Editor’s Note: This article was published in Pharmaceutical Technology Europe’s May 2023 print issue.
OR WAIT null SECS
© 2024 MJH Life Sciences™ and Pharmaceutical Technology. All rights reserved.
A strategy on cyber resilience for health and social care organizations has been set out by the UK government.
On 22 March 2023, the government of the United Kingdom (UK) published its strategy to promote cyber resilience across health and social care by 2030. The Cyber Security Strategy for Health and Adult Social Care denotes that cyber security is a key aspect of improving patient care and the safety of frontline staff, designed to build trust and in turn, foster innovation (1).
Given that cyber security underwrites public trust in digital services and technologies, the new cyber strategy sets out a vision for reducing the cyber security risk to health and social care organizations across the Department of Health and Social Care (DHSC), National Health Service (NHS) organizations, local authorities, independent social care providers, and suppliers—which includes pharmaceutical manufacturers. The strategy aims to protect patient, service user, and staff data, as well as implement measures to ensure organizations can recover quickly from cyber-attacks when they do occur.
Editor’s Note: This article was published in Pharmaceutical Technology Europe’s May 2023 print issue.
As contained in the government’s policy document, the strategy includes the following five key pillars:
The pillars and this strategy’s implementation plan are underpinned by the Cyber Assessment Framework (CAF) (3), which is the National Cyber Security Centre’s (NCSC) standard, designed for organizations responsible for vitally important services and activities.
In an increasingly digitized health and social care system, technology is transforming how people access health and care services, as well as information. In primary care, technology includes patient booking systems, call and recall facilities, and electronic prescription services. In secondary care, technology includes diagnostic machines such as imaging scanners, and electronic systems that inform hospitals of the number of free beds available. For adult social care organizations, it is technologies such as digital care records and acoustic monitoring systems that facilitate more integrated care.
The DHSC estimates that, in England, there are approximately 950,000 general practice appointments conducted daily, 45,000 major accident and emergency (A&E) department attendances, and 137,000 imaging events recorded (2). Furthermore, it also estimated that more than 40 million people in the UK now have an NHS login, which helps them to book appointments, track referrals, and order medications online; while over 50% of social care providers use a digital social care record, that enables staff to share vital information about the people they care for (1).
While it is unlikely that a cyber incident would bring down all the hundreds or even thousands of separate systems that support direct care, interdependencies between systems imply that the UK government must account for at least some degree of cascading risk, since the scale of impact—both direct and indirect—from a cyber-attack on the health and social care sector has the potential to be far-reaching and large in nature.
The Department for Science, Innovation and Technology’s Cyber Resilience Policy defines cyber resilience as “the ability for organizations to prepare for, respond to and recover from cyber-attacks and security breaches … with cyber resilience the key to operational resilience and business continuity” (2).
The health and social care sector encounters cyber threats every day, which include phishing and other malicious emails, automated scanning for common software vulnerabilities, and attempted fraud (4). Of these, phishing and malware are recognized as low-sophistication ‘commodity attacks’ that are used by a wide range of cybercriminals. Data derived from NHS England’s Cyber Security Operations Centre (CSOC), which provides real-time protection against any suspicious activity to approximately 1.7 million devices across the NHS network, estimates that approximately 21 million malicious emails are blocked every month (1).
However, the most significant cyber threat the healthcare sector faces is ransomware, which is used in profit-seeking attacks, often staged by organized criminal groups or state actors (3). Such attacks can cause a complete loss of access to clinical and administrative information technology (IT) systems, resulting in significant disruption in day-to-day operations. This, together with the increasing proliferation and commercial availability of ‘ransomware as a service’, now implies that attacks are not just limited to sophisticated groups. According to the NCSC, ransomware attacks are increasingly seen to include data theft and extortion with a threat of data leaks (3). Furthermore, ransomware and other cybercrime have also become a significant threat to third-party suppliers (which includes pharmaceutical manufacturers), an attack on whom can cause as much, or more damage and disruption as an attack directly on a health or care organization (3). For example, in October 2020, Philadelphia-based company eResearchTechnology, which manufactures software used to develop COVID-19 vaccines and treatments was hit by a ransomware attack (5). Employees were locked out of systems and the attack had a knock-on effect that was felt by IQVIA, the research organization assisting UK pharmaceutical firm, AstraZeneca’s COVID vaccine trial, and US pharmaceutical major, Bristol Myers Squibb, which was involved in the development of a quick test for COVID-19 (5).
According to the UK government’s recently published policy paper outlining the new cyber security strategy, “all these threats pose risk not just to patient and staff safety, but also to public trust in a health and social care system that can and must safeguard people’s data” (2). It is therefore vital that the sector continues to adapt and improve its cyber resilience against these evolving threats and retain the confidence of the public.
The strategy also identifies several other challenges, including:
Later this year, a full implementation plan will be published setting out activities and defining metrics to build and measure resilience over the next two to three years. National cyber security teams will work closely with local and regional health and care organizations to achieve the visions and aims of the strategy. The work will include enhancement of the capabilities of NHS England’s CSOC; publication of a comprehensive and data-led landscape review of cyber security in adult social care; and an update to the Data Security and Protection Toolkit to empower organizations to own their cyber risk.
1. DHSC. Government Sets Out Strategy to Protect NHS from Cyber Attacks. Gov.uk, Press Release, 22 March 2023.
2. DHSC. A Cyber Resilient Health and Adult Social Care System in England: Cyber Security Strategy to 2030. Gov.uk, Policy Paper, 22 Mar. 2023.
3. NCSC. NCSC CAF Guidance. Published 30 Sep. 2019. Reviewed 11 April 2022. Version 3.1.
4. Ghafur, S.; Fontana, G.; Martin, G.; et al. Improving Cyber Security in the NHS. Institute of Global Health Innovation. Imperial College London, 2019.
5. Tambe, D. Major HNS Supplier hit by Ransomware Attack. Confidence IT, Blog Post. 17 Aug. 2022.
Bianca Piachaud-Moustakis is lead writer at Pharmavision, Pharmavision.co.uk.
Pharmaceutical Technology Europe
Vol. 35, No. 5
May 2023
Pages: 7–8
When referring to this article, please cite it as Piachaud-Moustakis, B. Protecting the NHS from Cyber Attacks. Pharmaceutical Technology Europe, 2023, 35 (5), 7–8.