pace of growth and development in the digital, data, and technology space makes it challenging to assure the effective cyber security of new products.
• Legacy technology. As new technology is developed; it can be challenging to monitor and replace older technology as it becomes outdated and more vulnerable to cyber-attacks (2).

Looking ahead

Later this year, a full implementation plan will be published setting out activities and defining metrics to build and measure resilience over the next two to three years. National cyber security teams will work closely with local and regional health and care organizations to achieve the visions and aims of the strategy. The work will include enhancement of the capabilities of NHS England’s CSOC; publication of a comprehensive and data-led landscape review of cyber security in adult social care; and an update to the Data Security and Protection Toolkit to empower organizations to own their cyber risk.

References

1. DHSC. Government Sets Out Strategy to Protect NHS from Cyber Attacks. Gov.uk, Press Release, 22 March 2023.
2. DHSC. A Cyber Resilient Health and Adult Social Care System in England: Cyber Security Strategy to 2030. Gov.uk, Policy Paper, 22 Mar. 2023.
3. NCSC. NCSC CAF Guidance. Published 30 Sep. 2019. Reviewed 11 April 2022. Version 3.1.
4. Ghafur, S.; Fontana, G.; Martin, G.; et al. Improving Cyber Security in the NHS. Institute of Global Health Innovation. Imperial College London, 2019.
5. Tambe, D. Major HNS Supplier hit by Ransomware Attack. Confidence IT, Blog Post. 17 Aug. 2022.

About the author

Bianca Piachaud-Moustakis is lead writer at Pharmavision, Pharmavision.co.uk.

Article details

Pharmaceutical Technology Europe
Vol. 35, No. 5
May 2023
Pages: 7–8

Citation

When referring to this article, please cite it as Piachaud-Moustakis, B. Protecting the NHS from Cyber Attacks. Pharmaceutical Technology Europe, 2023, 35 (5), 7–8.