I will be exploring the role of clinical informatics and the bridge it builds between the frontline and technical teams, what happens in the event of a cyber-attack and the impact on frontline services, and how nurses and other staff can help to make the NHS more resilient.
There is no doubt that the NHS is under immense pressure at present. So, before I go on to talk about the importance of cyber security, I want to make it clear that I understand the pressures that are faced by those on the front line.
Thousands of patients rely every day on frontline staff including nurses, doctors and allied health professionals for their health and care needs.
Although patient care is the primary focus, it is everybody’s job to ensure we protect the networks and systems within our organisations. This ensures additional pressures are not put on NHS services.
Cyber security is an ever-increasing risk for the NHS as we further digitalise services – with perpetrators targeting system suppliers, but also NHS organisations directly.
Both have the potential to bring systems and, therefore, services to a standstill if we are not fully prepared.
It is imperative that we build resilience across the NHS to reduce both the likelihood of a cyber-attack and its impact when one happens.
The role of clinical informatics and the bridge it builds between the frontline and technical teams
As a clinical informatics manager, it is my job to work with Cyber Operations to look strategically at how we defend as one. This includes development of training through to working with frontline clinicians when a cyber-attack occurs, ensuring patient safety.
As a physiotherapist, I continue to work weekend shifts clinically, so I sit as a conduit between the technical and the clinical. I’m here to offer advice on cyber security, but it’s often more about listening than preaching.
A lot of my role is understanding the difficulties clinicians face when simply trying to treat a patient, then evaluating how cyber can be protective while minimising the restrictions it can cause. Ultimately, it is about creating something that works, but is secure.
For those times when our security is compromised, it is also about understanding what is required to maintain service provision through business continuity plans.
Having structured alternative processes in place reduces the impact of these attacks. Believe me, evidence from previous incidents suggests paper must be the very last resort!
My path from clinical to digital
People often ask me how I moved from physiotherapy to cyber security. I was a physiotherapist in multiple trusts, both acute and community, for more than a decade. I then moved into a clinical change manager role within an acute trust digital services team.
This basically meant I was considering clinical impact and safety when implementing digital changes or new products purchased. I am a big believer that anything put into services has to work for the staff using it.
From there, I moved to be the clinical lead for a trust’s electronic patient record system, where I led the implementation and supported the ongoing development.
Following this, I moved to NHS Digital to be a clinical informatics manager; within this role I lead clinically for cyber operations at NHS Digital. NHS Digital has recently migrated into NHS England.
“Could clinical informatics be for me?”
For someone to move into clinical informatics, they need to have an interest in digital. Although my role is specific to cyber, there are many different roles within the clinical informatics arena at all levels of the NHS.
A good starting point is the clinical input required at a trust level. This may initially be supporting digital changes your department are undertaking to get a sense of what is involved.
Progression from this may include a clinical change manager role, right up to chief clinical information officers. A specific role for nurses would be the chief nursing information officer.
Nursing staff are crucial in these roles to ensure that what we are doing is firstly safe and also the right thing for our staff.
It’s no use implementing a highly complex system that has all the essential functionalities to manage a patient if it can only be used by highly specialist technical staff.
The fact that frontline staff will not be able to use the system to its full potential (or at all) means the trust will fail to maximise the use of the system – potentially causing disruption or safety risks.
Ideally, an individual wanting to move into a clinical informatics role would understand that technology can benefit patient care and have a real interest in how it can be improved through digital means.
A lot of people I meet think that the role needs highly complex knowledge of technology, but it is about understanding what impact something digital may have on a service or patient.
I always got a great deal of satisfaction knowing that I was doing something that would help to improve the working day for my colleagues.
Working on the frontline, you often hear colleagues complaining that something is taking too long or is not working as it should. I love being part of the process that helps to address these issues.
The life of a clinician is very structured with standards and processes. As a result, it can be difficult to know how to make suggestions for improvement and even harder to get your voice heard.
Getting involved in clinical informatics is a fantastic way of helping to make those improvements and ensuring that your voice and your colleagues’ voices are heard.
Often the best suggestions come direct from the frontline – where people have battled with an issue for a long time and, therefore, have a good understanding of how things can be improved.
What happens in the event of a ransomware cyber-attack?
All cyber-attacks are different and there are many different entry routes that attackers use to access networks and systems. Attacks can be intended to cause political disruption or for financial gain, but never forget the insider threat!
There are, however, normally two key elements to most ransomware incidents. The attacker will first come into your system or service and likely attempt to steal data.
They will then lock it down by infecting your system with ransomware, making it unreachable by the staff that use it – before sending a ransom note offering to unlock it for financial gain.
The NHS has a no pay policy, but it doesn’t stop people trying. Everyone knows that you shouldn’t click on dodgy links within emails, but the law of averages says that if 5000 emails are sent out, one person will click on it.
The most important thing is that these suspicious emails are reported, so that we can remove them across the system.
If someone reports a malicious email quickly (by clicking the “report phishing” button or sending to spamreports@nhs.net) we can remove it before that one person clicks on it.
Another way that attackers work their way into a system is by brute force – when they attempt multiple common passwords until they get the right one.
This is why it is critical to not use passwords such as Password1 or Abc123. There will be someone reading this article that uses one of these.
Make sure your password has some complexity, but also that it is not written on a Post-it note above your computer at work. It sort of defeats the point of a password.
The National Cyber Security Centre (NCSC) has some useful guidance on using three random words to create your password.
If a criminal does gain access to a network or system, the faster we are made aware of it, the faster we can try and get them out of it and potentially the less damage that they will do while they are in there.
If you see anything suspicious (either physically or on a system) it should be reported to technical teams immediately.
Impact on the frontline
All organisations have business continuity plans in some form, but all too often they are designed to last a couple of days maximum.
The question is, what happens if a system is unavailable for a day, a week, a month, or 3 months? It has happened and will happen again.
All NHS organisations really need to consider what they would do if their electronic patient record was unavailable for a month. As a nurse, how would you treat your patients in this scenario?
Normally, the first plan is to revert to paper, but you have to consider the effort required to put 100,000 documents back into a system when it is up and running again.
How many people would that take and for how long? As a clinician, everybody knows a colleague with handwriting that MI5 would struggle to decipher.
What happens if you are unable to get your blood results because the pathology lab has become unavailable?
What happens if you can’t get your radiology images or report because the PACS system has been locked?
I’ve been impacted by systems being unavailable and it’s not only stressful, but it also increases the risk of patients not being treated correctly.
I’ve seen staff become ill and unable to work when facing these types of pressures. Everyone has a breaking point.
Cyber security is not just about protecting systems. It’s equally about protecting staff, so that they can continue to provide the best possible patient care.
The more we can do to increase service and system availability, the more it reduces the chance of us getting to that breaking point.
And what about the data?
Ransomware cyber-attacks are not just about system unavailability. There’s also the extortion of the data to consider and the potential clinical impact this can have on both patients and staff.
The NHS holds a lot of sensitive data – from mental health information to safeguarding concerns. If that is released it could put patients at risk and cause distress.
It’s not just patients though. It can affect staff as well. If a trust’s HR and payroll systems are compromised, there’s a risk that an employee’s bank details could end up in the wrong hands.
This obviously isn’t unique to the NHS. Every HR team in the world, unfortunately, faces these same risks.
But once somebody has your personal bank details or identity information, there’s the potential for them to empty your bank account, take loans out in your name or even steal your identity.
To prevent this from happening, we need to stop the threat getting into the system by being vigilant. This includes questioning when things appear too good to be true or just don’t feel quite right. This is the case for everybody in both work and home life.
Reconnecting a system after a ransomware cyber-attack
Once a ransomware cyber-attack has happened, there may be a number of steps that have to be taken before you can get the affected system back online.
People often think it’s just a case of turning everything back on, but it’s much more complex than that. The first step is to contain the environment to ensure that the attacker is no longer in the system.
It might be that they’ve come through a certain route and we need to block that entrance to stop them returning.
Sometimes attackers put in what we call a back door, so that when their original entry point is blocked, they can continue entering via this back door.
We need to be sure that we’ve closed off all viable entries. In order to do that, the supplier or organisation involved might need to rebuild or replace software/hardware, or introduce additional firewalls, for example.
There may be a need to add multi-factor authentication to the system, so that staff need two pieces of data to enter the system.
And, if the organisation doesn’t have the appropriate patching in place, we might also need to do that.
We then need to do a forensic analysis to see how they got in, where they’ve been and what they’ve done and whether any data has been stolen.
Timescales here depend greatly on the size of the system affected. It’s an extremely busy time.
How nurses and other frontline staff can help to make the NHS more resilient
It seems obvious, but identifying suspicious emails is so important. If it doesn’t look right, it needs to be reported and then deleted. The sooner things are reported, the quicker we can take control.
It’s also important that everyone does their information governance/security training to keep up to date with the latest information.
Multi-factor authentication is now used by us all on a daily basis – from logging into internet banking to accessing social media.
Also known as two-step verification or two-factor authentication, it requires a password and a second piece of information, for example from a phone or smartcard, to enable a user to log into an account.
It’s a simple addition to any login process, but it could make all the difference between your patient being protected and a threat actor stealing their data.
We’re so used to using multi-factor authentication for our accounts at home, so why would work be any different – especially when you consider the amount of sensitive patient data we deal with on a daily basis?
An ID badge might seem like an innocuous piece of plastic, but it ensures we are able to identify people in their place of work. It is, however, also a target for criminals who are looking to gain unauthorised access to buildings or systems.
Have you ever shared a photo of your ID badge? Do you have photos on social media of you wearing your lanyard and ID? Just don’t do it.
It’s a bit of a cliché that we say: “cyber security is everyone’s responsibility”, but it’s so true.
An attacker doesn’t care whether you’re a chief executive, a nurse or an HR advisor. They’re just looking for vulnerabilities to exploit. They will take patient records or personal staff information. Both are desirable.
From my point of view, it’s also important that frontline staff who have an interest in clinical informatics are supported and given the opportunity to go on the relevant training courses.
As cyber threats evolve, these are the people who are going to be crucial in terms of keeping the NHS safe.
Clinical informatics roles will become more and more important as we progress digitally, so we need to ensure that there are clear development paths as well as recruitment campaigns designed to inspire those individuals who may be interested in developing in this area.
As trusts digitally mature, the knowledge of the workforce needs to mature at the same pace. Unfortunately, the speed of this cultural change varies greatly across trusts.
Some, for example, have huge financial constraints, so becoming digitally mature just isn’t a top priority. But if recovering from a cyber incident costs a trust a million pounds, the few thousand pounds needed to fix the initial issues seems like a drop in the ocean.
If your main pressure in a hospital is trying to increase bed availability because A&E is over capacity every day, then you’re probably not going to prioritise cyber changes. However, if these changes keep the lights on, are they worth prioritising?
I can understand it. Trusts are focused on remedying problems that are live at that time, rather than cyber security which is usually measured by the risk of something happening.
The problem is that, when cyber security does become a live issue, the amount of resource (both financial and staffing) increases exponentially and has the potential to make the bed situation a whole lot worse.
It’s, therefore, vital that all NHS organisations strike a balance between addressing live issues and preparing for the event of a cyber-attack – because unfortunately most will be affected by an attack in some way or another in the coming years.
Chris Day, senior clinical informatics manager, Cyber Operations team, NHS England