Cheshire and Merseyside Health and Care Partnership has taken part in the NHS’s first pro-active planning event around a possible cyber security breach.
It comes following a series of threats and the WannaCry attack, which took down a number of NHS systems across the UK.
Here they explain how they were put through their paces by Gemserv.
It’s 8am, and IT’s in for a tough day…
Cheshire and Merseyside Health and Care Partnership wanted to find out how well it would stand up to a cyber-attack. So, it asked Gemserv Health to put together a scenario-based response exercise that started with some seriously bad news – but uncovered a lot of useful information.
It’s 8am and it was a nice day until you turned on the radio. The news has just started, and the lead story is that a video has been released showing a group of NHS leaders making worrying remarks about a Covid-19 vaccine.
They seem to be suggesting that safety issues are being covered up, and the share price of the vaccine maker has crashed 10% overnight. The phone starts ringing. It’s a press officer wanting to know what IT is going to do about this leak, or fake, or whatever it is…
Cyber-attacks spread, fast
This is the scenario that greeted 22 heads of IT in Cheshire and Merseyside in Spring 2021. It was constructed by Gemserv Health with input from Cheshire and Merseyside Health and Care Partnership to find out how the integrated care system would respond to a cyber-security incident.
Paul Charnley, Digital Lead for the ICS explained that the commissioners, councils, hospitals and other providers in the area have their own policies and procedures in place. But the ICS didn’t have an overarching response that was tested and ready to use:
“NHS Digital has a data protection toolkit that requires every organisation to plan for and rehearse its response to a cyber-attack, but one of the things that we learned from WannaCry is that a cyber-incident can impact a large geography very quickly,” he says. “We need to be able to coordinate.
“The exercise that we ran really brought that to life. It was very salutary and very helpful, and it has given us a lot to think about. We have learned a lot since WannaCry, but we are in an arms race with the hackers and we’ve still got more to do.”
Learning from WannaCry
WannaCry was the worldwide ransomware attack launched in May 2017. It didn’t target the NHS, but the National Audit Office estimated that 34% of trusts in England were impacted anyway.
One reason was that the NHS employs a lot of people; with 1.3 million staff, it had a lot of malicious emails to contend with. Another was that WannaCry spread through older, unpatched Windows systems; and the NHS had a lot of those in computers and medical devices.
However, a third problem was that there was no coordinated fight-back. The NAO reported that the Department of Health had been working on a plan, but it hadn’t been tested at a local level, so “it was not immediately clear who should lead the response and there were problems with communications.”
Some trusts couldn’t be reached by email “because they had been infected by WannaCry or had shut down their email systems as a precaution”, leaving a mix of switchboards, mobiles and WhatsApp as the only way through.
Only as strong as the weakest link
“After WannaCry, we swore that we would work more closely together, under the tagline: ‘we are only as strong as our weakest link’,” added Charnley.
The 22 heads of IT in the area agreed to standardise their policies and procedures, and to pool any funds made available by the NHS, to make the money go further. Cheshire and Merseyside HCP is now working with NHS Digital on a target cyber-security architecture and on a procurements process to deliver the strategy.
This has enabled individual organisations to work to a standard on one of two security information and event management systems: one medical device protection product; and one single sign-on product to give staff secure access to clinical and administrative systems.
“We have worked on our strategy and then we have moved to manage our supplier market and our procurement teams to buy in harmony with that,” continued Charnley.
“Gemserv has supported both the policy and the business models.”
Finding the gaps
Cheshire and Merseyside HCP is better protected against a cyber-attack than it was five-years ago; but the mantra of cyber-security is not to ask “if” a cyber-incident is possible but “when” one will occur.
The scenario-based exercise was designed to find out how ready the ICS is to deal with an attack; and whether IT leaders across the patch are clear about who will lead the response and how they should communicate with each other.
Before Covid-19 arrived, the ICS had been looking to run a physical event, but because of the pandemic it moved to Microsoft Teams. Five virtual break-out rooms were set up for organisational teams to use, and the scenario was fed to them.
As the event went on, the teams also received ‘injects’ of information to take the scenario in a different direction and test their ongoing responses. They got some ‘good’ news: the video didn’t feature local executives and was instead a ‘deepfake’. They also received some ‘bad’ news: one of the executives who had been deep-faked had also been spear phished. His email and that of his contacts had been targeted. A route was open for a ransomware attack.
Not if, but when
Charnley said that on the day of the cyber scenario event, years of hard work in Cheshire and Merseyside paid off. IT teams were able to mount a more coordinated and coherent response to the Gemserv scenario than they were to WannaCry.
They also had better tools to use. However, the exercise showed there were gaps to fill. The area turned out to be short of some specific cyber-security expertise out of hours. There were still questions about how decisions would be made that were big enough to require sign-off from Government departments in London or the NHS’s central bodies in Leeds.
It emerged that health and local authority incident response planners needed a cyber playbook to put alongside the playbooks they have for dealing with train wrecks, chemical spills or even nuclear incidents. Gemserv Health is now helping to write one, and when it is ready, Charnley wants to test it by running the exercise again.
“Gemserv told us that the military builds things and then attacks them,” he said.
“It costs millions of pounds. We don’t have that kind of money, but we can learn a lot this way. I want to do this every six-months – certainly every year – and I think every ICS should be planning to do the same.
“I’d definitely encourage others to follow this model and this approach. We wanted to work with an external partner because it’s easy to be insular or to play to your strengths in these exercises. Having an external view was very helpful. It gave us a lot of things to think about.”
Staying on top of the game
Prior to the event, Gemserv used its expertise in working across many different public sector and private organisations to create a policy and process document for Cheshire and Merseyside HCP to adopt. It liaised with the ICS’s leaders and NHS Digital to develop a bespoke and realistic multi-pronged scenario.
“This was the first time a cyber-breach and response scenario of this kind has been done at ICS level in the NHS,” stated Andy Green, Gemserv’s Chief Information Security Officer. “We went from looking at a damage limitation perspective to a malicious insider to a full-blown cyber-attack.”
NHS colleagues from other ICSs around the country also took part, to consider their own emergency preparedness procedures.
“It’s a continual challenge to stay abreast of what’s happening and it’s an asymmetric problem, unfortunately,” added Green. “Unfortunately, the attackers only need to be successful one time in 100, whereas the defenders need to be on their game 100 times out of 100, so it’s an unequal game of cat and mouse.”