NHS Digital on cyber-attack: “We can be better prepared”
- 14 June 2017
NHS Digital admits the organisation could have done better during the global cyber-attack that crippled parts of the NHS last month.
Speaking at NHS Confed ’17 on Wednesday, NHS Digital’s acting chief executive, Rob Shaw said that better communications could have been provided earlier.
“There is a lot of negative press and publicity against us but in my opinion we did really, really well and the local organisations coped really well…but we can be better prepared and we can also make sure we in the centre, provide better communications earlier and make sure we give advice.”
Addressing the audience of industry professionals in Liverpool, Shaw spoke about NHS Digital’s role in cybersecurity, services they provide on this front and the importance of communication, education and training healthcare staff.
NHS Digital’s head of security, Dan Taylor, explained it’s all about the people.
“We need to invest in our people more and help them to make them good and better decisions; whether it be someone on reception, undergraduate coordinator, award sister, senior manager -they need to understand what their role is in securing the data of our patients”, Taylor said.
“People talk about, people, processes and technology, but if you’ve got a misconfigured firewall which may have happened in the recent attack that allowed that ransomware in, it’s individuals who make the decisions.
“It’s making sure they have the capability and training and at NHS Digital we are trying to make that happen.”
The cyber-attack that was caused by WannaCry ransomware affected 47 trusts, leading to some diverting ambulances, cancelling operations and staff reverting to pen and paper.
Taylor called out for feedback in how they can help to make that happen across the system.
“We need to make sure our own people understand their personal responsibilities; what to click, what not to click, but also we need to take responsibility as leaders to understand this is a leadership and agenda item.”
During the May cyber-attack, NHS Digital had setup a helpline which was adopted by Papworth NHS Trust. Admittedly, Taylor said it could have been communicated better in terms of informing people of the service.
Papworth, who experienced two cyber-attacks in 12 months used the service on both occasions and found it to be very helpful.
However, Jane Berezynskyj, Papworth’s IT director, said while they found NHS Digital to be very responsive, they would like to see more advice going forward.
“What we would value more; yes, you dealt with an attack, yes you dealt with it appropriately, but here’s some of the things we suggest you do to counter this going forward”, Berezynskyj said in a video interview at the forum.
She said other trusts should take advantage of the services NHS Digital offer. “As customers, we can help influence how that service is delivered.”
NHS Digital will be conducting free data security onsite assessments this year – “We come, we listen we evaluate and we give you options on how you can improve your services – and it enables us to see where the problems are and from that information we can create guidance and information so other organisations can take that and implement it.”
Taylor said the more they are told the more they can communicate across the system.
“That top down, one size fits all doesn’t work and from a security point of view we need to make sure the services we deliver are tailored in a way that locally can be used and adopted.”
Shaw had previously addressed NHS Digital at its 31 May board meeting, and referenced the initial communications from the organisation and the 24/7 specialist helpline.
“It was obviously paramount to have clear, substantiated evidence of the issue and an accurate understanding of what steps were best to take before communicating with organisations”, he told the board.
Follow Digital Health News’ reporter @DHShireenKhalil for live NHS Confed updates.