
Date published: 25 May, 2023. Date last updated: 16 August, 2024.

Cyber Security

Version 1.1, 25 May 2023


The NHS remains a significant target for cyber criminals. Hackers could be motivated to exploit sensitive patient data or demand money by holding organisations to ransom. NHS networks could also be affected by indiscriminate cyber warfare attacks. Case examples of high-profile cyber-attacks include Advanced, ‘WannaCry’, ‘NotPetya’ and the 2021 Irish Health Service Executive attack.

Everyone in the NHS, including NHS service providers and everyone providing care to NHS patients, should therefore play their part in ensuring that the network is used correctly and is equipped to withstand cyber attacks. This must be done in a way which minimises disruption to clinical care and, more importantly, minimises the impact on patients.

Most cyber security breaches can be prevented by simple steps, like making sure staff do not use weak or compromised passwords and checking software systems are updated automatically.

Organisations should have plans in place to detect and eliminate malware within their systems. These plans should include measures to minimise the impact of a security breach and to expedite the organisation’s response. Organisations should adopt a ‘defence-in-depth’ approach, using multiple layers of defence with various mitigation techniques at each layer to detect malware and prevent it from causing significant harm.

The risks

Cyber-attacks in the UK are increasing, and most industry experts consider it not a question of ‘if’ but ‘when’ the next large-scale cyber-attack will occur. All staff must, therefore, remain vigilant and take precautions to reduce this threat.

The 2017 WannaCry attack made clear the need for the NHS to improve cyber security to defend against a future attack. The non-targeted cyber attack infected more than 230,000 computers within a day, in at least 150 countries. This included infecting 595 NHS GP practices (8% of all surgeries) along with disruption in one-third of hospital trusts in England. The virus disabled computer systems by encrypting the files and demanding a ransom be paid. Even unaffected computers needed to be shut down to minimise the risk of them becoming infected.

The main vulnerability exploited by the attack was unpatched software: affected devices had not installed a recent security patch for the then-supported Microsoft Windows 7 operating system.

Common cyber threats

Common cyber threats that may target NHS staff or patients include junk email or spam, which are irrelevant or unsolicited messages sent via email for the purposes of advertising, phishing, or spreading malware.

Another threat is malware, which refers to various forms of intrusive or hostile computer software, such as viruses, worms, and trojan horses, which are often spread using email.

Using email safely

When receiving emails, it is important to be vigilant and cautious in order to protect against potential scams or phishing attempts. One way to check the legitimacy of an email is to hover your mouse over any web addresses that the email is trying to get you to visit, to make sure that they appear legitimate, and never open any links from unknown senders.

A tactic used by spam emails is to request personal information, including bank account details or account passwords. It is important to remember that you will never be asked to provide your login details to anyone, so any email requesting such information should be viewed with suspicion.

Additionally, if an email seems too good to be true or uses any kind of urgency, such as asking you to ‘log in now’, this should raise suspicion of spam. Other red flags include incorrect grammar and spelling, and suspicious attachments, which should never be opened from unknown sources or even from known sources who don’t usually send attachments.

It is important to check the sender address and ensure that it reflects the official agency or bank that the email claims to be from. If you are in any way suspicious of the request, you should contact the sender by phone or other established channels to confirm the legitimacy of the sender and the request. It is also important to be cautious if your email address is being used as the ‘From’ address or if the ‘To’ field shows many recipients, particularly if they are unconnected.

Report an email that you suspect to be spam, or suspect may be an attempt to spoof or phish your account, to the NHSmail helpdesk. The options for reporting a suspicious email are set out in the NHSmail support site article ‘Reporting cyber threats’.

Always exercise extreme caution when using ‘reply all’ or sending to multiple recipients, especially when the communication contains personal data, as this has resulted in many high-profile data breaches.
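The red flags listed above (sender domain not matching the claimed organisation, your own address used as ‘From’, many recipients, urgent wording, requests for credentials, links that point somewhere other than they appear, attachments) expressed as a small Python triage script, run over a constructed sample message. This is an added illustration, not part of the original guidance; the addresses, domains and link in the sample are made up, and the `trusted_domain` parameter is an assumption.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real NHSmail message) that carries several of the red flags above.
SAMPLE = """\
From: NHSmail Support <support@nhs-mail-helpdesk.example>
To: a.clinician@nhs.net, b.other@nhs.net, c.random@nhs.net
Subject: Action required: log in now to keep your mailbox
Content-Type: text/html

<p>Your account will be suspended. Please <a href="http://login-nhs.example/reset">
click here to log in</a> and confirm your password.</p>
"""
URGENCY = ("log in now", "action required", "suspended", "urgent")
CREDENTIAL = ("password", "login details", "bank account")
# (href, visible text) of each anchor: the automated form of hovering over a link.
# A regex is enough for this sample; a real triage tool should use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def triage(raw, trusted_domain="nhs.net"):
    """Return the red flags found in one raw message; an empty list means none were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0] if msg["From"] else None
    to_addrs = [a.addr_spec.lower() for a in msg["To"].addresses] if msg["To"] else []
    flags = []
    if sender is None or sender.domain.lower() != trusted_domain:
        flags.append("sender domain does not match the claimed organisation")
    if sender and sender.addr_spec.lower() in to_addrs:  # recipient's own address as From
        flags.append("your own address is used as the From address")
    if len(to_addrs) > 2:
        flags.append(f"{len(to_addrs)} recipients in the To field")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = f"{msg['Subject']}\n{text}".lower()
    if any(p in lowered for p in URGENCY):
        flags.append("urgent wording pressing you to act now")
    if any(p in lowered for p in CREDENTIAL):
        flags.append("asks for login details or bank account details")
    for href, label in ANCHOR.findall(text):
        host = (urlparse(href).hostname or "").lower()
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            flags.append(f"link '{' '.join(label.split())}' actually points at {host}")
    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append("carries an attachment")
    return flags
```

Run against `SAMPLE`, `triage` reports five flags; a message that raises none is still not proof of legitimacy, which is why the guidance says to confirm through an established channel when in doubt.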

Staying secure online

Everyone should follow the National Cyber Security Centre (NCSC) guidance on staying secure online.

Report any cyber or data security incidents to the NHS Data Security Centre.

Bring your own device

Bring your own device (BYOD) is a local policy that allows staff to use their own personal devices, such as smartphones, tablets, or laptops, for work purposes and to securely access the organisation’s systems, applications, and information. While BYOD can provide greater flexibility, it is important to use caution to prevent the transfer of malware to the NHS network and to ensure the security of NHS data.

To properly implement BYOD, staff should:

There are some specific security considerations such as using separate accounts on personal devices used for work, using biometric features to secure the device if possible, and reporting lost or stolen BYOD devices to IT as soon as possible.

Staff should not use devices that have had inbuilt security restrictions changed or removed (known as jailbreaking for iPhones and rooting for Android phones) as this circumvents security controls and may modify the organisation’s BYOD software.

Staff should also avoid connecting unapproved devices to the corporate network, although such devices may sometimes be used on guest networks where available.

Working remotely

It is important to check that home working solutions being used are cyber secure and approved by the NHS. The layers of network security are naturally reduced when working remotely, so follow the NHS guidance to ensure work remains effective and data remains secure.

Data Security and Protection Toolkit

All organisations that have access to NHS patient data and clinical systems, including all GP practices and other primary care organisations, must use the Data Security and Protection Toolkit (DSPT). This replaces the NHS Information Governance toolkit as the key NHS data security standard.

The DSPT is an online self-assessment that must be completed annually by NHS organisations. The detail depends on the category of organisation. Its use is required under the Integrated Care Board-GP agreement.

There are many benefits of the DSPT. The DSPT is mapped against international standards, including the ISO27001 standard. This is to make it easier for organisations that wish to undertake best practice to adhere to multiple regimes.

The DSPT also allows the NHS to monitor and target improvement in cybersecurity and aims to drive more cyber-conscious behaviours.

The cost of maintaining data security is likely to be much less than the cost of cyber-attacks or data breaches.

Summary of the data security standards (from the DSPT)

Data Security Standard 1

All staff must ensure that personal confidential data is handled, stored, and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.

Data Security Standard 2

All staff understand their responsibilities under the data security standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches. Insecure behaviours are reported without fear of recrimination and procedures which prompt insecure workarounds are reported, with action taken.

Data Security Standard 3

All staff complete annual security training.

Data Security Standard 4

Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see.

Data Security Standard 5

Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.

Data Security Standard 6

Cyber-attacks against services are identified and resisted and NHS Data Security Centre advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.

Data Security Standard 7

A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

Data Security Standard 8

No unsupported operating systems, software or internet browsers are used within the IT estate.

Data Security Standard 9

A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework. This is reviewed at least annually.

Data Security Standard 10

IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the data security standards.

Business continuity and disaster recovery

All NHS organisations must have business continuity plans in place so that they can maintain their services to the public and patients in the event of both large and small incidents. This could be because of cyber-attack but also loss of services (electricity, heating, water, internet/HSCN, telecommunications), infection outbreaks, staff absence, fire and flood, and the more unlikely scenarios of chemical, nuclear, biological, and radiological attacks/accidents.

Having business continuity plans in place is a crucial aspect of an organisation’s contractual arrangements as a provider of NHS-funded care. These plans should cover various scenarios, such as alternative access to systems, operating without systems, moving site and continuing care, and prioritising care when only a skeleton staff is available.

They should also cover communication methods for different scenarios, backup options, lines of reporting and control, and the help that is available and how to access it.

The Cyber Security Services Framework offers a complete range of external support services to help NHS and wider public sector organisations manage cyber risks and recover in the event of a cyber security incident. Through design, delivery, testing, governance and assurance, it enables service continuity in patient care by ensuring patient data is secured, and critical services and systems remain available.

Practices may choose to develop their own plans or reach out to their commissioners or local area teams, some of which may have developed template business continuity plans.

GPIT operating model

Under the terms of the GPIT operating model, practices have the following responsibilities for data and cyber security:

Integrated care boards/commissioning support units should provide the following support for practices in relation to cyber security:

What patients need to do

Patients should follow the advice of the NCSC on staying safe online.

If patients disclose any cyber-attacks to NHS staff, such as phishing or smishing attacks by individuals impersonating the NHS, they should be encouraged to report these scams to the NCSC.

Staff should also report any threats to the NHS Data Security Centre by emailing cybersecurity@nhs.net.

If patients have lost money or have been hacked as a result of responding to a phishing message, they should report it to the police. In England, Wales, or Northern Ireland, patients can visit www.actionfraud.police.uk or call 0300 123 2040. In Scotland, they should report it to Police Scotland by calling 101.
