
Cyber security is just an IT problem, right?

This episode discusses the challenges and successes of fostering a positive security culture.

The NHS is transforming patient care through advancements in technology and innovation. We increasingly rely on digital services and our cyber team has a vital role to protect them and ensure uninterrupted access to systems and data.  

Creating a robust defence requires more than just the latest technology. We need a cyber strategy, governance and policies in place, but we must be agile to respond to change. We also need diverse teams and people with different skills – and it’s not just the IT or cyber team that have a responsibility for security.

Transcript of podcast

Mike Fell, NHS England:   
Welcome back to The Cyber Sessions podcast. I'm your host, Mike Fell, Exec Director of cyber operations at NHS England. Every day millions of patients benefit from the NHS digital transformation, from GP appointments to hospital treatments.

Technology is revolutionising healthcare delivery for the better. But with this digital evolution comes responsibility. While our cyber and IT teams work tirelessly to protect our systems, today we're going to be exploring a critical question: is cyber security just an IT technology problem or does it go beyond that? And I'm delighted to welcome 3 experts to help unpack this question. Tej, would you like to introduce yourself?

Tej Gudka, NHS Arden and Greater East Midlands Commissioning Support Unit: 
Yeah. Good afternoon, everyone. My name is Tej Gudka. I'm Head of Cybersecurity at Arden and Gem CSU.

Mike Fell, NHS England:  
Thank you very much. And Sam?

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
Hi, Mike. So I'm Sam Robinson and I am the Chief Digital Information Officer at Yorkshire Ambulance Service.

Mike Fell, NHS England:   
Very great. Good to have you on the podcast today. And Mark?

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
Thank you.

Mark Logsdon, NHS England: 
Hi, good afternoon. My name's Mark, Mark Logsdon. I'm the Chief Information Security Officer for NHS England.

Mike Fell, NHS England:
Great, so I'll kick off with an easy one to get the conversation juices flowing. So what does good security actually look like?

Mark Logsdon, NHS England: 
So it's an interesting question which you know, I've been asked several times before.

And it's not for me necessarily about having a given qualification or certification or whatever. For me, it's about a conversation.

Good security looks like having a conversation between various stakeholders from across the business, be they, you know, IT, be they in commercial, be they in operations of some sort, wherever it happens to be - all those parties coming together, and obviously including ourselves as security people, coming together to decide and kind of oversee the most appropriate levels of security for the organisation, given what it does. And that conversation, as I say, can't happen in isolation, it has to happen collectively, and I think that to me ultimately is a sign of what good security looks like, when those conversations happen.

Mike Fell, NHS England: 
I think that is a very sound basis for it. I think back to doing a masters in security when I had security defined to me as the freedom from fear. And I think what you say there, Mark, goes a lot further than us just not being scared, and I think that's right. Does that, I mean, Tej, Sam, as folk who work elsewhere, is that what differentiates good and bad security for yourselves?

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
Yeah, I would agree with Mark on that, but in addition to that, really good cybersecurity looks like when it's become second nature to everybody, that way that you think about things and the way that you go about your own business and delivering, whether it be healthcare or back office services, knowing that security is a second nature thing that you consider. I mean, we know we've been successful when that happens.

Mike Fell, NHS England: 
And we'll come back to the cheesy analogies later on, but it's the hand washing before you see a patient thing, isn't it? It’s nature and always done right. So, obviously, hand washing, that analogy, that's the clinician's responsibility. And at the heart of this is where the cybersecurity is just an IT professional or a cyber team problem. So in respective roles that cut across this in different settings, I'll turn it around a little bit. We don't always get this right, but it's inevitably some blame, some fault or some criticism of it. Whose fault is it that we're not getting security right so far?

Tej Gudka, NHS Arden and Greater East Midlands Commissioning Support Unit:
As much as it's everyone's responsibility, I think that there is some accountability as well with cybersecurity, which is really important, that people take personal responsibility. A lot of people now understand the importance of cybersecurity for themselves. Maybe when they log into their banking and we also have a lot of important information that we're protecting in the healthcare sector. So I think it is about people taking responsibility at home and at work.

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
When I joined Yorkshire Ambulance service in the summer, I met with the chief exec and one of his three priorities he shared with me was cybersecurity. So it was on his agenda. And so if it was his priority and it was also my priority, it was really important to me that I made sure that the board also saw it as their priority because I do believe and as part of this discussion, we'll cover it more. It isn't just an IT challenge. It has to be shared across the whole organisation.

So I actually took advantage in my first couple of weeks of the NHS England offering to bring training to the board. So we had an NHS England person come along and do a dedicated board session about cybersecurity awareness and responsibility of the board and that was absolutely fantastic because in that room I had the Director of Strategy, the Director of Finance, the Chief Operations Officer.

All of them understanding that for us to be really successful as an organisation with our cybersecurity agenda, it was going to take us all to work as a team and to understand our own responsibilities, so that should set us up then for success to make sure that we really do deliver for our patients and keep everything as secure as we can.

Mike Fell, NHS England: 
Yeah. And Mark, I will come back on because I suspect there's some challenge around the everybody's responsibility bit. I'll just pick up on the board bit, and thank you for calling out that dedicated national offering that is there. Board members are not only uniquely vulnerable in terms of them potentially being targeted by people because of their high profile, something which we can address through that, but inevitably uniquely well positioned to be making those hard calls, and so I think you're absolutely right to call out that. Mark, did you want to say something about cyber being everyone’s responsibility?

Mark Logsdon, NHS England: 
I just want to pick up on the word ‘blame’ a little bit and actually I think for me it's more that we should be creating an environment in which people can operate, do their job in a cyber secure type of manner.

If one thinks about cars, for example, they are now designed with not only the driver in mind, but the pedestrians in mind, in case anybody’s hit, to ensure that minimum damage is done, that the steps are taken, you know, around automatic braking, seatbelts, a whole host of measures that have come in place that kick into force when accidents do sadly happen. Yeah. And I think, you know, we should be thinking about creating similar environments whereby people can operate pretty much freely, but also understanding that accidents will happen from time to time. I think I'm right in saying that Volvo have got this strategy where they say that nobody should die as a result of a crash within a new Volvo car.

And they are seeking to create that environment. You know, that car to do that, and I think that's something we can look at more such that we don't allow, for example, phishes to arrive on a desktop and so forth. You know, more in those sorts of areas where we create that environment such that then the blame goes.

Mike Fell, NHS England: 
Correct, weak passwords feature time and again in incidents in healthcare as they do in the wider sector. And yet, as you say, identifying the root cause here, is the root cause that weak passwords are being used or is the root cause that systems are allowing weak passwords to be used.

So I mean I think we're touching on the point that engaging with people, with staff, whether it be to train them about protecting themselves at home, or whether it be influencing the most senior leads in the organisation to prioritise this, is important and at the heart of good cyber but not always easy to achieve, and indeed doesn't always work. I'm particularly reminded of some of the phishing simulation exercises that have been pilloried, or, for example, you know, offering spurious bonuses and then going gotcha when somebody inevitably kind of opens the link on it. So I think it's easy to kind of criticise what hasn't worked well but maybe harder to find actually the really good examples. So what are the initiatives that you've seen about engaging staff in this topic that have really worked and landed?

Mark Logsdon, NHS England: 
I've seen some good examples that work really well which are different. We are bombarded every day with corporate messages. And as a consequence, we need to ensure that our messages rise above that noise somehow and get heard. Because, many of our messages, quite frankly, can be a bit dry and also that way we deliver those messages sometimes have to be in a way which the consumer can choose to get them at a time and a place of their choosing.

So what I'm trying to say is the old one-size-fits-all, let's do a call, sort of tick a box I don't think works terribly well and in light of that I was, and it's not as expensive as perhaps one might perhaps imagine, I was involved in creating writing a book of short stories on various topics in cybersecurity which set them in a different historical context and none of them were more than 500 words long, with one exception. And it's sort of highlighted in a different way, all the issues around business continuity. So there's a business continuity story set in the Palace of Westminster around the Gunpowder plot. If you think about which is, you know, as a business continuity DR type story and publish that in numerous different formats, hugely successful. We had a global reach with that, believe it or not.

And I think we need to look at similar innovative ways to... I've also been involved in creating games, online gaming, where you became a part of a phisher and so forth. And I think there's a whole bunch of things that we could think about doing in that space, which moves away from the automated PowerPoint sort of slide type approach.

Mike Fell, NHS England:
I think there's an increasing recognition of the psychology of this and the neuro linguistic ability to use nudge theory to use some of the cognitive biases and things that people enjoy - the gamification bit, isn't there in doing that. I mean Mark you touched there on a really important point and Tej, I know you’ve got coverage of primary care, of GPs and that that have different challenges, to be blunt, from the desk jockeys like Mark and I, who sit at computer screens all day to absorb this stuff, and Sam, similarly you've got a different customer base with paramedics. So what's the things that have worked those communities?

Tej Gudka, NHS Arden and Greater East Midlands Commissioning Support Unit:
So for me, Mike, one little exercise we tried in a GP practice was to, with the practice managers blessing, put a sweet on keyboards where desks had a clear desk. Machines were shut down correctly and made sure there was no patient identifiable information near those machines around the GP practice.

The next day, it followed a conversation, why have you got a sweet on your desk? And we followed it up with some comms to say if you had a sweet on your desk, it was there just to prove that you'd done a really good job of keeping your desk clear and use that as a conversational type way of striking conversation within the GP practice and that's spread across all of the staff, not just the actual GPs themselves. And that was a really simple, non costly way of just sharing a simple idea of a clear desk policy.

Mike Fell, NHS England: 
Yeah, again, there's playing to those human behaviours, isn't it? Who doesn't love a sweet? Treats work with my dogs and children and I won't judge which is more successful in the training world between the canine world and the kid world but I think that's a great example. 
And Sam?

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
So I mean, I'm still relatively new into post, but it is a challenge that faces me because not only do I have a dispersed and mobile workforce, but they're across the whole of Yorkshire. There's over three and a half thousand mobile staff, all out on the roads, so I do have a challenge in how I'm going to be addressing this with all of the different types of staff.

However, I am a big believer in the storytelling, Mark, as you've just alluded to, and also making things really, really relatable, because actually we can have a shared responsibility about making sure that our staff understand security for their own personal banking, social media, et cetera, because that has a direct impact on their well-being and then how they turn up to work each day. So if I can make the cyber agenda really relatable to people in their home life, that means that that training will then be baked into how they use the work technology. How they use their laptops and iPads and how they change their passwords. So I think my agenda is going to be about making everything as relatable as it can be and using storytelling.

Mike Fell, NHS England: 
Yeah. And that relatability links into language, doesn't it? And I think that using the right language is the key to this. And I think, you know, there's phrases like humans are ultimately a storytelling animal.

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:
Yes.

Mike Fell, NHS England: 
Mark and I work very closely together and I think we have the, unfortunate, maybe accolade of being known as the greatest analogists in the organisation. Some that come to mind for me, one of my favourites is about we seem to be still finding ourselves having wet feet walking down the street, complaining that we spent an awful lot of money on an umbrella, wondering why we've got wet feet when it's raining? And that being because we've got holes in our shoe’s leather. Using that as an analogy to say that this is not just a cyber problem, have to invest in your IT and your foundations to manage this risk. And I find those personally really powerful actually in simplifying complex topics into ways.

So, no judging, no marking going on. What's everyone’s favourite? Mark, I know I'm going to start with you because I know you've got a couple of good ones up your sleeve that I'm sure will be worth sharing.

Mark Logsdon, NHS England:
That's put me on the spot. I mean, what I most recently described, the sort of approach to an early approach when we were trying to understand how an incident was working, to physically understand how the attack was to work, and what the attackers were doing, was to compare it to putting out some sort of like virus or whatever into a petri dish and where you recognise that you kind of have to let it grow for certain lengths of time to figure out what's the best treatment at that particular time, you know, for the patient, recognising that you could do something now but actually longer term, that probably won't cure the problem without knowing the full extent of what the virus, how the virus operates and being able to do some research.

And saying during that period of time, clearly there's, you know, a point comes where you might have to look at the patient and say, well, we've got to do something anyway before we know the full answers and so forth to stop going too far. And that seemed to resonate quite well, to be honest, and people understand that.

But I do think it comes back to this point that Sam was making about making it relevant to the audience and talking to something that they, you know, understand and to that point, you know, it would be quite frankly ridiculous if we were to put out some sort of awareness campaign that was based upon how one uses, I don't know, the Summary Care Record on an iPad in the back of an ambulance and push that out to staff within NHS England. It's got no relevance in many ways to them at all, and they'll soon quickly switch off, right.

So I think it is that having that sort of relevance and trying to understand the audience, where their skill sets lie, and trying to make what you're talking about relevant to them. So I think it's the two are really and I choose wherever, whenever possible to use analogies and whatever and bring it a bit simple, maybe because I've got a simple brain, I don't know.

Mike Fell, NHS England: 
So I think in life it's easy to complicate, it's often very hard to simplify, isn’t it? I know that’s something that we suffer from. What's the other good examples that we've got here? Sam? Tej? What's your favourites in this space?

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
But I think as the kings of analogy in the NHS I'll set you the challenge of finding me an urgent care ambulance analogy that I can use in my campaign. I mean, I've always been a fan of saying, you know, there's no point in bolting all your doors thinking that you're secure when your windows are open, because it's really true. We can get ourselves so caught up in building those defences without actually realising that we've just got something behind us that we haven't noticed and that really resonates for me with an IT Ops background.

And in patching, it's just such a critical thing that we keep ahead of and we sometimes we had to slim down on it or we don't prioritise it. So all the cyber defences in the world that we put in place, if we haven't got patching up to date that really opens us up wide.

Mike Fell, NHS England: 
Yeah. And on the fly on that one, Sam, what I would say is that quite often, cyber is about the ambulance is rocking up on the blues and twos and rescuing people and taking them to the cyber incident response functions to do the recovery. And actually what arguably we need to invest more in is the public health messaging and the early getting people eating healthily and that. So you can have that one for free.

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
There you go. Thanks Mike.

Tej Gudka, NHS Arden and Greater East Midlands Commissioning Support Unit: 
Yeah, I have an example I was trying to share with people. Don't use the same password. I mean you can say that many times, but often people don't listen. So I did on an occasion where I was speaking to a number of finance professionals within the NHS was went to ‘Have I been pwned’. It's a website where you can go to and actually show them breaches or previous breaches of e-mail addresses.

So firstly I got them to put in their personal e-mail addresses on their own screens and a number of websites came up. So things like LinkedIn and other websites have been breached in the past. So I gave them the analogy if you use the same password on LinkedIn to other systems like your work systems, the bad actor may come back and try that same password if it's been breached on other systems. And I think that really hit home to individuals to say using the same password on different systems can be a real risk. So that was an example I tried to use a little bit more interactively to show them their own story.

Mark Logsdon, NHS England: 
I think there's another thing as well in this. That is about the language we use, so you know cyber folk are really clever at using fancy words and terms, which are often, you know, impenetrable to an audience outside the profession, as it were. And the one I kind of always think about in that space is, you know, we've used it many times, is social engineering, right and all that sort of stuff. And, when she was alive, God bless her, you know, I used to think well, what would my old mum think of that, would she know? Not, not at all.

But if I spoke in terms of common fraudsters and tricksters, right, immediately gets it. It's just the same thing. But no, we have to dress it up and then, you know, we've gone mad with the old phishing. We can't even spell it properly, right. But, you know, we have to spell it differently, but then gone from phishing to spear phishing to whaling and so it goes on and it, you know, frankly, whaling again, you know, as a term we're kind of cool with it. Yeah, I get that. But what's the common usage outside of that environment? And it does make it impenetrable to people, and I think we've kind of got to demystify some of that, really.

Mike Fell, NHS England: 
I think you're bang on. I think there's some great examples there of different ones. Indeed, Mark, one of your, the first ones that I recall when we met was your statement that why are brakes put on cars?

Mark Logsdon, NHS England: 
Oh yeah.

Mike Fell, NHS England: 
Being brakes are on cars to make the cars go faster, not to make them go slower, and I think again that's, you know, back to the what's good security, good security is the brakes that are there to make the business go faster, not there to act as a drag anchor on it. But I did see that publicly quoted elsewhere many years after, so, as you also say, success has many parents. So I think that one is out there in the wild with many taking credit for it now, which is a success because it means people are talking about security.

So we've touched on this a little bit already kind of in terms of engaging with people and getting the right messaging. But by design each of the organisations you represent have got unique security challenges and I'm not going to ask you to expose your passwords, expose your vulnerabilities as to what the challenges are necessarily, but I think it'd be really interesting for the listeners to hear what makes cybersecurity particularly difficult in the organisations that you're operating in?

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
OK, so we have shared devices in the ambulance service at the moment and the challenge with using shared hardware is it sometimes becomes nobody's responsibility. So we're moving away from that onto individual issue devices and I think that's really strong because people will get that sense of responsibility and they'll know it's up to them to take care of things. And that's for the education comes around with it as well.

But as I mentioned before, we've got, you know over 3,500 thousand mobile crew at around Yorkshire. And so making sure that we put all of the support in place for them so that they can work rapidly and safely and deliver critical patient care is really important and really quite challenging. So I think for me the biggest thing is that spread out disparate workforce whose primary focus is to deliver critical care.

Mike Fell, NHS England: 
Yeah, and I think you know inevitably you're towards the end of a spectrum of an operating environment that people would recognise, certainly office-based workers, and that, it’s all about the availability of things, the speed of an ambulance arriving and the prioritisation. Those are really kind of different ways of handling the same challenges and I know something that in a national function we invest in to try and make sure we do understand because the setting of national policy that is abstract and doesn't reflect those realities is the problem.

And Tej, again, we've touched on kind of some of the environments that you've got sight over that are different for different reasons. What are the biggest challenges that you come across?

Tej Gudka, NHS Arden and Greater East Midlands Commissioning Support Unit:
I think the changing landscape is really an ongoing challenge. For example, we're getting a lot of comments and asks around the use of AI and making sure that we are securing ourselves, but also leveraging some of the opportunities that AI can bring. So from some of the systems that we have, they may not have the controls we would necessarily want or we fully understand in terms of, for example, where data is being held. To allow or to warrant using certain parts of AI so they are the changing landscape can be quite difficult to really navigate and give a clear answer as to whether something can or can't be used in a healthcare setting.

Mike Fell, NHS England: 
Yeah, and AI is a really good example of that, right? This isn't binary. This is complex. This is there's layers of risk on it. How do you go about communicating that kind of complexity in a way that allows, the theme of today is ‘Is it just a security problem?’ So presumably you want somebody that's not a security professional to take the risk about whether to use AI. So how do you go about communicating that such that somebody that owns the risk in the business can make the right choice?

Tej Gudka, NHS Arden and Greater East Midlands Commissioning Support Unit:
I think it is helpful to give some guidance and policy around what you can and can't do. Share with them what the risks could be and what they need to look out for, so things like where the data is being stored, who owns that data when you give it up, what benefits are you actually getting from using that AI tool and making sure they make an overall judgement of whether they feel the risk is worth taking to use that tool.

I don't think a central body or an IT department alone can make that sole judgement. It needs to, they need to sort of be given the tools to be able to make those decisions.

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
AI and the speed it's coming at us is in danger of becoming our next shadow IT where we sort of know it's being used, but we're not entirely clear about the structures and the guidelines that are being used to implement and run it. So it's something that I'm tackling at the moment in the organisation is bringing that it out of the shadows and setting up a subgroup dedicated to new products that are going to be using AI. So that we can establish those really clear policies and guidelines from the beginning and help steer the organisation to make good decisions because you're right, Tej, we can't control it at all, but we can definitely save them with guard rails policies and benefits of, you know, taking these things and really applying thorough processes to them.

Mark Logsdon, NHS England: 
I don't wish to sort of personally prolong the conversation too much about AI, but I’ll just say a couple of things. You know, some of the challenges that this technology presents are not necessarily new ones. For example, authentication, is this really me or is this some sort of chat bot type thing that's talking for me sort of stuff. It's just come into more recent focus with some of these newer technologies.

Similarly with things like data toxin, poisoning the data sets that some of these tools use. Again, not a new problem we've been struggling, tackling those sorts of problems. 

But the other thing I just really want to touch upon, we can and we do in NHS England for security reasons use the same technologies for good. You know we are using them to kind of help us defend against attackers. So it's not a one way street where, you know only the only use of these scenes is a bad one in terms of security. It's just not the case. And I just want to put that balance a little bit on it, if I may, but you know, coming back to the challenges, some of the challenges that we face in NHS England and I'm just going to reflect actually on a couple of conversations I've had this morning, today, one was about endpoint security.

We're still talking about endpoint security a lot, you know, and doing certain things in there and some of the endpoint security auditing and various bits and pieces like that. So we're not going out at that. But I've kind of spoken to my team only this last couple of weeks and I want to start focusing as much a bit more on the data. Doing more data security because this kind of comes to the second sort of conversation I've had is, the challenge around needing to share data because data is increasingly, we've got, as you I'm sure you all understand, that we've got one or two bits of data that’s we're looking after the need to share that data as opposed to need to know about or to secure that data.

There's often a challenge between the term finding that balance between the two for us is often challenging, because we are the custodians of that data, you know, we've got to treat it accordingly and make sure that those we're sharing it with are going to do likewise because it's very precious.

We uniquely, I think I'm rightly saying across the globe are in a unique position when it comes to that sort of level of healthcare data and what we can do with it and how we can leverage it for good, and all the research purposes and bits and pieces like that. And it's very valuable and we need to treat it accordingly. Finding that balance is a real challenge for us across the piece, and I think you know one of the things that I'm pushing looking for is say going forward is doing more in the world of data security and augmenting what we do in endpoint security. Not that I'm suggesting for a millisecond just for the avoidance of doubt that we kind of get rid of endpoint security either.

Mike Fell, NHS England: 
And it's interesting Mark and I second you that you know not wanting to prolong the conversation on artificial intelligence cause frankly there's many other podcasts available that will go into that more, but the frankly astounding capabilities that we've seen evolve through large language models, in particular generative AI in the last 12 months or so, is all built, it’s predicated on the fact that there are large data sets available and then technical capability and resource to analyse it and allow the rules to develop around it. I think you're absolutely right.

Sam, we're getting kind of towards the end of things, but I think there's a real different end of the spectrum here from those population scale national data sets that have such opportunity and then the reality of the front line and in many cases the kind of strategy at the moment is delivering capabilities that many people may sense already or expect to already exist. Getting the right information to the right people at the right time to give improved health outcomes. What is it like on the front line? Is the data available when it's needed or is it all sat nice, secure and protected and not accessible in the way that it should be?

Samantha Robinson, Yorkshire Ambulance Service NHS Trust:  
What has been an absolute game changer for the Yorkshire Ambulance Service is building in a GP Connect functionality into our electronic patient record and what that means for anyone who wouldn't understand is that we can the paramedics can access the patient record from the back of the ambulance or in the patient's house and it's an absolute game changer because they can see recent medicines, allergies. It is really excellent and that means that they can get the patient to the right place for the appropriate care, or even better, keep them at home if that's possible.

So that is fantastic. Now when it comes to sharing that data as they arrive into different emergency departments on the notes and the handovers, that's maybe not always so slick. And that's something that we need to work on. However, the direct patient benefit that we can see in those critical environments is absolutely fantastic and we can see and the paramedics really agree with that. But we need to get it right, so that that's really seamless at any point in the patient journey, and I think we've still got a way to go on that.

Mike Fell, NHS England: 
What finer note to end on really there than that patient journey that I think particularly you know representing an ambulance trust that the whole theme of today about different responsibilities, is just one bit, a real demonstration there of the handover from ambulance into a secondary care setting to do that with the differing responsibilities that have been there.
So brilliant, well thank you so much, that's all we've got time for today and we have covered a lot of ground. Hopefully it has become apparent just how much cyber security touches different areas, but also how this is not a lone wolf operation where some security professional, wearing whichever cliche cape, hoodie or fedora you choose to wish, will single handedly fix all of this. I think we can all be assured that this is a joint enterprise in which we need to engage all the way across our organisation up and down and across, if we are to achieve a genuinely cyber resilient health system.

So I'd just like to thank Tej, Sam and Mark for sharing those valuable insights today. I think you've really demonstrated different ways of building different positive security cultures and how important that is for protecting the NHS and the clinical outcomes that we deliver. Some practical examples and, who knows, even some stories and analogies for others to use and abuse as they tell these stories that make people help make the right choices in this space.

So thank you. If you've enjoyed today's episode of The Cyber Sessions, please don't forget to subscribe and follow us wherever you get your podcasts.


Last edited: 21 May 2025 7:49 am