NHS Improvement debates cybersecurity responsibilities
- 31 May 2017
NHS Improvement is considering its responsibilities as a cybersecurity regulator, according to its latest board papers.
Following the huge impact of the ransomware cyber-attack on the NHS earlier this month, the national body debated its role in protecting trusts.
“The role of NHS Improvement as a regulator was considered alongside the role of NHS provider boards and leadership teams”, as stated in NHS Improvement’s board papers.
The committee met on 15 May, three days after the cyber-attack that crippled parts of the NHS with some trusts still affected two weeks on.
The papers also added that the committee considered cybersecurity needed to be “explicitly included under the ‘Well Led’ heading of the Single Oversight Framework for providers”.
The Single Oversight Framework is designed to help NHS providers attain, and maintain, Care Quality Commission (CQC) ratings of “Good” or “Outstanding”.
An initial study, published in the BMJ, found that trusts that have been in special measures were three times more likely to be hit by the recent NHS cyber-attack.
Its author, Amitava Banerjee, senior lecturer and honorary consultant cardiologist at University College London, told Digital Health News that:
“Coming out of special measures is a longer process than we think, or that in order to come out of special measures you might have to, whether it’s cut costs or do things that do not encourage digital security.”
In July 2016, the CQC reviewed data security across the NHS in “Safe Data, Safe Care” with a recommendation to amend its assessment framework and inspection approach to ensure data security standards are being met.
In December last year, Peter Sinden was appointed as a new joint data chief at both NHS Improvement and the CQC.
In NHS Improvement’s meeting the “need for investment in the upgrading of software” was also discussed.
Questions were raised on the NHS’s lack of investment in IT in the immediate aftermath of the cyber-attack with the finger pointing at trusts not keeping up to date with patching.
Trusts with infrastructure issues include St George’s University Hospitals NHS Foundation Trust whose record keeping is an “extreme” risk according to its risk register, and Leeds Teaching Hospitals NHS Trust. The northern trust’s risk register says a sizeable chunk of a major teaching hospital’s critical IT systems are at significant risk of failing without warning.
The NHS Improvement committee also highlighted “the importance of regular training and education of staff”.
One of the worst hit trusts, Southport and Ormskirk Hospital NHS Trust, had said prior to the attack that there were issues with awareness among staff of cyber-attack issues.
At Leeds Teaching a recent fake phishing email had fooled 400 staff members into handing over confidential details.
Other issues considered at the meeting included the link between computers and medical devices and the importance of patches.
A “Task and Finish Group” will be created with members from NHS Improvement, NHS England and NHS Digital to work on cyber-security.
NHS Improvement declined to comment further on the story.
1 Comments
Excellent article. It’s gratifying to see that so many are seeing recent events as a wake-up call, and at least starting to mobilize resources toward remediation _and_ toward a security posture that appreciates the need for ongoing investment and attention.