A security health check from BT’s Security Advisory Services helped the South West London Integrated Care Board to better understand its cybersecurity posture, bring in key health requirements, and identify its strengths and weaknesses.

In May 2023, the NHS experienced 1383 attempted cyberattacks per week compared with 797 in May 2022, and it’s reported that around 21 million malicious emails are blocked every month. The sustained rise in attacks over the last few years has prompted trusts to check the health of their cybersecurity infrastructure and practices.

The volume and severity of attacks have a significant impact on patients, staff and the healthcare system more widely. From doctors being unable to access medical records to missed diagnoses – the level of risk involved with having inadequate security protocols and defences is huge.

South West London Integrated Care Board (SWL ICB), which oversees the NHS services in south west London, wanted to find a unified approach to tackling cyber threats across the integrated care systems (ICS) healthcare facilities.

To help better understand its cybersecurity posture, bring in key health requirements, and identify their strengths and weaknesses, the SWL ICB partnered with BT to conduct a security health check.

Challenge
The SWL ICB wanted a comprehensive, detailed assessment of its cyber maturity and starting point, from both an individual trust and cross-trust perspective.

This would enable it to identify the potential risks, vulnerabilities and gaps in its IT infrastructure, and define clear actions needed to strengthen their defences, reduce operational challenges, and protect sensitive information, such as patient data.

The SWL ICS includes six individual trusts and separate distinct corporate and GP IT estates, each with multiple stakeholders managing different aspects of cybersecurity, strategy, risk, and governance.

Coordinating activities to ensure that the interviews to capture necessary information was managed successfully while minimising disruption to the daily operational duties of NHS stakeholders was a complex task. The trusts involved also suffer from immense resource strains and a skills shortage which made collaboration more challenging, which is a well-known problem for healthcare across the globe.

“The complexity of our security systems across multiple trusts must not be overlooked. While patient data and safety are at the top of our agenda, it can be tricky to navigate regulations and ensure that all our premises are stringent with security protocols. Support from a trusted organisation like BT was welcomed by our workforce,” said Martin Ellis, chief digital information officer (CDIO), South West London Integrated Care Board.

Solution
BT’s Security Advisory Services team conducted an independent assessment between March and July of 2023 of the SWL ICB’s current security controls.

Its assessment of the SWL ICB used the Centre for Internet Security (CIS) version 8 framework, a set of industry standard cybersecurity controls, overlaid with sections covering cybersecurity strategy, governance, and risk management.

BT also integrated a number of other control frameworks as requested by SWL ICB, including the Data Security Protection Toolkit (DSPT), Cyber Essentials, NHS ‘What Good Looks Like’, and National Cyber Services requirements.

The duplication of questions across frameworks was considered to streamline processes, and any overlaps were referenced to ensure that no details were overlooked.

The output of the assessment was mapped against the National Cyber Security Centre’s Cyber Assessment Framework (NCSC CAF) to identify where recommendations should be implemented. The NCSC CAF provides guidance for organisations responsible for vitally important services and activities.

“Thanks to BT, we have strategic oversight of the security of our ICS providers. This means that we can easily identify areas for improvement and put healthcare outcomes first,” said Ellis.

Result
BT provided SWL ICB with a list of prioritised recommendations to help them improve the resilience of their trusts.

The combined cross-mapping of certifications was praised by NHS England, with other ICS’ now likely to be expected to adopt the same approach to cybersecurity.

BT’s team provided a blueprint for better healthcare outcomes, by giving the SWL ICB an actionable programme.

“We seamlessly managed the project end-to-end, allowing the already stretched NHS staff to focus on where it matters most. Looking ahead, we are working with the SWL ICB stakeholders to successfully implement the recommendations, and the SWL ICB has continued access to our committed, independent cybersecurity experts,” said Deborah Moir, principal cyber security consultant, BT.