The NHS remains a significant target for cyber criminals.  Hackers could be motivated to exploit sensitive patient data or demand money by holding organisations to ransom.  NHS networks could also be affected by indiscriminate cyber warfare attacks.  Case examples of high-profile cyber-attacks include Advanced, ‘WannaCry’,  ‘NotPetya’ and the 2021 Irish Health Service Executive attack.

Everyone in the NHS, including NHS service providers and everyone providing care to NHS patients should, therefore, play their part to ensure that the network is used correctly and equipped to withstand cyber attacks.  This must be in a way which minimises disruption to clinical care and, more importantly, minimises the impact on patients.

Most cyber security breaches can be prevented by simple steps, like making sure staff do not use weak or compromised passwords and checking software systems are updated automatically.

Organisations should have plans in place to detect and eliminate malware within their systems. These plans should include measures to minimise the impact of a security breach and to expedite the organisation’s response.  Organisations should adopt a ‘defence-in-depth’ approach, using multiple layers of defence with various mitigation techniques at each layer to detect malware and prevent it from causing significant harm.

The risks

Cyber-attacks in the UK are increasing with most industry experts thinking it is not a question of ‘if’ but ‘when’ the next large scale cyber-attack will occur.  All staff must, therefore, remain vigilant and take precautions to reduce this threat.

The 2017 WannaCry attack made clear the need for the NHS to improve cyber security to defend against a future attack.  The non-targeted cyber attack infected more than 230,000 computers within a day, in at least 150 countries.  This included infecting 595 NHS GP practices (8% of all surgeries) along with disruption in one-third of hospital trusts in England.  The virus disabled computer systems by encrypting the files and demanding a ransom be paid.  Even unaffected computers needed to be shut down to minimise the risk of them becoming infected.

The main vulnerability for the attack was having software which had not been updated, with affected devices having not installed a recent software patch to the then supported Microsoft Windows 7 operating system.   

Common cyber threats

Common cyber threats that may target NHS staff or patients include junk email or spam, which are irrelevant or unsolicited messages sent via email for the purposes of advertising, phishing, or spreading malware.  

Another threat is malware, which refers to various forms of insecure, intrusive, or hostile computer software, such as viruses, worms, and trojan horses, which are often spread using email.

• Phishing is where an attacker sends a fraudulent message to trick a person into revealing sensitive information or deploying malware on the victim’s computer.
• Smishing, is the act of using SMS text messaging to trick victims into a specific course of action, such as clicking on a malicious link or divulging information.
• Spoofing, which is when emails come with a forged sender address.

Using email safely

When receiving emails, it is important to be vigilant and cautious in order to protect against potential scams or phishing attempts.  One way to check the legitimacy of an email is to hover your mouse over any web addresses that the email is trying to get you to visit to make sure that they appear legitimate and never open any links from unknown senders.

A tactic used by spam emails is to request personal information, including bank account details or account passwords.  It is important to remember that you will never be asked to provide your login details to anyone, so any email requesting such information should be viewed with suspicion.  

Additionally, if an email seems too good to be true or uses any kind of urgency, such as asking you to ‘log in now’, this should raise suspicion of spam.  Other red flags include incorrect grammar and spelling, and suspicious attachments, which should never be opened from unknown sources or even from known sources who don’t usually send attachments.

It is important to check the sender address and ensure that it reflects the official agency or bank that the email claims to be from.  If you are in any way suspicious of the request, you should contact the sender by phone or other established channels to confirm the legitimacy of the sender and the request. It is also important to be cautious if your email address is being used as the ‘From’ address or if the ‘To’ field shows many recipients, particularly if they are unconnected.

Report an email that you suspect to be spam, or suspect may be an attempt to spoof or phish your account to the NHSmail helpdesk.  The options for reporting a suspicious email in the NHSmail support site article ‘Reporting cyber threats‘.

Always exercise extreme caution in replying all, or sending to multiple recipients, especially when the communication contains personal data, as this has resulted in many high profile data breaches.

Follow NHS Guidance for sending secure email (including to patients).

Staying secure online

Everyone should follow the National Cyber Security Centre (NCSC) guidance on staying secure online.

• To protect your email from cyber criminals, use a strong and unique password.
• Avoid reusing passwords as databases of compromised passwords exist. Using three random words is recommended as a way by the NCSC to create a difficult-to-crack password.
• Turn on multi-factor authentication for added security.
• Keep your software and apps updated with the latest security updates and enable automatic updates. Keep your security software patches up to date and run approved anti-virus software.  
• Only use approved software on devices and do not install unapproved plugins or browser extensions.
• Consider password protecting documents you send across the internet. Avoid using your work email address to register on non-work-related websites.

Report any cyber or data security incidents to the NHS Data Security Centre.

Bring your own device

Bring your own device (BYOD) is a local policy that allows staff to use their own personal devices, such as smartphones, tablets, or laptops, for work purposes and securely access the organisation’s systems, applications, and information.  While BYOD can provide greater flexibility, it is important to use caution to prevent the transfer of malware to the NHS network or to ensure the security of NHS data.

To properly implement BYOD, staff should:

• refer to the NHS BYOD guidance
• ensure that devices are maintained as stated in the ‘supported devices’ section
• ensure devices are encrypted
• get authorisation from the local IT department before using their devices

There are some specific security considerations such as using separate accounts on personal devices used for work, using biometric features to secure the device if possible, and reporting lost or stolen BYOD devices to IT as soon as possible.

Staff should not use devices that have had inbuilt security restrictions changed or removed (known as jailbreaking for iPhones and rooting for Android phones) as this circumvents security controls  and may modify the organisation’s BYOD software.  

Staff should also avoid connecting unapproved devices to the corporate network, even though these may be sometimes used on guest networks where available.

Working remotely

It is important to check that home working solutions being used are cyber secure and approved by the NHS.  The layers of network security are naturally reduced when working remotely, so follow the NHS guidance to ensure work remains effective and data remains secure.

• To protect yourself from malicious activity on public Wi-Fi hotspots in coffee shops, hotels, and airports, either work offline and connect later on a more secure network or connect to the internet via your mobile device if it can be configured to act as a hotspot.
• Always keep all your work devices with you when travelling, and never leave them unattended.
• Do not print documents and work on them in public spaces and do use a screen protector to prevent shoulder surfing if you are in public spaces or shared accommodation.
• Keep your work telephone conversations discreet and hold them in a private place if possible.
• Change the admin/default password on your home broadband router and ensure the firmware is up to date.
• Do not allow others, such as family members, to use your devices for personal use.
• Always lock your workstation when away from it and report any incidents as soon as you become aware of them.

Data Security and Protection Toolkit

All organisations that have access to NHS patient data and clinical systems, including all GP practices and other primary care organisations, must use the Data Security and Protection Toolkit (DSPT).  This replaces the NHS Information Governance toolkit as the key NHS data security standard.

The DSPT is an online self-assessment that must be completed annually by NHS organisations.  The detail depends on the category of organisation.  Its use is required under the Integrated Care Board-GP agreement.

There are many benefits of the DSPT. The DSPT is mapped against international standards, including the ISO27001 standard.  This is to make it easier for organisations that wish to undertake best practice to adhere to multiple regimes.

The DSPT also allows the NHS to monitor and target improvement in cybersecurity and aims to drive more cyber-conscious behaviours.  

The cost of maintaining data security is likely to be much less than the cost of cyber-attacks or data breaches.  

Summary of the data security standards (from the DPST)

Data Security Standard 1

All staff must ensure that personal confidential data is handled, stored, and transmitted securely, whether in electronic or paper form.  Personal confidential data is only shared for lawful and appropriate purposes. 

Data Security Standard 2

All staff understand their responsibilities under the data security standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.  Insecure behaviours are reported without fear of recrimination and procedures which prompt insecure workarounds are reported, with action taken.

Data Security Standard 3

All staff complete annual security training.

Data Security Standard 4

Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required.  The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see. 

Data Security Standard 5

Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.

Data Security Standard 6

Cyber-attacks against services are identified and resisted and NHS Data Security Centre advice is responded to.  Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.

Data Security Standard 7

A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

Data Security Standard 8

No unsupported operating systems, software or internet browsers are used within the IT estate.

Data Security Standard 9

A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework.  This is reviewed at least annually. 

Data Security Standard 10

IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the data security standards.

Business continuity and disaster recovery

All NHS organisations must have business continuity plans in place so that they can maintain their services to the public and patients in the event of both large and small incidents.  This could be because of cyber-attack but also loss of services (electricity, heating, water, internet/HSCN, telecommunications), infection outbreaks, staff absence, fire and flood, and the more unlikely scenarios of chemical, nuclear, biological, and radiological attacks/accidents.  

Having business continuity plans in place is a crucial aspect of an organisation’s contractual arrangements as a provider of NHS funded care.  These plans should cover various scenarios such as alternative access to systems, operating without systems, moving the site and continuing care, prioritising care when only skeleton staff is available. 

It should also consider communication methods for different scenarios, backup options, lines of reporting and control, and the help that is available and how to access it.  

The Cyber Security Services Framework offers a complete range of external support services to help NHS and wider public sector organisations manage cyber risks and recover in the event of a cyber security incident. Through design, delivery, testing, governance and assurance, it enables service continuity in patient care by ensuring patient data is secured, and critical services and systems remain available.

Practices may choose to develop their own plans or reach out to their commissioners or local area teams, some of which may have developed template business continuity plans.

GPIT operating model

Under the terms of the GPIT operating model, practices have the following responsibilities for data and cyber security:

• appoint a named partner, board member, or senior employee to be responsible for data and cyber security in the practice
• fully co-operate with on-site cyber security assessments and act on the outcome, including implementing recommendations
• provide urgent out-of-hours contacts and communication routes, as well as access to premises, digital systems, and equipment outside normal working hours
• quickly establish if a personal data breach has occurred in the event of a cyber security incident and promptly report to relevant authorities and affected individuals
• maintain a business continuity plan that includes a response to data security threats
• provide assurance through the annual completion of the general practice Data Security and Protection Toolkit
• seek advice and guidance for developing the digital element of practice business continuity plans as needed
• obtain assurances from third parties that provide infrastructure and data processing services that they have robust disaster recovery plans
• ensure all practice staff complete annual NHS Data security awareness level 1 mandatory training

Integrated care boards/commissioning support units should provide the following support for practices in relation to cyber security:

• procure systems and services that meet cyber security standards
• provide practices with access to specialist advice, including cyber security management and oversight
• offer configuration support, audit, investigation, incident management, and routine monitoring
• implement protective technical and organisational measures to reduce the likelihood and impact of cyber security incidents
• manage high-severity cyber security incidents
• provide oversight for the management of low and medium-severity cyber incidents
• develop disaster recovery and business continuity plans for systems and infrastructure relevant to GP IT services and support practice business continuity plans
• ensure GP IT delivery partners have ISO27001 or meet the Cyber Essentials Plus standards
• provide necessary IT security/cyber evidence to support the requirements of DSPT
• conduct penetration testing to NCSC standards at least annually

What patients need to do

Patients should follow the advice of the NCSC on staying safe online.  

If patients disclose any cyber-attacks to NHS staff, such as phishing or smishing attacks by individuals impersonating the NHS, they should be encouraged to report these scams to the NCSC.

Staff should also report any threats to the NHS Data Security Centre by emailing cybersecurity@nhs.net.   

If patients have lost money or have been hacked as a result of responding to a phishing message, they should report it to the police. In England, Wales, or Northern Ireland, patients can visit www.actionfraud.police.uk or call 0300 123 2040.  In Scotland, they should report it to Police Scotland by calling 101.

Related GPG content

• NHSmail
• Information governance and data protection
• Smartcards and access control (RBAC)
• NHS Care Identity Service 2 (CIS2)
• Social media
• MS Teams and remote working
• Medical devices and digital tools

Other helpful resources

Videos

• NHS Digital, Keep IT confidential campaign | Short videos and cyber security campaign materials for NHS organisations

Websites

• NCSC guidance on how organisations can protect themselves from ransomware attacks

NHS Digital pages

• NHS Digital Cyber security services
• Data Security Centre
• NHS Secure Boundary
• Vulnerability Monitoring Service
• Bitsight – cyber security ratings service
• COVID-19 cyber security support
• Cyber Associates Network
• Phishing emails
• Protecting against cyber attacks
• Procuring and deploying connected medical devices
• Protecting medical devices
• Staying cyber secure while on holiday
• Buying cyber security services

Other

• The Medical Defence Union (MDU), Avoiding email dangers
• NHS Digital, deleting suspicious emails on Outlook web access or Outlook (Desktop version) Permanently deleting suspicious email (by-passing the deleted items folder)
• NHS Digital, guide about warning messages on your email account, Email warning messages
• NHS Digital, emails sent causing a nuisance and how to block them Nuisance emails and blocking senders
• NHS Digital, frequently asked questions for the security on NHSmail Cyber Security FAQ
• NHS Digital, how to report cyber threats from your NHSmail account Reporting Cyber Threats
• Care Quality Commission (CQC), Business continuity arrangements for emergencies and major incidents