HSCIC Cyber Security Presented by: Richard Ives - Stakeholder Engagement Manager IGA Conference - 16 Mar 2016

What is Cyber Security? “Refers to the management and application of Information Security standards. Applies to computers, computer networks, and the data stored and transmitted. Also covers physical and personnel security” Actually, its what we’ve always done - must do more of and must do better - it’s a brand 2

Cyber Threat in Health is Growing 3 Data security Incidents by Sector Health sector data security incidents over time Source Information Commissioners Office (ICO) In Q2 2015/16 Data Security Incidents are highest in the health sector compared to other sectors The trend is rising in respect of data security incidents in health

The Actors of Cyber Threat The current analysis of threat to health from the security services: State sponsored - possible - but not a main threat vector Terrorists - conceivable - to be disruptive ‘Bedroom hackers’ - probable - though more interested in defence/security/finance systems Criminals - very likely - to capture financial transaction information and for ID theft Staff - likely - 2.1m in Health & Care: –insider threat - malicious or accidental 4

In the Last 3 Months… 5 Hospital X: Infiltration onto local network; infiltrating 60+ internal servers (some clinical), used as a mail relay and over 2m SPAM s sent from hospital servers. Bedroom Hacker Govt Body Y: Insider, an employee was socially engineered by a journalist to release pseudonymised information on hospital statistics that due to their format could have been re-ID’d. Insider Threat Hospital Z: Malware attack, affecting 100 XP machines and multiple servers. Due to issues caused by data integrity fears, path results disrupted and discharge affected (bed blocking). Criminality

Cyber Security Defence in Depth 6 People Technology Process Correct Security Clearances, Education, Training, Understanding Personal Responsibility and building a security culture Access Controls/Passes, Network Technology, System Access, Patching and Encryption Adherence to robust business processes, defined security policies, incident management process

Enabling not Dictating from the Centre The centre - DH/HSCIC/NHS-E - understands care is delivered locally, as such our role is to enable local organisations to deliver safe and secure processing and use of digital information without dictating. We enable through defence in defence: People: providing training, support and guidance; Process: best practice, trusted advice and remediation; Technology: CareCERT, helping you stay ahead of the threat. 7

People and Process People: Accredited Cyber Knowledge - eg, HCISPP and Creation of Cyber Champions National Cyber Security e-Learning Platform - plus support materials for our staff Process: Launch of the CareCERT Information Sharing Portal Publication of best practice guidance Support to remediate and advise on cyber attacks 8

Technology Implementation of the CareCERT Service: Focusing on providing cyber security intelligence and advice to the health and social care system including mitigation and remediation advice –Contacts are now in place of 93% of all in scope (GPs, CCGs, CSUs including Hubs, NHS Trusts, Local Authorities, Pharmacies via aggregators and Arm Length Bodies) System-wide cyber security incident management - if and when the worst happens Enables a coordinated approach to be taken across health and social care Real Time local threat information at organisation level to inform local organisations of what is happening and what to do 9

CareCERT - What it does 10 BT ATI H&C CERT-UK Gov-CERT N3 Data ALBs DATA, DATA, DATA, DATA, DATA, DATA, DATA, DATA, DATA, DATA, DATA, DATA, 2. Data Analysis by CCERT Team High Risk Medium Risk Low Risk 1. Data is received into CareCERT from Various Sources 3. If a threat could affect H&C, it is triaged for severity Impact Likelihood 4. Broadcast Issued (Type dependent on Severity)

Technology - CareCERT - Broadcast Health and Care Threat Advisories with Remediation sent via appropriate channels … keeping the system ahead of the game … 11 High Severity - Emergency Broadcast Medium Severity - Weekly Broadcast Low Severity - Info Sharing Portal (Feb)

CareCERT - Remediation The importance of the threat advisories are to ensure patient information remains safe and secure - closing vulnerabilities and being proactive before a threat becomes an incident 12 Information Remediation Patient Info Safe & Secure

Future Enablement Our job at the centre is not done and we need to do more: CareCERT+ - opt in service giving first line cyber incident support and steps to take - trusted suppliers and remediation CareCERTified - independent evaluation of organisational cyber preparedness and actions to implement to improve - giving greater situational awareness to individual health and care organisations. 13

One More Thing … or Three Some final advice: Invest in your people - personal responsibility in cyber security is key - and management must make this happen Be part of CareCERT now - CareCERT+ and CareCERTified later this year - it’s free and it’s to help (we’re not a regulator we’re a support function) Don’t fall into the trap that Cyber Security doesn’t affect patient care or patient wellbeing - it does 14

Further Information CareCERT information: currently limited content Queries and CDB contact changes to: CiSP will be expanded from pilot in due course Although - we need to determine the role of this vis a vis the CareCERT Information Sharing Portal 15