Cheshire and Merseyside Health and Care Partnership asked Gemserv Health to put together a scenario-based cyber security exercise that started with some bad news, but uncovered a lot of useful information
It’s 8am and it is as a nice day – until you turn on the radio.
The news has just started, and the lead story is that a video has been released showing a group of NHS leaders making worrying remarks about a COVID-19 vaccine.
They seem to be suggesting that safety issues are being covered up, and the share price of the vaccine maker has crashed 10% overnight.
The phone then starts ringing and it’s a press officer wanting to know what IT is going to do about this leak, or fake, or whatever it is…
Cyber attacks spread, fast
This is the scenario that greeted 22 heads of IT in Cheshire and Merseyside earlier this year.
It was constructed by Gemserv Health, with input from Cheshire and Merseyside Health and Care Partnership, to find out how the integrated care system would respond to a cyber-security incident.
Paul Charnley, digital lead for the ICS, explains that commissioners, councils, hospitals and other providers in the area have their own policies and procedures in place. But the ICS does not have an overarching response that was tested and ready to use.
“NHS Digital has a data protection toolkit that requires every organisation to plan for and rehearse its response to a cyber attack, but one of the things that we learned from WannaCry is that a cyber incident can impact a large geography, very quickly,” he said.
“We need to be able to co-ordinate.”
He adds: “The exercise that we ran really brought that to life.
“It was very salutary and very helpful, and it has given us a lot to think about.
“We have learned a lot since WannaCry, but we are in an arms race with the hackers, and we’ve still got more to do.”
WannaCry was the worldwide ransomware attack launched in May 2017.
It didn’t target the NHS, but the National Audit Office estimated that 34% of trusts in England were impacted anyway.
One reason was that the NHS employs a lot of people; with 1.3 million staff and it had a lot of malicious emails to contend with.
Another was that WannaCry spread through older, unpatched Windows systems; and the NHS had a lot of those in computers and medical devices.
However, a third problem was that there was no co-ordinated fightback.
The NAO reported that the Department of Health had been working on a plan, but it hadn’t been tested at a local level, so ‘it was not immediately clear who should lead the response and there were problems with communications’.
We have learned a lot since WannaCry, but we are in an arms race with the hackers, and we’ve still got more to do
And some trusts couldn’t be reached by email ‘because they had been infected by WannaCry or had shut down their email systems as a precaution’, leaving a mix of switchboards, mobiles, and WhatsApp as the only way through.
Only as strong as the weakest link
IT leads in Cheshire and Merseyside wanted to do better.
“After WannaCry, we swore that we would work more closely together, under the tagline: ‘we are only as strong as our weakest link’,” said Charnley.
So the 22 heads of IT in the area agreed to standardise their policies and procedures, and to pool any funds made available by the NHS, to make the money go further.
Cheshire and Merseyside HCP is now working with NHS Digital on a target cyber-security architecture and on a procurements process to deliver the strategy.
This has enabled individual organisations to work to a standard on one of two security information and event management systems: one medical device protection product; and one single sign-on product to give staff secure access to clinical and administrative systems.
“We have worked on our strategy and then we have moved to manage our supplier market and our procurement teams to buy in harmony with that,” said Charnley.
“Gemserv has supported both the policy and the business models.”
Finding the gaps
Cheshire and Merseyside HCP is now better protected against a cyber attack than it was five-years ago; but the mantra of cyber security is not to ask ‘if’ a cyber incident is possible, but ‘when’ one will occur.
The scenario-based exercise was designed to find out how ready the ICS is to deal with an attack; and whether IT leaders across the patch are clear about who will lead the response and how they should communicate with each other.
Before COVID-19 arrived, the ICS had been looking to run a physical event, but, because of the pandemic, it moved to Microsoft Teams.
And five virtual breakout rooms were set up for organisational teams to use, and the scenario was fed to them.
Unfortunately, the attackers only need to be successful one time in 100, whereas the defenders need to be on their game 100 times out of 100, so it’s an unequal game of cat and mouse
As the event went on, the teams also received ‘injects’ of information to take the scenario in a different direction and test their ongoing responses.
They got some ‘good’ news: the video didn’t feature local executives and was instead a ‘deepfake’.
They also received some ‘bad’ news: one of the executives who had been deepfaked had also been spear phished.
His email and that of his contacts had been targeted and a route was open for a ransomware attack.
Not if, but when
Charnley said that, on the day of the cyber scenario event, years of hard work in Cheshire and Merseyside paid off.
IT teams were able to mount a more-co-ordinated and coherent response to the Gemserv scenario than they were to WannaCry.
They also had better tools to use.
However, the exercise showed there were gaps to fill.
The area turned out to be short of some specific cyber security expertise out of hours.
And there were still questions about how decisions would be made that were big enough to require sign-off from Government departments in London or the NHS’s central bodies in Leeds.
It emerged that health and local authority incident response planners needed a cyber playbook to put alongside the playbooks they have for dealing with train wrecks, chemical spills, or even nuclear incidents.
Gemserv Health is now helping to write one, and when it is ready, Charnley wants to test it by running the exercise again.
“Gemserv told us that the military builds things and then attacks them,” he said.
“It costs millions of pounds and we don’t have that kind of money, but we can learn a lot this way.
“I want to do this every six months – certainly every year – and I think every ICS should be planning to do the same.
“I’d definitely encourage others to follow this model and this approach.
This was the first time a cyber breach and response scenario of this kind has been done at ICS level in the NHS
“We wanted to work with an external partner because it’s easy to be insular or to play to your strengths in these exercises.
“Having an external view was very helpful. It gave us a lot of things to think about.”
Staying on top of the game
Prior to the event, Gemserv used its expertise in working across many different public sector and private organisations to create a policy and process document for Cheshire and Merseyside HCP to adopt.
It liaised with the ICS’s leaders and NHS Digital to develop a bespoke and realistic multi-pronged scenario.
“This was the first time a cyber breach and response scenario of this kind has been done at ICS level in the NHS,” said Andy Green, Gemserv’s chief information security officer.
“We went from looking at a damage-limitation perspective to a malicious insider to a full-blown cyber attack.”
NHS colleagues from other ICSs around the country also took part, to consider their own emergency preparedness procedures.
“It’s a continual challenge to stay abreast of what’s happening and it’s an asymmetric problem, unfortunately,” adds Green.
“Unfortunately, the attackers only need to be successful one time in 100, whereas the defenders need to be on their game 100 times out of 100, so it’s an unequal game of cat and mouse.”
Read our latest insights into the Health sector by clicking the link below.