Cybersecurity in the health sector

Stephen Jenkins


Our NHS clients are becoming more connected. With the advance of the internet of things, automation and communications, the threat of a cyber-attack on business critical systems is becoming more severe.

Data has become a currency, with personal data being exceptionally lucrative. New legislations are holding organisations to account for the security of personal data with powers to impose significant fines on organisations if found in breach. The opportunity, therefore, for an external or internal threat to carry out these attacks for either personal gain or to damage an organisations reputation has significantly increased.

Ciaran Martin, the Head of the National Cyber Security Centre, has warned:

I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack."

What’s happening and why?

The threat to the UK, its Critical National Infrastructure (CNI) and crowded spaces is increasing; the media is constantly reporting of physical, cyber-attacks and data breaches.

We have already seen a fairly simple cyber-attack have a huge impact on the NHS (WannaCry May 2017); this attack was not sophisticated but personified a cyber ‘virus’ as it spread uncontrollably across the NHS. Only the NHS trusts that had adhered to Government advice were unaffected.

On a NAO report on the NHS Wannacry incident Sir Amyas Morse, comptroller and auditor-general of the NAO, described it as:

A relatively unsophisticated attack which could have been prevented by following basic IT security best practice."

The NHS is part of our CNI; organisations within these sectors have a responsibility (which is enforced by the Centre for Protection of National Infrastructure (CPNI)) to ensure they have robust physical, cyber and data security policies, procedures and technical solutions in place to help prevent an attack.  Nothing is 100% secure but adding ‘layers’ of security and having robust systems in place that protect critical BAU systems and data is sacrosanct.

But it is not just to our CNI where the threat has increased; we have unfortunately seen a rise, globally, of attacks on public and crowded spaces. These attacks are often difficult to prevent so the layers of protection around the built environment are critical to be able to minimise and contain an attack.

New Legislation on cybersecurity

To help prevent another ‘Wannacry’ the UK Government has introduced new legislation – The Network and information Systems (NIS) Directive. The Directive became effective on the 10th May 2018.  This Directive does not affect all CNI assets; this may change in the future as the various CNI Sectors become more ‘aware’ of their cyber health.  The Directive does affect what the UK Government has highlighted as ‘Operators of Essential Services’ (OES).

These OESs have been broken down into either whole or part CNI Sectors and are:

  • Drinking Water - supply and distribution
  • Energy – Electricity, Oil and Gas
  • Health
  • Transport – Maritime, Air, Rail, Road
  • Digital Service Providers (DSP) – TLD Name registries, Domain Name Service providers, Internet Exchange Point operators.

Fundamentally there are four main objectives each OES must adhere to:

  • Objective 1 - Manage security risk
  • Objective 2 – Defending Systems against Cyber Attack
  • Objective 3 – Detecting Cyber Security Events
  • Objective 4 – Minimising the impact of Cyber Security Incidents

So what?

In May 2018, The Department of Health and Social Care (DHSC) released their guide for the NIS Directive for the Health Sector in England. DHSC is responsible for overseeing the operation for the NIS Directive within the Health Sector with NHS Digital responsible for the production of guidance for operators and technical support to the Department. Failure to adhere to the Directive may result in fines up to £17m.

The Lessons Learned review of the WannCry Ransomware Cyber-attack cited:

Our challenge is to ensure that the health and care system nationally, regionally and locally is equipped to withstand and respond to cyber-attacks in an effective manner"

Critical timelines

There are a number of critical timeframes that are to be adhered to, these are:

  • May 2018: NIS Directive comes into effect and OESs come into scope automatically
  • July 2018 (annually): Annual report of NIS incidents submitted for onward submission to the European Commission in August 2018
  • November 2018: Sector specific guidance published. The Department for Transport and the Department for Health and Social Care have already produced their sector specific guidance
  • November 2018 (biennially): Report detailing the number of OESs and the thresholds for identification submitted to the EU by the SPOC; and
  • May 2019: Annual review of the regulatory provisions of the NIS Regulations.
  • First year (May 18-19) OESs are to:
    • Have a clear picture of security of network and information security using the NIS Directive Cyber Assessment Framework or one produced by the Competent Authority
    • Conduct analysis of system and existing security (technical and non-technical)
    • Develop plans to reach security requirements.

The Health Sector is, understandably, a technologically advanced sector which relies heavily on IT systems and networks, often life saving situations.

But the sector is vast; over 80 NHS trusts and 603 health organisation and GPs were affected by the WannaCry incident, with a cost of £180,000 in emergency measures and more than £150 million future investment in Cyber security.

The NHS has 8000 organisations (not all categorised as OES) that are registered with NHS Data Security & Protection Toolkit and have to complete a cyber security self-assessment against the 10 Data Security Standards – to date only 3% have completed.

New legislation on data

In addition, on the 25th May 2018, the General Data Protection Regulation (GDPR) came into effect as an EU wide regulation that has been adopted as UK Law; this law will remain in affect regardless of Brexit.

The regulation is to make all organisations, regardless of size or capability, accountable for how they use/store/access and share personal data.  The regulation affects all businesses that deal in the EU whether an EU country or not.  For the UK Government the Information Commissioner’s Office (ICO) is Policing the regulation; the ICO has the ability to fine organisations £18m or 4% of global turnover (whichever the greatest) if found to be in breach of GDPR.

Special categories

Not only does the Health Sector have to comply with the GDPR, but most of the data it processes with come under the ‘Special’ category; it is likely the 6 of the 8 special categories of data will be collected by the Health Sector in some shape or form.  These will include:

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Biometric data used to identify an individual
  • Genetic
  • Health
  • Sexual preferences, sex life, and/or sexual orientation

Because of this requirement, the Health Sector is likely to be under particular scrutiny to ensure they comply with the Regulation.

How can we help?

The Health Sector has some particular challenges; complying with not only both new legislations, but is also likely to be specifically analysed by a number of Government organisations to ensure compliance.

This legislation will be implemented at a time when NHS capital spend is hugely constrained so a targeted and considered response is required.  

At Turner & Townsend we have a dedicated Health/Security team who specialise in finding, structuring and securing data – from both external and internal threats.  This includes physical, cyber and data security on new or existing, operational assets or the de-commission of old assets.

These are all intrinsically linked – a weakness in one will expose the other.  Security needs to be looked at holistically:

Our experience has shown that there is simply not the internal resource to deal with legislative compliance whilst maintaining BAU. Whether assessing your internal threat, physical ‘layers’, finding and structuring your data through to the procurement of specialist software, we can help you mitigate a breach or attack and help protect your most critical assets. Within the team are CPNI trained physical security specialists, GDPR practitioners and IT and Cyber security specialists.

Having worked across a number of sectors, we have the depth of knowledge and industry best practice to help with any of your security concerns.

Making the difference

As the largest independent built assets consultancy in the UK, we have a proven track record in supporting our clients to obtain sustainable and high quality facilities. We help our clients improve the security of their assets whether in conception or operational.


We are on all of the major UK frameworks, including (but not limited to):

  • Professional Services Framework
  • Crown Commercial Framework
  • NHS Consortium & NHS SBS
  • Consultancy Services Framework