The UK government has released a new strategy today in a bid to boost NHS cyber resilience. At least £15m will be devoted to cyber defences within adult social care, the role of NHS England’s cybersecurity operations centre will be enhanced and national training and support will be provided by 2025.
The NHS cyber strategy aims to shore up the resilience of the NHS in its entirety by 2030.
Health services around the world have become common targets for cybercriminals. The NHS was hit last summer when the 111 non-emergency phone line was crippled when one of its suppliers, Advanced, suffered a ransomware attack by the LockBit gang.
UK government releases cyber resilience strategy for the NHS
The strategy comprises five pillars that show where the focus will lie. It is expected to enhance the healthcare sector’s protection against cybercrime, paying particular attention to protecting the NHS against ransomware.
A detailed implementation plan will be released in the summer of 2023 in order to document the strategy’s progress, particularly for the next two to three years.
The risks that the NHS is currently facing are encompassed in the strategy, outlined as phishing, automated scanning for common software vulnerabilities and attempted fraud.
To protect against these risks in the short term, the DHSC has pledged at least £15m to improve the cybersecurity of adult social care. Measures to implement this will be defined in a future “comprehensive and data-led landscape review on the status of cybersecurity in adult social care, spending at least $15m over the next two years in response to that review,” the Department for Health and Social Care (DHSC) explains.
Funding will also be provided for “local cyber resilience with local training and support by 2025,” the report continues, as well as developing a framework to enhance and develop the NHS cybersecurity operations centre.
NHS cybersecurity strategy has five pillars
Long-term goals include making patients and service users safer with a heightened focus on five “pillars,” which will provide structure to the enhancement of the NHS’s cyber resilience.
The five pillars – focus on the greatest risks and harms, defend as one, people and culture, build secure for the future exemplary response and recovery – have detailed goals for 2030.
The five pillars will be supported by a national implementation plan which will “detail activities and define metrics to build and measure resilience over the next two to three years”. It will be released in the coming months.
Lord Nick Markham CBE, the parliamentary under-secretary of state in the DHSC, explained that the new strategy is crucial to ensuring the safety of patients in the NHS.
“We’re harnessing the power of technology to deliver better, safer care to people across the country – but at the same time it’s crucial we’re also bolstering the defences of our health and care services,” he said.
“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future. This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre,” the minister concluded.
Strategy ‘urgently needed’ as budgets are cut
At a time when NHS budgets are stretched like never before, the strategy was urgently needed, says Jonathan Bridges, chief innovation officer at cybersecurity vendor Exponential-e.
“It’s very difficult for the NHS to prioritise spend on new technology. That’s why its systems have become outdated and vulnerable in many cases, and the government’s new strategy to protect the NHS from attack is so urgently needed,” Bridges said.
“Budget is a big reason why current approaches are failing. Often it’s capital-based, and the public sector’s ability to increase operational budgets is challenging, but modern-day security services are considered operational. So given the cost of the average cyber specialist is increasing, and resources are in much shorter supply, it’s often very difficult for the NHS to fund the cyber protection it needs.”