Cyber-security: how safe is your organisation?

A ransomware attack on London hospitals caused weeks of disruption, highlighting the growing cyber threat to NHS services. The Health Informatics Service (THIS) protects healthcare organisations with industry-leading security measures.

Stay ahead of cyber threats and learn how THIS can safeguard your data.

The impact of a cyber-attack on NHS services – how THIS can help protect your organisation

An appeal for O blood-type donors to sign up for transfusions had to be made nationwide when a ransomware attack affected several major London hospitals, illustrating the impact a cyber-attack can have on NHS services. Several hospitals could not carry out blood transfusions and had to cancel operations and tests after the attack on a pathology business working for the NHS by a group of Russian cyber criminals. It meant King's College Hospital, Guy's and St Thomas' (including the Royal Brompton and the Evelina London Children's Hospital) and primary care services had to declare a critical incident. 

A ransomware attack is where hackers take control of IT systems to steal data and demand a payment from their victims to recover it. That particular attack happened in June 2024, but the impact was still being felt 14 weeks later. Figures compiled by NHS England showed that 11 acute outpatient appointments and two elective procedures had to be postponed because of the attack in the first week of September, taking the total number of postponements to over 10,000 for acute outpatient procedures and more than 1,700 for elective procedures.  

The incident is a clear example of the potential damage and chaos that a cyber-attack can inflict on NHS services, putting the magnitude of NHS digital cyber security under the microscope. 


The top five cyber security threats to the NHS

Ransomware attacks such as the one that impacted the London hospitals are one of the five most common cyber security threats faced by the NHS.

The others are: 

  • Malware attacks – various forms of insecure, intrusive, or hostile computer software, such as viruses, worms, and trojan horses, which are often spread using email.
  • Phishing scams – this is where an attacker sends a fraudulent message to trick a person into revealing sensitive information or deploying malware on the victim’s computer. It is one of the tricks that comes under the heading of social engineering, mentioned below.
  • Data breaches – this is the release of personal data that has been accessed by hackers; sometimes a data breach can also happen accidentally.
  • Social engineering – a broad range of malicious activities accomplished through human interactions to trick users into making security mistakes or giving away sensitive information.

(Source: NHS England) 

Are NHS cyber-attacks on the rise?

In an interview with journalist Tammy Lovell of Digital Health magazine, executive director of national cyber security operations at NHS England, Mike Fell, said evidence suggested cybercrimes against the NHS had actually plateaued. 

He explained:

“Ultimately, there’s nearly £180bn flowing through the NHS in England to deliver public services, and that is attractive for cyber criminals. 

“(But) I think we need to challenge some of the narrative against cybercrime being an ever-increasing threat. Actually, the evidence is that attacks have plateaued, if not are on a downward trend [1], particularly against the NHS.”

Despite that encouraging news from Mr Fell, who is well placed to comment after spending 15 years in government security roles before moving to the NHS in 2022, the disruption a cyber-attack can cause, as witnessed in London, is the dread of healthcare organisations across the UK. 

[1] In 2020, over 20% of incidents reported to the NCSC related to healthcare (https://www.ncsc.gov.uk/files/NCSC%20Annual%20Review%202021.pdf, p.10). By 2023, healthcare was not even in the top five sectors reporting incidents to the NCSC (https://www.ncsc.gov.uk/collection/annual-review-2023/threats-risks).

Information courtesy of Digital Health magazine. 

Stay protected against NHS cyber-attacks with THIS

The Health Informatics Service (THIS) is at the vanguard of NHS cyber security standards. It provides protection for its host trust, the Calderdale and Huddersfield NHS Foundation Trust (CHFT) and its hospitals in Halifax and Huddersfield, alongside 59 clients across the healthcare sector.  

THIS’ Cyber Security Team helps to protect approximately 15,000 devices used by 19,000 people working within CHFT and a spectrum of clients ranging from prison healthcare service providers to GPs’ surgeries.  THIS is the only NHS informatics service to hold three ISO standards relating to cyber security and data protection:  

  • ISO 27001 Information Security Management.
  • ISO 9001 Cyber Management.
  • ISO 20000-1 Information Technology Service Management.

It is compliant with the NHS England Data Security and Protection Toolkit (DSPT) and its cyber security training is NHS England mandated. To put its capabilities into context, in one two-month period, THIS’ host trust was the target of 46,600 phishing emails and 34,600 spam emails that resulted in 1,658 malicious websites being blocked, and the thwarting of 1,432 malware attacks. How much protection a healthcare organisation requires depends on the amount and type of data it handles.  Those dealing with patient data must have a particularly well-prepared NHS cyber security policy. 

Paul Glover, of THIS’ Cyber Security Team, says that while there is no ‘silver bullet’ that can protect an NHS trust or healthcare organisation from a cyber-attack, he recommends the National Cyber Security Centre (NCSC) 10 steps to cyber security as a good starting point.

It advocates:

  • Risk management – taking a risk-based approach to securing data and systems.
  • Engagement and training – collaboratively building security that works for the people in your organisation.
  • Asset management – knowing what data and systems your trust or organisation has and what purpose they support.
  • Vulnerability management – keeping systems protected throughout their lifespan.
  • Identity and access management – controlling who and what can access your systems and data.
  • Data security – protecting data where it is vulnerable.
  • Logging and monitoring – designing systems that can detect and investigate incidents.
  • Supply chain security – collaborating with suppliers and partners. Security should be built in – not bolted on.

Paul Glover:

“The 10 steps are a good place to start building up a robust NHS security strategy. But if you then need to prove to your customers that you’re at that level of security maturity, you could look at acquiring Cyber Essentials [2].”

[2] A UK certification scheme designed to show an organisation has a minimum level of cyber security protection, which is achieved and maintained through annual assessments.

The five pillars of Cyber Essentials – which is backed by the UK government and the NCSC – are:

  • Firewalls – boundary firewalls and internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go.
  • Secure configuration – failure to manage the proper configuration of your servers can lead to a wide variety of security problems.
  • User access control – it is important to keep access to your data and services to a minimum. This should prevent a criminal hacker from being presented with open access to your information.
  • Malware protection – it is vital that you protect your business from malicious software, which will seek to access files on your system.
  • Patch management – criminal hackers exploit known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.

Paul Glover:

“If you then have the time and resource, you can strengthen further by looking at certifications like ISO/27001 Information Security Management.”
“This is a good place to be, but it's also being aware that getting to that level of maturity doesn't mean your organisation is completely impenetrable from any kind of cyber-attack. It means you're in a situation where the impact of such an attack is likely to be less than it would’ve been if you'd done nothing.
“The other part of the equation is understanding that if, or when, you are attacked, what is your response going to be? Are you prepared to think that far ahead? What does your incident response plan look like? And what does your business continuity plan look like? How are you going to keep running your organisation while it’s suffering from a cyber-attack?
“A lot of organisations think there is nothing to worry about because they’ve never been attacked before. It's that type of mentality that we need to overcome. There have been incidents in the past that have affected other NHS organisations but not us, and that has been due to the security posture we’ve had in place as part of our digital maturity.”

Keeping data safe – how THIS can support you

THIS has accreditation to provide training on all aspects of threat containment and secure email compliance through NHS England’s secure email standard, DCB1596 certification, which ensures sensitive and confidential information is kept secure.

Paul Glover, of THIS’ Cyber Security Team, says:

“Any e-mail that comes from outside the organisation typically contains a warning banner that appears at the top of the e-mail saying this is external, be cautious with malicious attachments and malicious links that you click on. We try to drill it into all staff that if you're not certain, alert our team and we can check it for you. 
“To be registered as a secure e-mail provider between health and social care organisations you must have the DCB1596 certification from NHS Digital. It ensures that malicious attachments get blocked, there's anti malware and spam controls in place, and that the general well-being and security of the e-mail environment is up to a certain standard.
“We put customers through that accreditation. The threat landscape is evolving all the time and it’s important there is user awareness of staying abreast of changes and being aware of how you can keep your organisation safe.” 
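The external-mail banner described above comes down to a simple classification rule followed by a rewrite of the message. The block below is an added illustration, not THIS’s mail-flow configuration or DCB1596 tooling: the internal domain list, the banner wording and the two sample messages are constructed for the example. It checks both the From domain and the envelope sender (Return-Path), so a message whose From address looks internal but which was sent from an outside server is still tagged.

```python
"""External-mail banner: tag messages that originate outside the organisation.

Added illustration of the warning-banner control described above. The internal
domain list, banner wording and the two sample messages are constructed for this
example; they are not THIS's configuration or mail-flow rules.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: domains whose mail is considered internal (assumption for the example).
INTERNAL_DOMAINS = {"example-trust.nhs.uk"}

BANNER = (
    "[EXTERNAL] This email originated outside the organisation. "
    "Be cautious with attachments and links; if you are not certain, "
    "forward it to the IT security team before acting on it.\n\n"
)


def sender_domain(header_value: str) -> str:
    """Domain of the real address in a From/Return-Path header, ignoring the
    display name, so 'Trust IT Helpdesk <x@other.test>' yields 'other.test'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message, internal_domains=INTERNAL_DOMAINS) -> bool:
    """Treat a message as external unless both the From domain and the
    envelope sender (Return-Path) domain are internal. Checking both catches
    the common spoof of an internal From address sent from an outside server;
    a missing header is treated as external because nothing can be verified."""
    from_dom = sender_domain(msg.get("From", ""))
    return_dom = sender_domain(msg.get("Return-Path", ""))
    if not from_dom or not return_dom:
        return True
    return from_dom not in internal_domains or return_dom not in internal_domains


def tag_external(raw: str, internal_domains=INTERNAL_DOMAINS) -> str:
    """Return the message with a subject prefix and body banner if it is
    external; internal mail is returned untouched. Tagging is idempotent, so a
    message that passes through twice does not get a second banner. Only
    single-part text bodies are handled, to keep the example short."""
    msg = message_from_string(raw)
    if not is_external(msg, internal_domains):
        return raw
    subject = msg.get("Subject", "")
    if not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
    if not msg.is_multipart():
        body = msg.get_payload()
        if not body.startswith(BANNER):
            msg.set_payload(BANNER + body)
    return msg.as_string()


# Constructed sample messages (not real mail).
INTERNAL_MAIL = """\
From: Jane Clinician <jane@example-trust.nhs.uk>
Return-Path: <jane@example-trust.nhs.uk>
Subject: Clinic rota
Content-Type: text/plain

Updated rota for next week is on the shared drive.
"""

# From address looks internal, but the envelope sender is an outside server.
SPOOFED_MAIL = """\
From: Jane Clinician <jane@example-trust.nhs.uk>
Return-Path: <bounce@it-support-portal.test>
Subject: Password expiry
Content-Type: text/plain

Your password expires today. Log in at the link below to keep it.
"""

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL_MAIL), ("spoofed", SPOOFED_MAIL)):
        print(f"--- {name}: external={is_external(message_from_string(raw))}")
        print(tag_external(raw))
```

In a real gateway this rule would run after the MTA has verified the envelope sender (SPF/DKIM/DMARC), and the banner would be inserted into each text part of a multipart message; the single-part handling here is the minimum needed to show the decision and the rewrite.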

Microsoft Teams is the preferred communication platform for CHFT as it is UK-hosted, General Data Protection Regulation (GDPR) compliant, ISO/27001 compliant and provides integration with other trust software such as Outlook and ultimately Office 365.  

THIS has put in place some mandatory procedures to ensure Personal Confidential Data (PCD) is kept secure. These include:

  • Minimising the use of PCD. 
  • Implementing security measures for accessing Teams on personal devices. 
  • Not extracting or storing PCD on non-Trust, personal or any other storage device. 
  • Working from home guidelines. 
  • Ensuring recorded Teams meetings comply with GDPR and Information Governance policy. 

NHS cyber-attack back-up plan and incident response

Malware is evolving constantly. Paul Glover likens it to the different variants of Covid-19 during the pandemic and how symptoms changed with each mutation.

He says:

“What antivirus protection used to do was look at the traits of a malware attack, such as its name and location. But what the creators do now is to create it so that it changes every single time it infects a PC. 
“We use next generation antivirus software that looks at the behaviours of the malware instead of looking at the signature. So, if there is strange behaviour it quarantines or isolates that device rather than focusing on the specific signatures and qualities of the malicious piece of software. Modern antivirus firewalls, intrusion prevention systems, antivirus web security and email security help us to stay ahead of the game.”

Backing up data is an important step to keep it safe, as is having an incident response strategy to be as well prepared as possible should the worst occur. 

Paul Glover:

“An organisation might have done all it can to protect itself, but once the malware has found a way past it and you are being attacked, how would you deal with it then?
“We plan for incident response by doing exercises and testing back-up and restore plans, making sure all the users are aware of what is necessary. Our clients can expect to receive extensive support and training on the matter. A client can take all the technology available, but if they don’t have the skillset or resources to manage it, then it creates a bigger problem in some ways.” 

Recognising the threat and where it comes from…

A common perception of a cyber security attack is that of hackers breaking through firewalls to wreak havoc. 

But sometimes the threat can come from close to home.

Paul Glover:

“You’d like to think it wouldn’t happen, but there is a threat that comes from inside an organisation. NHS staff have access to some critical information. Someone could sell data or leak it to the internet.  
“But it could happen unwittingly. Social engineering is another big risk. Hackers can manipulate people to either gain access to information or manipulate an individual into doing things they wouldn’t normally do. So, that could be ringing up a GP site and pretending to be from IT support to gain access to the system, or to gain information. It could be an e-mail trying to steal credentials or trying to get the recipient to open a weaponized document. 
“Staff can be the biggest weakness in an organisation because they don’t have the training on what to look out for, or to understand what the threats are. It could be as simple as spotting spam emails. If you receive an e-mail and don't know the sender, don’t click on any links. Don't open any attachments, it's that kind of mentality you need to adopt.” 

Information Governance – what THIS can offer

All NHS trusts and healthcare organisations receive advice and alerts from the NCSC and NHS Digital’s Data Security Centre to keep clinical and patient data safe by flagging up when vulnerabilities have been detected. NHS mandatory training includes cyber security too. In addition, THIS’ award-winning Information Governance service – an enabling service to ensure data is handled safely and stored securely – provides consultancy, training and learning products to help its healthcare clients handle personal and corporate data legally, securely and efficiently.

THIS holds ISEB qualifications in data protection, information security, risk management and freedom of information. It can ensure compliance with UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018 through its Data Protection Officer service. All services are externally certified to Information Security Management System standards ISO 27001, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.  

Here are some of the other key principles you need to be aware of to help keep data safe: 

General Data Protection Regulations (GDPR) – the Data Protection Act contains a set of principles that organisations, government and businesses must adhere to in order to keep someone’s data accurate, safe, secure and lawful.

The principles ensure data is: 

  • Only used in specifically stated ways. 
  • Not stored for longer than necessary. 
  • Used only in relevant ways. 
  • Kept safe and secure. 
  • Used only within the confines of the law. 
  • Not transferred out of the European Economic Area. 
  • Stored following people’s data protection rights. 

Freedom of Information Act – provides public access to information held by public authorities, which includes the NHS. It does this in two ways:

  • Public authorities are obliged to publish certain information about their activities. 
  • Members of the public are entitled to request information from public authorities, which includes printed documents, computer files, letters, emails, photographs, and sound or video recordings. 

However, the Act does not give people access to their own personal data (information about themselves) such as their health records. 

The Data Security and Protection Toolkit (DSPT) – enables organisations to measure and publish their performance against the National Data Guardian's 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security, and that personal information is handled correctly.

Top cyber security tips for NHS staff

How cyber secure is your organisation? Here is a recap to help you to focus on how prepared you are, and where the threats could come from.

  • What are your most important assets? 
  • What protection do you have in place, how is it layered, and have you invested sufficiently? 
  • Is cyber security training embedded in your organisation? 
  • Do you have the right skills in place? 
  • What types of threats do you face and where from? 
  • How will you detect a cyber-attack and what procedures do you have in place to respond? 
  • How current is your cyber security and how often is it updated? 
  • Are you at risk via a third party? 

With hackers creating ever more sophisticated malware, with social engineering, and even with a cyber security breach unwittingly created by a member of staff, the enormity of keeping data safe is plain to see.


Investing in long-term cyber security for the NHS

The ransomware attack we cited in the introduction to this insight resulted in months of disruption – valuable time that no NHS healthcare organisation can afford to lose. It illustrates the importance of being prepared, and THIS can play a vital role in ensuring robust cyber security for NHS organisations.

The Cyber Security Team is part of THIS’ professional services division, which provides consultancy, training and learning products for the whole of the Information Governance arena. Its operatives reflect NHS values of professionalism, service and accessibility. They are there to explain options, provide solutions and serve diverse clients.  

In addition to its core services, THIS offers bespoke solutions tailored to the needs of each customer. It can combine a number of services into a package and discuss other service solutions that your organisation may benefit from.  

Contact us to discuss your requirements. 
