NHS cyber security lessons arising from the worldwide ransomware attack that began on 12 May are already prompting much debate for the NHS, much of which focuses on the failure of affected organisations to ensure adequate levels of investment in IT systems to mitigate the risk of such an event.
The ransomware (WannaCry) spread by exploiting a vulnerability in Microsoft's SMBv1 implementation, for which Microsoft had issued a patch (MS17-010) in March for the versions of Windows it still supported. Windows XP, out of support since April 2014, received no fix until Microsoft released an emergency patch for it after the attack had begun. The biggest news headlines here in the UK concerned the impact this had on the NHS, with a great many organisations appearing to have been caught out by unpatched or unsupported Windows estates, Windows XP in particular.
As is the case when the public sector suffers an adverse event, the call goes out for lessons to be learned, usually with an assumption that these are all new, but inevitably there will be those lessons that have already been learned, but just not put into practice.
Those who have been around NHS IT for a while will remember the last Labour government's implementation of the National Programme for IT (NPfIT), tasked with delivering a standard national NHS IT system. Regardless of what is thought about the success or failure of the programme, it left a lasting legacy long after it was cancelled.
Not least among those NHS organisations that had progressed to implementing NPfIT systems and solutions and, in doing so, had tied themselves to technology standards defined by the programme that could not easily be changed. In the commentary following the ransomware event it has been highlighted that the legacy of NPfIT Windows XP implementations was the reason so many organisations were adversely affected.
In September 2011, the government announced the acceleration of the dismantling of the National Programme for IT*. Whilst at the time the impact of this decision was not significant, because NPfIT technology was still current and thus supported by providers, it should perhaps have been better recognised that this state was not sustainable in the long term. Especially so for Windows XP, because its successor, Windows 7, was already available (released October 2009) and being adopted across health in non-NPfIT environments.
Things finally came to a head for XP when Microsoft announced that it would be ending patching and maintenance support for the platform in April 2014. Thankfully, acknowledging that there was still a dependency on this platform, the government took steps and signed an extraordinary deal with Microsoft** that secured continued support for XP across the UK public sector for another 12 months.
Critically, a condition of this agreement, was that any public sector body wishing to take advantage of this extended support arrangement, had to commit to development of a “robust plan” to move off Windows XP, Office 2003 and Exchange 2003 within the year.
Roll forward to 2015 and the next government decision on the matter was just as they had advised: that they would be closing down this extraordinary support arrangement***, and, it has to be said, for good reason, on the basis that continued central government funding of this deal was not consistent with the need to encourage organisations to urgently upgrade or migrate.
The question here, however, has to be: “was it reasonable to expect trusts to be able to find the funds for wholesale upgrade of unsupported operating systems in such a short time frame (this being equivalent to a single financial year)?”
To further compound matters at the time, NHS organisations had been shielded from the full cost of wholesale systems upgrades throughout the time of NPfIT. A national licensing deal with major suppliers like Microsoft removed the need for software costs to be met locally by NHS organisations****.
It is accepted best practice that when a pre-existing programme or project is to be closed down, an impact assessment of the consequences should be undertaken. Not least so that the risk can be properly understood and adequate mitigations planned. If nothing else there is nearly always a financial consequence to closing programmes and projects and this is a very good example of one.
The NPfIT programme along with central licensing deals transformed the model of IT investment within the NHS for a decade. Switching these off and closing down the national deals the programme created was inevitably going to have consequences for participating organisations.
Some will argue that the implementation of the extraordinary support arrangements for legacy software was an act of risk mitigation. However, was it reasonable in 2014 to expect affected organisations to plan and implement an upgrade or migration off XP in a single financial year, without any additional financial support being provided?
The NHS had already been managing financial pressures for a good number of years before the decision to end XP support was taken. Certainly long enough for organisations to flag this as a risk of significance: that without additional and extraordinary financial support there was no way they were going to be able to take the steps needed to address the situation.
In summing up, it is clear that although the NPfIT national licensing deals themselves had been closed down some years earlier, in 2010, the impact of this decision on local investment plans going forward was never properly quantified or understood, and that further opportunities to address this in 2015 were missed, and so on all the way up to 12 May this year, 7 years on!
As an acknowledged risk, the XP issue should have been raised on the Information Governance (IG) Risk Register and flagged as a serious concern to the Senior Information Risk Owner, a role which by now, as a result of improvements to NHS IG standards, is assigned to a senior management representative on the board of the organisation.
Additionally, given the dependence on technology in meeting clinical outcomes, the risk should have also featured on the Clinical Risk Register, which would have flagged it up to the Chief Medical Officer, also a member of the board.
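What a risk register entry needs, and what the board papers discussed below never contained, is a number: how many machines are out of support, how many are missing the MS17-010 fix for the SMBv1 flaw WannaCry spread with, and how many still have SMBv1 switched on. As an added example (not from the original article, and not an NHS or Microsoft tool), the following Python script performs that triage over a constructed asset inventory. The CSV layout, the invented hostnames and the smb1_enabled column are assumptions about what an asset-management export would contain; the support-end dates and KB numbers are Microsoft's published ones.

```python
"""Triage a Windows estate for WannaCry-class exposure (added example).

Not an NHS or Microsoft tool. The inventory format is a constructed CSV
of the kind most asset-management tools can export, with one assumed
column, smb1_enabled, recording whether the SMBv1 protocol is switched on.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Extended-support end dates; 8 April 2014 is the XP date the article discusses.
SUPPORT_END = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Updates carrying the MS17-010 fix for the SMBv1 flaw WannaCry spread with.
# Released March 2017 for supported Windows; KB4012598 was re-issued for
# XP and Server 2003 on 12 May 2017, after the outbreak had started.
MS17_010_KBS = {
    "Windows XP": {"KB4012598"},
    "Windows Server 2003": {"KB4012598"},
    "Windows 7": {"KB4012212", "KB4012215"},          # security-only / monthly rollup
    "Windows Server 2012 R2": {"KB4012213", "KB4012216"},
}

OUTBREAK_DATE = date(2017, 5, 12)

# Constructed sample inventory (hostnames are invented); KBs are ';'-separated.
SAMPLE_INVENTORY = """\
hostname,os,installed_kbs,smb1_enabled
ward-pc-01,Windows XP,,yes
ward-pc-02,Windows XP,KB4012598,yes
lab-pc-07,Windows 7,KB3125574,yes
lab-pc-08,Windows 7,KB4012215,no
dc-01,Windows Server 2012 R2,KB4012216,yes
"""


@dataclass
class Finding:
    hostname: str
    os: str
    supported: bool          # still receiving security updates on the as-of date
    ms17_010_applied: bool   # one of the MS17-010 KBs for this OS is installed
    smb1_enabled: bool
    rating: str
    reason: str


def _rate(supported: bool, patched: bool, smb1: bool) -> tuple[str, str]:
    """Rank a host; the first rule is exactly the condition WannaCry needed."""
    if smb1 and not patched:
        return "critical", "SMBv1 reachable and MS17-010 missing: wormable"
    if not patched:
        return "high", "MS17-010 missing; one config change away from exposed"
    if not supported:
        return "high", "out of support: this fix arrived late, the next will not arrive"
    if smb1:
        return "medium", "patched but legacy SMBv1 still enabled"
    return "low", "patched, supported, SMBv1 disabled"


def triage(inventory_csv: str, as_of: date) -> list[Finding]:
    """Parse the inventory and rate every host as of the given date."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        os_name = row["os"].strip()
        kbs = {k.strip().upper() for k in row["installed_kbs"].split(";") if k.strip()}
        supported = as_of < SUPPORT_END.get(os_name, date.max)
        patched = bool(kbs & MS17_010_KBS.get(os_name, set()))
        smb1 = row["smb1_enabled"].strip().lower() == "yes"
        rating, reason = _rate(supported, patched, smb1)
        findings.append(Finding(row["hostname"].strip(), os_name, supported,
                                patched, smb1, rating, reason))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count hosts per rating: the figure a risk register entry should carry."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rating] = counts.get(f.rating, 0) + 1
    return counts


RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def risk_register_lines(findings: list[Finding]) -> list[str]:
    """Tab-separated entries for every critical/high host, worst first."""
    worst = [f for f in findings if RATING_ORDER[f.rating] <= RATING_ORDER["high"]]
    worst.sort(key=lambda f: (RATING_ORDER[f.rating], f.hostname))
    return [f"{f.hostname}\t{f.os}\t{f.rating}\t{f.reason}" for f in worst]


def triage_sample() -> list[Finding]:
    return triage(SAMPLE_INVENTORY, OUTBREAK_DATE)


if __name__ == "__main__":
    results = triage_sample()
    print(summarise(results))
    print("\n".join(risk_register_lines(results)))
```

Two points in the ranking are worth noting. A patched XP machine still rates "high": MS17-010 reached XP only because Microsoft made an exception, and the next flaw will get no such fix, which is the article's argument about unsupported platforms in one line. And a supported, unpatched machine with SMBv1 disabled rates "high" rather than "low", because a single configuration change would turn it into the critical case.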
Just a cursory glance at most organisations' annual reports and board papers will expose the fact that IT barely gets a mention; certainly any reviewer will be hard pressed to find any mention of XP specifically in the dealings of the boards of any of the organisations affected, at any stage of the period during which this was an ongoing concern.
This therefore exposes a potentially bigger issue in that information technology investment and dependence is not a matter adequately represented at the board level, then or now.
This is clearly a matter of concern, given that the recent event exposed how critically the service's primary function, the delivery of treatment and care, depends on information technology.
Frustratingly, some of the commentary on the event included the phrase “IT is not the primary business of the NHS”, suggesting that it is therefore not the NHS's responsibility to ensure the reliability and safety of the tools it uses to deliver care. This is clearly nonsense.
It is perhaps partly this attitude that has excluded proper IT representation at board level. Given the next stage of investment required and proposed by “paperless at the point of care” and “integrated digital health and care” plans, and the additional dependence on technology this will deliver, it is now time for IT to have a seat at the top table.
The NHS has an excellent online tool and system of guidance and assessment addressing information systems, security and good practice management standards (the NHS Information Governance Toolkit). The tool is well established, having been in use for more than 15 years, with NHS organisations' status reports openly published and available for review.
In April 2014, in a blog article entitled Patient Record Access – A Perspective 2 Years On, I set out the more fundamental data protection and information governance challenges that the NHS needed to address to maximise the benefits potential of digital engagement. Not long after, the original 2015 target for achieving patient record access was deferred to 2018 and linked to the “paperless at point of care” requirement.
Then and still today, technology innovation is widely acknowledged and accepted to be the primary method by which transformation of current health and social care models, and opportunities to deliver service effectiveness improvements and efficiencies at a substantial scale (£20bn+) going forward is to be achieved.
NHS 2020 digital roadmaps across the country outline ambitious plans addressing the technology integration and innovation requirements needed to achieve “paperless at the point of care” and the “integrated digital health and care record”. The levels of investment are significant, but then so is the benefits potential. For the first time in the history of health and social care, the technology to support transformation to a more pro-active and well-being orientated model is available.
Success, however, will be heavily dependent on the digital engagement of patients and their carers and how effectively this is achieved. In this respect information governance will be a key deliverable and a factor in how much and how quickly the benefits of patient digital engagement are secured and maintained going forward. Patients will need ongoing assurance that digital engagement is safe, and that their right to privacy is being properly protected.
Of the 33 major NHS organisations (community and acute hospitals) identified to have been affected, all have reported a “satisfactory” rating in the information governance self-assessments completed in March this year, in particular for the following requirements:
| Requirement | Information Security Assurance |
| --- | --- |
| 14-301 | A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed |
| 14-307 | An effectively supported Senior Information Risk Owner takes ownership of the organisation's information risk policy and information risk management strategy |
| 14-309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place |
| 14-310 | Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error |
| 14-311 | Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code |
| 14-313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely |
The recent CyberSecurity event serves to remind the NHS, that despite all the good work done in the development of the information security and governance standards and despite all the resources that have been provided to help organisations get good at this, there is so much more to be done, and this too is going to require additional investment at the local organisational level.
Links to Articles
By 2018 patients should have access to their medical records online. By 2020 this should have evolved into a digital patient engagement solution as health and social care achieves “paperless at the point of care” working practices. But is it just about engagement, or should we be preparing more for active participation in, and ownership of, health concerns and issues?
The concern most often shared with me is that the NHS 2020 digital proposals are still not making adequate plans to exploit, at the earliest opportunity, what Internet of Things (IoT), wearables and assisted living technologies offer.
The current focus is on resolving internal data integration and data flow issues, which do need resolving, and there are clinical and information governance concerns as well as care benefits to be addressed. But whilst these in the main deliver service quality and improved workflow for people already in the system, their support for delivery of a transformed and more sustainable service delivery model is limited.
Transformation of the service delivery model and improvement in future sustainability of any significance for health and social care, is largely dependent on the digital patient engagement (or better – participation) and capabilities delivered by technology innovation incorporated to support pro-active participation. The opportunity and benefits potential is significant, when the service delivery model evolves from one that is largely re-active and after the fact, to an alternative and more sustainable pro-active and well-being orientated model.
These benefits are only going to be enhanced by any ability to integrate and exploit technology innovations and automation delivered by IoT, wearables, assisted living and health and care / well-being monitoring innovations and solutions. Adoption of these technologies will increase as they become more capable and with this increase the range of proactive information and data supporting opportunities for further cost saving interventions and / or preventions will also increase.
Consequently the long-term objective of any digital health and care engagement solution should be to provide the means to help us live well and, if we are unfortunate enough to have one or more long-term chronic conditions or a disability, to be empowered to manage our situation as much and as well as we can. It is never just about us as individuals, though: pretty much all of us care for, or are cared for by, somebody else. So we should be able to gain access to others' information too.
All of the above inevitably leads to an explosion of information becoming available, and of the most personal and sensitive kind! Consent, data ownership / management quickly become the most important considerations in any engagement solutions design that needs to be open to accommodate future technology innovations delivering on the pro-active health and well-being opportunity.
It is, however, widely acknowledged that local developments and deployments are not being guided by a core common engagement and consent model or by universal data flow and integration standards. Of concern, consequently, is that progress towards a better model of health and care continues with massive variations in capability, delivered differently across regions.
Until the need for core common standards on data consent, governance and interoperability is fully addressed, the participation of patients and citizens in digital solutions will likely remain inhibited, and the opportunity to achieve the £20bn of universal benefits from a transformed service delivery model by 2020 will very likely remain an elusive and much less assured target than it could otherwise be.
Article produced in response to news item Health wearables firm Fitbit holds talks with NHS published by Digital Health
Cybathlon, the first Olympic Games for bionic athletes, was hosted on 8 October 2016 in Kloten, Switzerland. This world premiere saw 74 international disabled athletes, kitted out with bionic prostheses and brain-computer interfaces, compete with each other in specially created events. These modern-day cyborgs from 25 different countries competed in 59 different teams.
The initiative was launched by Robert Riener, a professor of sensory-motor systems at ETHZ. “One of the goals of the cybathlon is to encourage researchers and developers to work on robotic technologies that can substantially improve daily life for people with disabilities.”
The unique competition for people with disabilities will continue!
The six disciplines from 2016; Brain-Computer Interface Race, FES Bike Race, Powered Arm Prosthesis Race, Powered Leg Prosthesis Race, Powered Exoskeleton Race, Powered Wheelchair Race, will remain in the Cybathlon 2020 programme. The tasks will continue to be relevant to everyday life, but will reflect advances in research. The main goal of the Cybathlon 2020 is to push the development of assistive devices for people with disabilities.
Due to the very successful Cybathlon event in 2016 and the feedback received, the Organising Committee plans an even bigger event, breaking it up into two days. There will also be an attractive secondary programme, wherein the visitors can try out the disciplines for themselves (hands-on demos) and understand the issues surrounding disability in a practical way.
Healthcare technologies that have the potential to really shape the way medicine and healthcare are practised and delivered are explored in this video by Dr. Bertalan Mesko, PhD, The Medical Futurist: author, keynote speaker, geek doctor with a PhD in genomics and science fiction fanatic, who shares his thoughts on his favourite technologies.
More from Dr Mesko can be found at https://www.youtube.com/user/medicalfuturist/featured
The Internet and digital technologies are transforming our world – in every walk of life and in every line of business. Europe must embrace the digital revolution and open up digital opportunities for people and businesses. How? By using the power of the EU’s Single Market. Today, the European Commission unveiled its detailed plans to create a Digital Single Market, thereby delivering on one of its top priorities.
At present, barriers online mean citizens miss out on goods and services: only 15% shop online from another EU country; Internet companies and start-ups cannot take full advantage of growth opportunities online: only 7% of SMEs sell cross-border (see Factsheet for more figures). Finally, businesses and governments are not fully benefitting from digital tools. The aim of the Digital Single Market is to tear down regulatory walls and finally move from 28 national markets to a single one. A fully functional Digital Single Market could contribute €415 billion per year to our economy and create hundreds of thousands of new jobs.
The Digital Single Market Strategy adopted today includes a set of targeted actions to be delivered by the end of next year (see Annex). It is built on three pillars: (1) better access for consumers and businesses to digital goods and services across Europe; (2) creating the right conditions and a level playing field for digital networks and innovative services to flourish; (3) maximising the growth potential of the digital economy.
Commission President Jean-Claude Juncker said: “Today, we lay the groundwork for Europe’s digital future. I want to see pan-continental telecoms networks, digital services that cross borders and a wave of innovative European start-ups. I want to see every consumer getting the best deals and every business accessing the widest market – wherever they are in Europe. Exactly a year ago, I promised to make a fully Digital Single Market one of my top priorities. Today, we are making good on that promise. The 16 steps of our Digital Single Market Strategy will help make the Single Market fit for a digital age.”
Vice-President for the Digital Single Market Andrus Ansip said: “Our Strategy is an ambitious and necessary programme of initiatives that target areas where the EU can make a real difference. They prepare Europe to reap the benefits of a digital future. They will give people and companies the online freedoms to profit fully from Europe’s huge internal market. The initiatives are inter-linked and reinforce each other. They must be delivered quickly to better help to create jobs and growth. The Strategy is our starting point, not the finishing line.“
Commissioner for the Digital Economy and Society Günther H. Oettinger said: “Our economies and societies are going digital. Future prosperity will depend largely on how well we master this transition. Europe has strengths to build on, but also homework to do, in particular to make sure its industries adapt, and its citizens make full use of the potential of new digital services and goods. We have to prepare for a modern society and will table proposals balancing the interests of consumers and industry.”
The Digital Single Market Strategy sets out 16 key actions under 3 pillars which the Commission will deliver by the end of 2016:
The Commission will propose:
1. rules to make cross-border e-commerce easier. This includes harmonised EU rules on contracts and consumer protection when you buy online: whether it is physical goods like shoes or furniture; or digital content like e-books or apps. Consumers are set to benefit from a wider range of rights and offers, while businesses will more easily sell to other EU countries. This will boost confidence to shop and sell across borders (see Factsheet for facts & figures).
2. to enforce consumer rules more rapidly and consistently, by reviewing the Regulation on Consumer Protection Cooperation.
3. more efficient and affordable parcel delivery. Currently 62% of companies trying to sell online say that too-high parcel delivery costs are a barrier (see the newly released Eurobarometer on e-commerce).
4. to end unjustified geo-blocking – a discriminatory practice used for commercial reasons, when online sellers either deny consumers access to a website based on their location, or re-route them to a local store with different prices. Such blocking means that, for example, car rental customers in one particular Member State may end up paying more for an identical car rental in the same destination.
5. to identify potential competition concerns affecting European e-commerce markets. The Commission therefore launched today an antitrust competition inquiry into the e-commerce sector in the European Union (press release).
6. a modern, more European copyright law: legislative proposals will follow before the end of 2015 to reduce the differences between national copyright regimes and allow for wider online access to works across the EU, including through further harmonisation measures. The aim is to improve people’s access to cultural content online – thereby nurturing cultural diversity – while opening new opportunities for creators and the content industry. In particular, the Commission wants to ensure that users who buy films, music or articles at home can also enjoy them while travelling across Europe. The Commission will also look at the role of online intermediaries in relation to copyright-protected work. It will step up enforcement against commercial-scale infringements of intellectual property rights.
7. a review of the Satellite and Cable Directive to assess if its scope needs to be enlarged to broadcasters’ online transmissions and to explore how to boost cross-border access to broadcasters’ services in Europe.
8. to reduce the administrative burden businesses face from different VAT regimes: so that sellers of physical goods to other countries also benefit from single electronic registration and payment; and with a common VAT threshold to help smaller start-ups selling online.
The Commission will:
9. present an ambitious overhaul of EU telecoms rules. This includes more effective spectrum coordination, and common EU-wide criteria for spectrum assignment at national level; creating incentives for investment in high-speed broadband; ensuring a level playing field for all market players, traditional and new; and creating an effective institutional framework.
10. review the audiovisual media framework to make it fit for the 21st century, focusing on the roles of the different market players in the promotion of European works (TV broadcasters, on-demand audiovisual service providers, etc.). It will as well look at how to adapt existing rules (the Audiovisual Media Services Directive) to new business models for content distribution.
11. comprehensively analyse the role of online platforms (search engines, social media, app stores, etc.) in the market. This will cover issues such as the non-transparency of search results and of pricing policies, how they use the information they acquire, relationships between platforms and suppliers and the promotion of their own services to the disadvantage of competitors – to the extent these are not already covered by competition law. It will also look into how to best tackle illegal content on the Internet.
12. reinforce trust and security in digital services, notably concerning the handling of personal data. Building on the new EU data protection rules, due to be adopted by the end of 2015, the Commission will review the e-Privacy Directive.
13. propose a partnership with the industry on cybersecurity in the area of technologies and solutions for online network security.
The Commission will:
14. propose a ‘European free flow of data initiative‘ to promote the free movement of data in the European Union. Sometimes new services are hampered by restrictions on where data is located or on data access – restrictions which often do not have anything to do with protecting personal data. This new initiative will tackle those restrictions and so encourage innovation. The Commission will also launch a European Cloud initiative covering certification of cloud services, the switching of cloud service providers and a “research cloud”.
15. define priorities for standards and interoperability in areas critical to the Digital Single Market, such as e-health, transport planning or energy (smart metering).
16. support an inclusive digital society where citizens have the right skills to seize the opportunities of the Internet and boost their chances of getting a job. A new e-government action plan will also connect business registers across Europe, ensure different national systems can work with each other, and ensure businesses and citizens only have to communicate their data once to public administrations, that means governments no longer making multiple requests for the same information when they can use the information they already have. This “only once” initiative will cut red tape and potentially save around €5 billion per year by 2017. The roll-out of e-procurement and interoperable e-signatures will be accelerated.
The Digital Single Market project team will deliver on these different actions by the end of 2016. With the backing of the European Parliament and the Council, the Digital Single Market should be completed as soon as possible.
Jacob Kohnstamm – Chairman of the Executive Committee of the International Privacy Conference
Drudeisha Madhub – Chairwoman of the Mauritius Data Protection Office
The internet of things is here to stay. Ever more devices are connected to the internet and are able to communicate with each other, sometimes without the user being aware such communications take place. These devices can make our lives much easier. For example in healthcare, transportation and energy the connected devices can change the way we do things. The internet of things however, can also reveal intimate details about the doings and goings of their owners through the sensors they contain.
Self determination is an inalienable right for all human beings. Personal development should not be defined by what business and government know about you. The proliferation of the internet of things increases the risk that this will happen.
The assembled data protection and privacy commissioners have therefore discussed the possibilities of the internet of things and its consequences during the 36th International Privacy Conference held in Balaclava, Mauritius on 13 and 14 October 2014.
Four speakers representing both the private sector and academia presented the Commissioners with the positive changes the internet of things may bring to our daily lives as well as the risks. The speakers also took stock of what needs to be done in order to ensure the continued protection of our personal data as well as our private lives.
The subsequent discussion led to the following observations and conclusions:
Mauritius Declaration on the Internet of Things from the 36th International Conference of Data Protection and Privacy Commissioners
Have a digital project idea you would like help with? Then check out the services available from eCulture Solutions.