Cyber-security within the NHS is in the spotlight presently, the focus readjusted following a warning from the Public Accounts Committee that the NHS still has a long way to go to prove itself cyber-secure. Luke Koupparis, medical editor of OnMedica, which is part of Wilmington Healthcare, explores how you can ensure your defences are up to the challenge of any future cyber-attacks
A recent Wilmington Healthcare survey of more than 500 doctors found that the majority of them fear the NHS is at risk of a repeat of the May 2017 WannaCry cyber-attack, which wreaked havoc on its IT systems. Their fears were echoed by the Public Accounts Committee (PAC) which recently warned that another attack is inevitable, and that the NHS and government still have a lot of work to do to improve cybersecurity.
WannaCry exploited a vulnerability in Microsoft. Although the company had released a patch to fix this in March 2017, many NHS organisations had not installed updates on their computers for some time, hence this security hole remained open.
The fault in the system
Most IT systems within GP practices are owned by the NHS and administered by the clinical commissioning group’s digital services department. In many places, security patches are also controlled centrally. Unfortunately, however, IT updates can be intrusive and they require the operator to confirm that they want to install them. They usually involve a restart too, which can be time-consuming.
To ensure staff understand the importance of installing IT updates and know how to use NHS IT systems safely, GP practices should issue clear guidelines and provide training for staff.
Best practice guidelines should include the following:
- Ensure staff understand the importance of installing required updates when requested. If possible, critical security installations should be done automatically, with practices being told to leave their machines on overnight at a designated time.
- Make staff aware of the risks posed by malicious software coming directly into practices, usually via external emails or rogue software, and create a ‘safe senders’ list to make it easier to sift communications.
- Use NHS.net email software for clinical emails. This provides a secure, end-to-end, platform which is approved for communication about patient sensitive information. It also provides the appropriate security features to scan attachments for dangerous software.
- Restrict the ability of staff to install applications, such as different browsers, productivity applications or even add-ons like Java. Although these may be safe, incorrect links could be used that install viruses or malicious ransomware.
- NHS laptops should be secured so that no personal software can be installed. This prevents users from inadvertently installing software that may gain entry to NHS infrastructure when connected.
- Prohibit access to websites unrelated to work to reduce the risk of accessing ones containing malicious information.
- Many IT departments allow read access to external devices but not write access since this could allow software to be written on to a computer and spread through the network. Any device that is plugged in should be automatically scanned for dangerous software or viruses.
- Clarify rules on the use of personal devices, such as smartphones, at work. This should include, for example, a ban on charging smartphones from local computers, since many smartphones are designed to load software when connected to a computer.
- If a computer gets infected staff should immediately switch it off, using the power button, and call the local IT helpdesk to help limit the spread of the infection, and alert the specialist teams to eradicate the problem.
- Staff need to know where to store files if their machine needs to be wiped. Most clinical software is now stored within the cloud and not on local machines, so this data remains safe. However, staff must have strong passwords and change them regularly.
- Accessing content and services online, receiving information or services via email and using digital tools and apps are all essential for the NHS. Ensuring that staff use NHS IT systems safely will enable them to maximise the enormous benefits that digital systems bring to healthcare while minimising the security risks.