NHS CIO discusses revamped security two years on from Wannacry

Will Smart discusses the refreshed NHS cyber strategy which will apply across the organisation, as ransomware refuses to disappear

The NHS will be releasing a new cyber security strategy which will apply across the organisation, its CIO Will Smart has told Computing.

Smart introduced a cyber security review following the Wannacry ransomware attacks in May 2017, which took down large parts of the NHS. The subsequent National Audit Office investigation pointed the finger of blame at NHS organisations for failing to keep their Windows 7 PCs patched and up to date.

That resulted in a set of national cyber security standards and targets being developed for the NHS, a strategy that is now being refreshed.

"We're currently working on a refreshed cyber standard that will apply a cyber strategy across the whole of the NHS," said Smart.
This will be a national strategy, due to be released at the end of 2019, Smart indicated.

"Work is going on, but we have NCSC [National Cyber Security Council] and other stakeholders engaged in it."

Part of the work is to identify the appropriate standards for the industry.

"One of the challenges in healthcare, and one area we definitely will address is: what are the right standards to be mandating on cybersecurity and health? Because healthcare is quite a different environment to manufacturing, leisure, travel or whatever."

And the new strategy will be based on what Smart sees as a more mature NHS, in terms of its cyber security.

"Some time ago we bought Windows 10 and threat protection for instance, to enhance security at a device level. So there's now a set of national capabilities and services that NHS Digital is providing in tandem with its Security Operations Centre. So we've got a great deal more visibility, in some cases, down to an individual device level of what's happening from a cyber perspective within an organisation.

"So I think we've matured a great deal over the last couple of years since Wannacry. And we're also interested in the support and encouragement of local organisations. I strongly believe in the importance of local organisational leadership around cyber security, and the requirement for the Chief Executive to be really engaged around the cyber agenda."

Smart has also overseen a system of assessing NHS organisations to ascertain their level of cyber readiness.

"We have done individual assessments of organisations, and now have a view of who are the most mature organisations, and who are the least mature. And we have a set of interventions which are available to be taken alongside local organisations, from board training through to deep technical support.

"And we continue to keep a close watch on what's happening. Because I might say to the Public Accounts Committee it's a matter of when, not if, we have the next cyber-attack, so we need to continually be having the conversation about what the threat landscape looks like, as well as assessing readiness and response capabilities within local organisations."
