The NHS risks GDPR fines of up to £5 billion after it decided it could not afford to implement key recommendations from its own review of the WannaCry ransomware attack.
Admittedly a £5 billion fine is based on the spurious assumption that every GDPR breach would result in the maximum permitted fine of four percent of global turnover, whereas the ICO would look at mitigating factors.
And in the immediate aftermath of WannaCry the NHS did reprioritise £21 million to address key vulnerabilities in Major Trauma Centres and Ambulance Trusts. A further £25 million helped strengthen hardware and software at organisations non-compliant against high severity CareCert alerts. Then £150 million was made available to improve monitoring, resilience and response and a new Security Operations Centre (SOC) initiated.
However, the review specifically called for: "all NHS organisations [to] develop local action plans to move to compliance with the Cyber Essentials Plus standard by June 2021," and it added, "This should be the minimum bar that all health and social care organisations must meet. These plans are to be provided to the Chief Information Officer for health and care by 30 June 2018."
Now documents released to the Health Service Journal under the Freedom of Information Act show NHS Digital opposed adopting the recommendation saying: "While NHSD believes using the CE+ [Cyber Essentials Plus] as a benchmark is useful, getting all providers to accreditation would not be value for money." Meeting the standard is estimated to cost the NHS between £800 million and £1 billion.
So if the lower figure of £800 million were taken as what should be done, and some £200 million is what was done, the NHS may be presumed to have done a quarter of what was expected. It may be that the regulators will accept that a transition period is needed to achieve such budgets, that lives matter more than data, and that the organisation has shown willing and is heading in the right direction - or it could fine the NHS around a quarter of the maximum - say £1.25 billion - for ignoring its own advice.
In an email to SC Media UK, Javvad Malik, security advocate at AlienVault commented: "It would be wrong to say that the NHS has outright refused to implement the suggestions of the ICO in terms of improving security. Rather, that to implement each control as specified would be cost-prohibitive, and that the NHS will implement security controls in a manner that is in line with its budget and priorities.
"It is also worthwhile bearing in mind that organisations that invest more in security don't necessarily achieve better outcomes, as presented in the recent AT&T Business Cybersecurity Insight report vol.8."
Sam Curry, chief security officer, Cybereason agreed that the issue was not so straightforward, telling SC Media UK: "There are only three possibilities. First, it's possible that the advice over-compensates. For all security measures such as this one, initial implementations are introduced and along the way it can slow business and efficiency. In medicine this can be extreme, as interruptions can result in literal life lost. This is easily addressed with a panel to look at choices made.
"Second, it's possible that they have made the right call, accepting some measures and rejecting others.
"Finally, they may have the wrong incentives. Put plainly, they may not care enough. That's not an indictment; it may just be a fact. Are they incented to really care about pursuing privacy and security beyond a binary yes/no answer? How much do they care? Is it a first principle?
"The solution emerges then: make a formal, reasoned statement about the degree of care and the importance of privacy and security. If nothing else, GDPR paints a clear set of signposts at least until Brexit. Then convene an internal panel of players on IT risk and an external advisory group of cyber experts to guide next steps and make this an ongoing process of risk and value trade offs."
William Smart, chief information officer for Health and Social Care, made his views known in the initial report that he authored, saying: "WannaCry has made clear the need for the NHS to step up efforts with cyber-security so that every possible protection is taken to defend against a future attack."
So how vulnerable is the NHS, and is £800 million an over-reaction and misuse of scarce resources? On the one hand only one percent of NHS activity was directly affected by the WannaCry attack - though 80 out of 236 hospital trusts across England were affected. On the other hand, the ICO reports the healthcare sector as accounting for the highest number of data security incidents in the third quarter of 2016, with 74 of the NHS’s 239 reports related to cyber security incidents.
Healthcare data continues to be highly valued by attackers, who specifically target it because it can't be changed and so has a long life as a saleable product on the dark web. Consequently the NHS is under constant attack, including by targeted custom malware; incidents continue to happen, and there will be breaches that contravene GDPR and impact data owners. But the NHS prefers to call data owners patients, and has a mindset that would value a fully equipped operating theatre above database integrity. Yet delivering its service can also be impacted by cyber-attacks - as WannaCry demonstrated - potentially also making the NHS vulnerable to a second set of fines under the NIS directive, equal in scale to those under GDPR.
Until hacks demonstrably kill people, switching off life-support and the like, then we shouldn't be surprised if current budget triage systems leave healthcare cyber-security in the waiting room.