£150 million will be spent on NHS cyber security over the next three
years¸ reducing the impact of an attack, announced the Department of Health and Social Care.
The department has announced a new multi-million pound Microsoft security package that will ensure all health and care organisations can use the most up-to-date software with the latest security settings.
Under the new security plan, NHS Digital will have near real-time capability
to respond to cyber-attacks. Systems
will have increased resilience to attacks, and unsupported Microsoft systems in
the NHS will be a thing of the past.
Cyber attacks are a real and growing threat to healthcare organisations, and they have become a top priority for the UK Government. On May 12, 2017, the WannaCry cyber-attack affected a wide range of countries and sectors, including at least 80 out of 236 NHS trusts and a further 603 primary care and other organisations, including 595 out of 7,454 general practices.
Since 2017, the Government has invested £60 million to address key cyber
security weaknesses. Organisations across the industry have commended the
increased investment for the next three years, which will enable NHS Trusts to
benefit from enhanced security intelligence.
Sarah Wilkinson, Chief Executive at NHS Digital said: “We welcome the
Secretary of State’s commitment to prioritise cyber security. The new Windows
Operating System has a range of advanced security and identity protection
features that will help us to keep NHS systems and data safe from attack. This
is one of a suite of measures we are deploying to protect the service from
cyber attack.”
Windows Defender Advanced Threat Protection will feed into a central NHS
Security Operations Centre, creating a centralised, managed, and coordinated
framework for the detection of malicious cyber activity and visibility around
how threats try to move across the organisation. The service will use
Microsoft's vast telemetry sets, advanced analytics, and expert human analysts
to reduce the likelihood and impact of security breaches or malware
infection.
At a local level, individual trusts will have the ability to detect
threats, isolate infected machines and kill malicious processes before they are
able to spread.
Another area of investment includes £21 million on upgrading firewalls
and network infrastructure at major trauma centre hospitals and ambulance
trusts. The aim is to improve security at key emergency sites and protect
technology such as MRI scanners and that used for blood test analysis.
The Department has launched a Data Security and Protection Toolkit which
requires health and care organisations to meet 10 key standards, including
appointing a senior executive to oversee data and cyber
security. Meanwhile, new powers have been given to the Care Quality
Commission to inspect NHS trusts on their cyber and data security capabilities
in conjunction with NHS Digital.
£39 million has been spent this year by NHS trusts to help them address
infrastructure weaknesses which prevented them from fully implementing
solutions to address all historic cyber alerts.
Health Secretary Jeremy Hunt said: “We know cyber attacks are a growing
threat, so it is vital our health and care organisations have secure systems
which patients trust.
“We have been building the capability of NHS systems over a number of
years, but there is always more to do to future-proof our NHS against this
threat.
“This new technology will ensure the NHS can use the latest and most
resilient software available – something the public rightly expect.”
Cyber security across all organisations is a top priority for the UK
Government, which is why it is investing £1.9 billion in the National Cyber
Security Strategy and opened the National Cyber Security Centre (NCSC), which
manages around 60 serious attacks every month.
Improved resilience to attacks achieved through the new plan will help
to protect the NHS system and patients within it. The UK’s Royal Academy of Engineers has warned
that hackers could kill patients by attacking their wearable health monitors,
such as pacemakers and heart pumps.
Wearable health monitors that are linked to the internet or internal
computer networks could provide a gateway for hackers to plant ransomware into
systems, which threatens victims if ransoms aren't paid.
Professor Nick Jennings, a fellow of the Royal Academy of Engineers and Vice Provost atImperial CollegeLondon said: “We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly.” With cyber threats increasing, investments in security will need to keep up with hacker innovation.