With cyber attacks constituting a risk to clinical care, a recent HSJ webinar in association with Sophos argued cybersecurity should be the business of everyone in the NHS. Claire Read reports
When Saif Abed moved from a clinical career into one focused on healthcare digitisation, his initial intention was to explore how digital might improve provision of care. But he soon realised that necessitated consideration of what has since become his specialist area: cybersecurity.
In association with
“Clinical risk and clinical governance has existed for as long as healthcare has been a structured discipline,” points out Dr Abed, director of cybersecurity advisory services at The AbedGraham Group.
“What just happened to materialise from that is we started seeing the data breaches in the US in terms of data being stolen from, in particular, insurance companies. And this thing called ransomware started to emerge on the horizon so I just thought: ‘Well, let me just think, if I was a junior doctor, if I can’t access my top five systems what would happen to my day-to-day activities?’”
The answer, as the 2017 WannaCry attack proved, is serious disruption. It affected more than 80 trusts as well as eight percent of GP practices. “We saw in WannaCry that there were lots of delayed appointments, surgeries, transfers from A&E to other hospitals,” says Saira Ghafur, lead for digital health at the Institute of Global Health Innovation.
“When you can look deeper into it, when you can’t see blood results, if you can’t see scan results, or you can’t see them in real time, if you can’t log in to an electronic health record, if you don’t have the patient’s medication list, that is a delay to patient care. We know what causes patient harm and that [delay] is, in effect, a patient safety issue.”
It means that Drs Abed and Ghafur both argue cybersecurity should now been seen as an urgent patient safety concern. The question that flows from that – and which was at the centre of a recent HSJ webinar supported by Sophos – is what that means for how NHS organisations should tackle the issue.
For Dr Ghafur, it can be summed up in a few words. “Everyone [in healthcare] needs to know that cybersecurity is everybody’s business,” she said.
Effectively sharing that message within an organisation may, however, involve avoiding the ‘c’ word.
“I think the use of the word ‘cybersecurity’ is inherently problematic,” said Dr Abed.
“I deal with executive leadership from a geopolitical level all the way down to a local organisation one. If you walk in and say: ‘I want to talk about cybersecurity,’ they say: ‘Go talk to IT.’ But if you talk about business risk, clinical impact, clinical services, then you are winning at that point [in helping people understand why cybersecurity is relevant].”
It was a point echoed and reinforced by Jonathan Lee, director of public service at Sophos. He reported that cybersecurity products and services can often be viewed as something to be invested in grudgingly “because it’s not seen as a frontline thing”. “When in actual fact, without it, you can’t have frontline care in an effective way in a digitised environment,” he said.
And while board understanding of this is crucial, maintaining security is a matter of involving staff at all levels. That includes clinicians, an area on which Douglas Hamandishe is particularly focused.
Not just an IT issue
Mr Hamindishe, a chief clinical information officer, has a background as a mental health nurse, and is the Royal College of Nursing expert representative for IT and digital development. And he feels strongly that engagement of clinical staff in cybersecurity issues is key.
“Reach out and engage your workforce,” he urged healthcare leaders. “Establish where they are in understanding what cybersecurity is. Do some debunking exercises, do some workshops, do whatever it takes to engage your workforce. Don’t sit in ivory towers and drip feed information; you need to get your hands dirty, get down and dirty with your clinical teams and your social care teams.”
With levels of digital maturity varying between NHS organisations, it is likely that some board members will feel better equipped than others to lead on this agenda. That means that, when asked to give practical advice to boards on how best to lead on this issue, Dr Abed offered a very practical suggestion.
“If a board is serious about being held accountable and addressing cybersecurity or risk management as their strategy they should appoint a non-executive director who’s a senior risk and security expert,” he argued.
“Because that person will be there to hold them to account on that subject and it will be minuted and it will be documented and it’ll become real, at that point, having someone holding you to account who is on your side, actually.”
No matter how leaders choose to address the cybersecurity agenda, what was clear from the webinar is that it is one that must be addressed if patient safety is to be maintained.
“The more we are relying on digital to deliver healthcare, [the more] we need to make sure that we have cybersecurity as a key part of maintaining the resilience in healthcare to ensure that we’re not causing any patient harm,” said Dr Ghafur.
“From c suite level down to frontline clinicians, everyone who’s using any form of digital technology in a hospital or in a primary care or social care setting needs to recognise the risk that’s involved. Everybody needs to recognise that this is everyone’s problem and not just an IT issue.
“Cybersecurity is not the coolest thing to talk about. But we need to have this front and centre.”
An on demand version of this webinar is available.
If you had already registered for the event, visit here.
For those who have yet to register, visit here and scroll to the foot of the page to complete the form. Details of how to access the on demand recording will then be sent to you via email.