Government Launches NHS Cyber Security Strategy

NHS commitment. Government launches seven year cyber security strategy for the health and adult social care sectors

The Government has set out its cyber strategy for the NHS to build “cyber resilience in health and adult care by 2030”.

The announcement plan includes 5 key ways to bolster the NHS cyber credentials, to “protect health and adult social care functions and services, which the whole nation depends on.”

The NHS and its suppliers have had to deal with a number of cyber challenges in recent years. For example in August last year NHS digital supplier Advanced admitted a ransomware attack was responsible for disrupting the NHS’ 111 services.

© Monika Wisniewska -

NHS cyber attacks

But perhaps the most famous cyber incident for the NHS took place in 2017, when the “relatively unsophisticated” WannaCry ransomware outbreak devastated large swathes of the NHS, as well as many organisations and businesses around the world.

Attacks against healthcare providers are still ongoing, as evidenced by the recent ransomware attack on a major hospital in the Spanish city of Barcelona.

In 2019 a whitepaper from Imperial College London warned the NHS remains vulnerable to hackers. The whitepaper blamed outdated computers, lack of investment, and sparsity of skills, which meant the NHS remained vulnerable to hackers.

In December 2018 freedom of information requests by Redscan revealed that nearly a quarter of NHS trusts had no staff with security qualifications.

And a quarter of NHS trusts spend absolutely nothing on cyber-security training.

NHS cyber strategy

But that may hopefully change as the Government set out its cyber security strategy for health and adult social care.

The government acknowledged that technology is transforming how people access health and care services and information.

It pointed out that over 40 million people now have an NHS login, helping them book appointments, track referrals and order medications online.

Indeed, over 50 percent of social care providers now use a digital social care record, helping staff share vital information about the people they care for.

The government said that as digital systems are adopted to improve health and care services for people across the country, it is vital the health and care sector has the tools it needs to better protect patients’ information.

“This new strategy will ensure health and adult social care organisations across England are set up to meet the challenges of the future – from identifying areas in the sector which are most vulnerable, to better utilising resources and expertise across the country to defend against cyber attacks,” said the government.

“We’re harnessing the power of technology to deliver better, safer care to people across the country – but at the same time it’s crucial we’re also bolstering the defences of our health and care services,” said Health Minister Lord Markham.

“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future,” said Lord Markham. “This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.”

The government noted that the health and social care sector has made good progress in recent years, by using the increasing number of cyber defence and response tools it has at its disposal.

The sector is now much better protected from attacks than it was at the time of the WannaCry cyber attack in 2017, the government said.

It highlighted that NHS trusts now benefit from a direct link to NHS England’s Cyber Security Operations Centre (CSOC), providing real-time protection of any suspicious activity to approximately 1.7 million devices across the NHS network.

The government also said around 21 million malicious emails are also blocked every month.

Five steps

The government cyber vision for the NHS includes 5 key pillars to minimise the risk of cyber attacks and other cyber security issues. This includes:

  1. identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function.
  2. uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimising disruption.
  3. building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognised, and relevant cyber basics training is offered to the general workforce.
  4. embedding security into the framework of emerging technology to better protect it against cyber threat.
  5. supporting every health and care organisation to minimise the impact and recovery time of a cyber incident.

The government said a full implementation plan will be published in summer 2023 setting out detailed activities and defining metrics to build and measure resilience over the next 2 to 3 years.

Industry reaction

Rick Jones, CEO and co-founder, NCSC-approved cyber check company DigitalXRAID said it is crucial that the UK continues to dedicate time and resource to boosting the cybersecurity of the public sector and the NHS in particular, especially given previous cyberattacks and their long-lasting effects.

“Months on from the ransomware attack on NHS IT systems, disruption was still being reported,” said Jones. “The incident had a knock-on effect on the quality of care that NHS trusts could offer; patient notes became paper files and patient lists were unavailable, leading to missed appointments.”

“One of the biggest risks for healthcare, that we hope to see a focus on in this new government cyber strategy, is IT supply chain attacks,” said Jones. “Cybercriminals have learned that leveraging back-door entry through less resourced companies in a supply chain is an effective way to exploit small businesses and gain access to larger ones – in this case, one of the largest public sector bodies in the UK.”

“To mitigate this risk, organisations should at minimum contractually agree data breach liability with third parties,” said Jones. “On top of this, regular cybersecurity awareness training alongside the implementation a Zero Trust architecture will also reduce risk and halt lateral movement of attackers inside a network. A Security Operations Centre (SOC) to monitor, detect and mitigate threats is also increasingly essential in today’s threat landscape.”

Promising move

Another cyber expert, Stephen Oliver, general manager North EMEA at cyber specialist Gigamon, welcomed the government’s announcement.

“It’s promising to see government take action and set out a strategy to boost cyber resilience in the NHS,” said Oliver. “We’re already seeing a number of industries and regions bolstering their regulatory approach to cybersecurity – with DORA for EU Financial Services, and the latest Whitehouse Cyber Strategy in the US – so it’s critical we seek to protect the UK public sector and healthcare bodies.”

“As the healthcare sector has continued its much-needed digital transformation over recent years, complexity has increased alongside,” Oliver added. “Many legacy systems are still in place, with new technologies and cloud infrastructure being integrated, yet tools designed for on-premises simply lack the insight critical for virtual environments. This leads to greater opportunities for cybercriminals to launch an attack.”

“However, with budgets already overstretched in a challenging economic climate, the good news is that healthcare organisations are unlikely to need a complete overhaul of current IT infrastructure,” noted Oliver. “Instead, they need to optimise what’s in place and ensure they have a ‘single pane of glass’ view powered by deep observability into all moving data across their entire IT infrastructure. This then eradicates blind spots and reduces the opportunity for hackers to exploit weak points un-detected.”