
Cyber security on the frontline

This episode explores cyber security on the frontline of NHS services.


When you're working in a busy healthcare setting, there are many risks you need to consider: infection control, availability of resources, and estate infrastructure are just a few examples.

Just as washing your hands is routine in a clinical environment, we need to make cyber security part of our daily habits.

But is this achievable for busy teams who are being pulled into life and death situations every day? And is it right to give our clinicians yet another responsibility? Who has time to learn about cyber security?

Cyber security on the frontline transcript

Mike Fell, NHS England:
Hello and welcome back to The Cyber Sessions podcast. I'm Mike Fell, the Exec Director of Cyber Operations here at NHS England, and we are joined by more erudite guests on today's session. So, just as washing your hands is routine in a clinical environment, today we're going to be translating that and working out how we can have the equivalent in making cyber part of our daily habit, that cyber hygiene that we all want in clinical settings.

So it is going to be a clinical focus today, and I'm really pleased to be joined by two excellent people with vast amounts of clinical experience and also decent cyber insight.

So, firstly, we're joined by Catherine Jackson. Would you like to introduce yourself and say a little bit about your role, Catherine?

Catherine Jackson, NHS England:
Hi, I'm Catherine Jackson. I am Clinical Informatics Manager for cyber operations here at NHS England. That is a very, very long title, but essentially I am a nurse by background and I work with our clinical lead to provide clinical insight and clinical safety input in the work of the cyber operations team.

Mike Fell, NHS England:
Thank you very much, Catherine. It is a relatively new role in the team, and a really important one for me as a security professional, to actually have that clinical input on the ground when we're dealing with incidents, and to know that we really have got an understanding of the kind of impacts that the decisions we're making do have. I'm also really pleased to be joined by Vicki Faint. So would you like to introduce yourself too?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
Of course. Hi. Thank you for having me. I'm Vicki Faint. I am another long title, the Lead Nurse for Digital Patient Safety within Leeds Teaching Hospitals Trust. So I'm a Clinical Safety Officer.

My focus really is patient safety. I sit within the Informatics Department, trying to create that bridge between the digital world and the clinicians on the shop floor, linking it all back into patient safety. Prior to taking on this role, I'm a nurse by background; I worked in intensive care for a very long time, and have not been there for a while, but I hope that I can still bring to my role that experience of being on the front line and how we can get it to work for us and with us. But yeah, thank you for having me, Mike.

Mike Fell, NHS England:
I'm very pleased to, not least because it's the area that I'm not embarrassed to say I have least experience in and really do rely on, because, you know, through some of the other podcasts in this series, and in the way that we work every single day, we work really hard to make sure cyber is represented as the patient safety issue that it is.

Because it's the right way of approaching it, but also because it's the right way, I think of getting the traction to make sure that it's recognised for the risk that it is.

So, to that point about me as a security person not really knowing as much as I should about this, what would you say are the unique cyber risks? What makes a clinical environment different from some of the, you know, offices or other spaces that people in roles like mine might try and secure?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think, especially now in the NHS, so much of our life is on a digital system. So much of our important patient information, that we need in a time-critical fashion, we need to know quickly. We need to have access to it quickly.

If that's gone because of a cyber incident, that can have really serious and quite immediate repercussions on a patient if you are in something like an emergency situation.

You need to have that information quickly and available, and if it's not there, well, we have become so reliant now on these systems that there are delays to care, and people not actually remembering how to get to the information they need anymore, because we're so used to having it at our fingertips.

It could be such a really, actually really difficult time for the staff trying to treat their patients blind, almost, because we don't even have the record of what drugs we gave to our patients the previous day, which again is very, very important. So it is just time-critical, really. And we're just so dependent now.

Mike Fell, NHS England:
Yeah, and I think it is that real focus on availability that, certainly from my experience here, does really differentiate it, and availability in a different way from other high-availability kinds of industries as well. Catherine, what would you say it is that makes it different for you in a clinical environment?

Catherine Jackson, NHS England:
I would agree with everything that Vicki said, because the NHS, rapidly over the last few years, has had a very fast digital journey. You know, when you're talking about having information at your fingertips, it's what you write your business cases to reflect when you're asking the board to give you however many thousands of pounds to produce your EPR, your electronic patient record. You often sell the benefits of information being there at the click of a button, information sharing, so you can quickly transfer information trust to trust.

And in a cyber attack that goes, because if your system is taken down, because either a threat actor, a bad person, has got in and turned your system off, or you've had to take it offline to contain that information, it means that, as Vicki said, rightly so, that information isn't available anymore. And I've worked with clinicians who've complained, who've forgotten how long it took to rifle through a paper set of notes and realise that your drug card's lost in pharmacy.

And they've complained when it's taken 6 seconds for an observation chart to load, whereas if there was a cyber attack and it was completely offline, it wouldn't be available at all. And how do you treat your patients? And if the cyber attack has got in and the threat actors have manipulated your data, then how do you trust that the information you're being presented with is correct? How do you plan and manage your care if you can't find a blood result? My background is paediatric nursing, so I think about not being able to see antibiotic levels, your gentamicin levels. If you give a baby too much, you could actually cause them deafness; if you give them too little, then you're not treating the infection. And how, as a clinician, do you manage not having that information available? In a cyber attack it is a very real patient safety risk.

Mike Fell, NHS England:
Yes. 

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I mean, an example would be, I've been around the NHS long enough to remember when X-rays weren't immediately available. So, for an example, on intensive care, you take the X-ray, and we had to wait for the X-ray to come back, whereas now it's just there, and I don't know that we remember that process. So if we had to go back to those old ways of retrieving our information... I remember people having to run down and get paper reports from the labs and things like that, and we just don't do that anymore.

And we're not set up to do that anymore. So actually, it's not just the amount of time it would take us to go to the place to get the information we need. Do we even have the processes in place to create that piece of information on paper for somebody to run back with? And I think a lot of our more junior staff coming through now are very used to digital systems. Would they remember how to write a paper drug chart, or interpret a paper drug chart? Because they were complicated pieces of paper, and you had to get used to them, and they were written in a certain manner.
But now it's digital, and I don't know that we would remember how to do that safely.

Mike Fell, NHS England:
I think there are some really interesting points there about the risk management bit, and Catherine, you referenced rifling through the notes. As the child of a doctor, I remember spending my school holidays as a young kid with my mum ringing me up and saying, I need the pink notes, you know, number X on there, and rifling through, which is what we'd now probably refer to as an availability risk, and that thing not going. So I think in the overall risk management piece there is a narrative that isn't played out much about the consequences of that paper bit that weren't there.

But then, Vicki, I really recognise the point you raised around, increasingly, the paper-based processes simply not being there either, because people haven't been trained in that manner. And I do think, certainly from what I've seen, there's an awful lot of processes that have been digitised by taking the manual process and making it digital, which actually means that in some big incidents we've had, there has been a paper process. But I think increasingly, to get the real productivity benefits, well, there isn't going to be that. It's going to be a true digital process where that just isn't there. Which is, again, I think something that other sectors have seen where they've completely digitalised and done the business re-engineering on it. But it's things that we really need to start thinking about now: what is resilience at a clinical level when there isn't a paper fallback process?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think, as well, a lot of communication is done digitally, so if you've lost your digital communication channel, if you refer to another clinician using your electronic health record, which some systems can do, you've suddenly lost that. How do you get hold of that person to refer to, to ask for help, to ask for an opinion? We've almost got to remember how we used to do it in the old days, which was making a phone call, but who has the phones, who has the numbers? You'd have to sort of put that process back in if you were subject to a cyber attack. So it would be very, very complicated.

Mike Fell, NHS England:
Yeah.

Catherine Jackson, NHS England:
It's the duplication that that work brings, because now the beauty is I can refer electronically as a clinician. So if I was referring to Vicki, for example, she'd know it, but it would also automatically appear in the patient notes. Whereas if I pick up the phone or send an e-mail to Vicki to refer my patient, then I also need to document it. So it's remembering that. I used to hate it as a digital clinician, trying to explain to people that you're releasing time to care, but you are duplicating that process by having to make sure you're writing it in the right, different places to make sure there's an accurate record.

Mike Fell, NHS England:
Good. So I think what we can do is fast forward, on the assumption that we do need to invest in cyber and have fault-tolerant systems that are resilient and also hardened against attacks, for all the reasons that we've gone through there.

But then, when we're doing that, there are inevitably people that are involved in these processes, and the people are our biggest asset. I don't subscribe to the pejorative 'human firewall', 'humans are the root cause of 99% of cyber'. I just don't subscribe to that narrative. I believe that the technology needs to be made in such a way that it has downstream failures that mean people can't do that, but we do need to recognise that people interact with all this technology. So anybody that's spent any time on a ward, in a clinical setting, knows the competing demands of all the different things that need to be done. So how have you gone about making awareness of cyber a priority against all those competing demands, not least in terms of the learning time and the time away from giving care? That is at an absolute premium for them. What are the ways that work?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think it is very, very difficult, because, like you say, Mike, they are so busy and there are so many demands on their time that if you're going to do things like introduce some training or run an effective comms campaign, you've really got to think about who your target users are, who you are trying to get hold of, and what would be the best way of reaching them. And that is really hard, because as a nurse I never opened an e-mail when I was working, because I was on the go for 12 hours looking after my patient. I didn't sit down and just check my emails and think, oh, that's very interesting, I'll learn about that.

You know, so it's how do you reach the right people at the right time, and also how do you get them to be interested in what you're telling them? And I think one of those is you've got to make it really relevant to people. You've got to make your message short and sweet, and grab their interest. I think you've just got to try as many ways as possible as well, because no one way is going to fit everybody. So I think having a really good, effective communications team in your trust and reaching out to them, because they're the experts, they know about this stuff, and getting your training teams involved and seeing what they know works, is the way to go, because they've got absolutely invaluable knowledge of what we can do to get that message out there when we are so busy doing everything else at the same time.

Mike Fell, NHS England:
Yeah.

Catherine Jackson, NHS England:
And I think it's putting it in a language that, as clinicians, we understand, because we are taught from day one of university, no matter what branch of clinician you are, about evidence-based practice.

So you don't just do something, or not do something, just because someone said so; you think about why, why is that relevant for me and my practice. And so it's making sure that you've taken that into account. And I think of the Data Security and Protection Toolkit and the Cyber Assessment Framework that are out there, which talk about making sure that organisations ensure all staff are given cyber security training, but training that's appropriate to their role. So as a clinician on the front line, you don't need to know the ins and outs of a cyber attack, but you need to know what you need to know, and make it relevant and make it real. Because it's not just about being a clinician on the front line, it's how we maintain our own data security in our own lives, because although I said the NHS is on a digital journey, we are a digitally maturing population. In my lifetime you went to Blockbuster Video and rented your video, and you went to a travel agent and rifled through the brochure to look at where you wanted to go; now you click on a link and download a film, and you see a too-good-to-be-true offer in your emails and book your holiday, and you're sharing your data out on the Internet. And how can you do that safely? By learning the process to live safely, surely then you can help translate that back into your work and your roles.

Mike Fell, NHS England:
Yeah, I think some really good points there, and not least because they are very supportive of the direction that we take, which is, I think, that principle that it needs to be proportionate. You know, obviously those working in finance departments that are paying invoices every day need to know that it's quite common for criminals to intercept emails and change the payment details that are on there. But that's probably less relevant for other people, like porters, whereas, you know, for other examples it's the other way around. So, cool, well, I think we will take that as endorsement of continuing with the outcome-based approach of the Cyber Assessment Framework, and not trying to sheep-dip everybody with the same level of training, and trying to make it engaging and timely as well.

Moving on from training a little bit, but still around that feature of the time and the competing pressures and priorities of clinicians. In terms of engaging, what have you seen in the different environments that you've worked in? What's landed well? And it's probably more interesting to hear what we do, i.e. what security people do, those people that sit in ivory towers and discharge their responsibilities by putting out loads of campaigns and things like that. What doesn't work, as much as what does work, is what I'm interested in.

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think the key is always to work with the people you're trying to bring along with you. You've got to do it with them and not to them, so it's very important to... obviously I'm going to mention multi-factor authentication, because we've had to do that and that has been quite a journey. We have got everybody onto that, but it didn't work the same for everybody, because initially it was very much about where you use your phone to authenticate. But if I'm a nurse on a ward, I've not got my phone in my pocket.

Because that's my personal phone. And so it's finding those ways to run a successful campaign, but also take the feedback from the clinicians and the staff about what's not working for them, and then demonstrate that we are listening and that we are trying to find ways around it and trying to find ways to help them, and give them channels to come back to us and say, this isn't working for me, this is making my life so much harder. Because if people aren't listened to, they're not going to engage.

I think something that has worked: we do a lot of stuff with screensavers, and it's not often that a computer is not in use, but a lovely catchy screen that, you know, just warns people about phishing or things like that. Just a short, snappy caption, a message, a picture can say so much. So it's just about inserting it in the right places, but also listening to people.

Mike Fell, NHS England:
Yeah.

Catherine Jackson, NHS England:
I think, like Vicki said before, it's making the information that we're sharing real and relevant. So, you know, part of my job where I work is I go out and I discuss the clinical impacts of a cyber attack and how that can affect you. And that's often been quite engaging to anyone that I spoke to, but especially clinicians, because actually, as you said at the beginning, it's a patient safety incident. So if I share what the clinical impact was, that makes it real. And as I was going out and doing it for the first time, I was looking at a recent incident and the public-facing stats that were out there.

And there were missed appointments and cancelled surgeries, but some of them were with smaller numbers, but also how many organs were re-diverted and not able to be used in this area. And actually I shared those public-facing stats that anyone can find on the NHS England website. I shared them, and actually that hit home and made it real, that, you know, people had their organs re-diverted. Not that the organs were never used, but those are people in that area that actually didn't get what they were hoping for, and that makes it really real. And actually, if you were that surgeon that was planning to do a liver transplant that day and it couldn't go ahead, you'd be so annoyed. Not only that you'd planned it, but actually that you probably are the person that has to go and tell that patient that they're not getting that thing today. And so it's how that impacts them and how that makes it real.

Mike Fell, NHS England:
Yeah.

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think that's so important, those real stories, because people don't like to hear them, but it's good to know, you know, that could happen to me. So there have been some very powerful patient safety campaigns around other topics where actually the people that have been involved in the incident tell their story of what happened, and you feel like, oh God, that's me, that's somebody I know, and then the impact of that and hearing what happened afterwards, it really brings it home. And it does make you stop and think about, actually, what actions am I taking in my day-to-day life? Could I be the person who presses on the link, for example? It's so easy to do; some of these emails are looking so realistic now.

And then what would that mean? And like you say, sharing the stories about how many people's appointments were delayed, how organs had to go elsewhere. Like I said, to transplant teams that is incredibly powerful stuff. And they will know that not only have they got to go and talk to the patient and explain it, but the impact on that patient: they've been waiting for their surgery, they've been called in, and just having to go and face them and say, this is what's happened, and the reason behind that was because it was a cyber attack. You link it all back together and it just makes it really, really powerful.

Mike Fell, NHS England:
Yeah. And I think, you know, it's not an easy topic to talk on, is it? And I think we are incredibly fortunate that there is scant, if any, evidence of direct mortality as a result of cyber attacks, even globally. And that's despite, you know, some countries facing a lot higher incidence of cyber attacks than we do in the NHS. But as you say, it was a choice to make public the patient impact of a recent incident.

It was not an easy one, but it was the right one. And I think, as you said there, there is a personal story behind every single one of those statistics. As well as the personal impacts of that, it also gives us the evidence-based facts, to the earlier point about an evidence base, to have a narrative and a story that's compelling in helping explain why the investment, from individual training on cyber all the way up to board-level decisions that are made about the money,

is really important. I've also got to pick up on the comment that was made about multi-factor authentication, not least because it is probably the three words that feature most heavily in pretty much every talk that I give on this topic, because, frustratingly, the application of multi-factor authentication would likely have stopped every single one of the serious incidents that we've had in the NHS, certainly in the last 12 months.

But in doing that, you know, I do recognise exactly the point about, well, we seem to default to multi-factor authentication being the use of an authenticator code or an SMS message on a mobile phone.

So I guess, before we move towards more on that, what are the other security things that security does in a clinical setting on a day-to-day basis, what are the security road humps in the road? It reminds me of an analogy that one of my colleagues, Mark, always uses about brakes on cars. He says, you know, security is the brakes on cars, but you've got to remember that brakes are not put in cars to make them slow down. The only reason you have brakes in a car is to make the car safe to go faster. I don't think we're yet in that territory with all the security controls, but I'll use it as the link in to say, go on, it's like Room 101: what are the other security frustrations that are just annoying when you're on a ward?

Catherine Jackson, NHS England:
I think long passwords. And depending how your system has been implemented and designed, sometimes if you're made up of multiple systems that have multiple passwords, annoyingly they don't all change on the same day.

So you could have a password for your pathology system, a password for your X-ray viewing system, a password for your prescribing system, and they might all be ever so slightly different, so it's learning where you are on that password cycle. And they all have to be a particular number of characters, and a special character, and a number, and a capital letter. And it's making them easy for you to remember, but not too easy. It's getting that balance of them not being too long. If I have to put that password in every time, as a nurse, I administer a drug, you can imagine that if it's 12 characters, that is extremely... and the amount of drugs that a nurse might administer, especially on a busy intensive care, you have to put that password in each time, and it becomes very long and cumbersome. And I had a clinician that once was complaining to me about passwords and having to reset them and never remembering what they were. And she, tongue in cheek, I think tongue in cheek, told me that she'd set her password to 'I hate passwords' because she was so annoyed with where it is. And it's looking at different ways we can do it. So is there a way that you can have single sign-on, tap on, tap off with your card, that is secure and has that multi-factor authentication in it, but makes it almost invisible to a clinician and less disruptive to their role?

Mike Fell, NHS England:
But so you see, you've got my hook now, Catherine. I've thrown that out, and I've now caught the biggest fish that's going to pull me into the security river here. Because I share your frustrations. And as a technologist, everything you were saying there, any IT admin that is listening just needs to, like, please, please, please act on this. Because everything that you say doesn't need to be the case. As you say, the single sign-on solution is what we should be using, and yet we haven't, partly because we've just digitalised manual solutions. There seems to be an endemic desire to rotate passwords for no reason as well. And for over five years now, the National Cyber Security Centre has recommended that passwords do not need to be rotated unless there is any reason to believe that they've been compromised. And yet we seem to just do it. So my message to IT admins is: blame me. Please just go make policy changes that do this, because everybody just puts, like, 'spring', 'autumn'... I'm giving away the secrets here.

Catherine Jackson, NHS England:
It's name with a 1 and an exclamation mark.

Mike Fell, NHS England:
But, like, if you make people change their password every three months, people are just going to put the same thing with spring, autumn, winter and summer on it. And it doesn't need to be that way. And then the other bit out of that as well: you know, we were talking about multi-factor authentication, and it always has to be an SMS or an authenticator, and yet there are so many technical controls, like 802.1X, that you can use in clinical settings, with the actual device on the network as one of those factors, which you then combine with the thing it's got, to make the world easier. And, like, the maths, I'm not very good at maths, but the savings, quite apart from the security benefits, have got to be immense. So please do all those right business cases. Catherine and I are going to jointly petition. Right, let's keep going, because this is fun. What else is there?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I mean, I was going to go with passwords as well now, but I feel like I'm going to think of something else. But I mean, I think, if I can appeal to the IT admin, then please can we change them a bit less. But if we have forgotten them, and this happened to me last week, give me an easy route to reset it, please. Because if you do forget it, and we will forget it, because I've changed it and then in my head is the one that I've been using for the last three months and for the life of me I can't remember my password. Give me an easy option to reset it that I can do within a couple of minutes, because if I've got to call the service desk, if I've got to get someone to call me back just to change it, that is such a waste of time for staff on the wards.

Mike Fell, NHS England:
Yeah. And again, you know, self-reflection here as the person that has petitioned at a national level to implement the new multi-factor authentication policy that mandates it. In hindsight, I could have also pushed a lot harder for it to become a passwordless answer, because that's what MFA in its best deployments actually does: it takes passwords out. We keep on saying they get phished, people forget them, it causes all sorts of... there are ways of taking these out of the solution, out of the ecosystem, with it.

Right, I think that's probably enough password bashing for now. Unless there's any more on it, but who knows? There are halcyon days in the future in which we can have some of this stuff. The other one that I'm going to throw in there, as I think I'll get a great answer to it, is shared logins. So, shared logins would be where you, the security person, will obviously sit there and go, why on earth are you doing that? But there are realities about why some of this stuff happens. So, talking to the naive security bod, why is it that we get shared logins sometimes? Not that I'm saying there are. In this hypothetical really bad place where this happens, of course not, not anything you've seen yourself, but hypothetically, why might we be in a shared login situation?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think some of it is a hangover from a long time ago, that they actually exist in the first place, and maybe we just haven't done that good housekeeping to go through and get rid of them, and people remember them.

So, you know, if the whole team's using it, the whole team's going to remember the password. Oh, yeah, it's so-and-so, you know, that's how you get in. So a lot of it is making sure that we've done that, we've gone back and made sure that we've got rid of them, if we did have them, if we do have them. So I think, like anything, it's always the easier path. People will take the easier path, and if that easier path is a shared login they're all using, then they will take it, absolutely.

Catherine Jackson, NHS England:
It's sometimes seen as quicker. So, in my hypothetical world, if everybody's logged on to the same system, the next person can come and use it without logging out, because you're all sharing the same login, and it's seen as quicker. So, going back to MFA, if I have to log out and then Vicki logs in, then she'd need to put her password in and her code. Whereas if the next person could just come and use it... that's probably why it's a hangover, because it's seen as quicker. Whether it is or it isn't, that's how it's perceived.

Mike Fell, NHS England:
Yeah. And again, I think it comes back to designing things with the user in mind. So, cool, right. We're going to fast forward a little bit now to the rare event that things do go wrong, and they genuinely are rare events, for destructive or system-loss kinds of cyber incidents to happen in the NHS, because of the hard work that's been done with investment, certainly since the WannaCry incident.

When we do do that, we've got really important lessons from near misses and from incidents that take place across the system. How do we play back that learning so that it's not lost? We talked about telling stories earlier and bringing it to life using data from the impact of things. But are we good enough at playing back that learning from the near misses?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think we've got a lot of good work we can copy, as it were. A lot of the patient safety work that already exists has a very good process for not only making sure that near misses are reported, and in that way it's very important to have a just, no-blame culture, so that people feel that they can go, "Actually, I nearly did this, but we need to share some learning. I need to make other people aware of the potential."

But also that we play those stories back, and that we take time to gather that learning and then share it appropriately in a way that, again going back to comms, works for people. So real stories: what can we learn from incidents that have happened, and what are the things that we could do to stop it happening again? And I think following the process that a lot of the patient safety stuff does follow would be really helpful with the cyber things as well, because at the end of the day it all comes back to patients. So what was the impact on the patients? Tell me a story. Who did it affect? And actually, how do we stop this in the future?

Catherine Jackson, NHS England:
I think learning from incidents that we have had, when we've had to invoke business continuity procedures, and like Vicki said right at the very beginning, and we spoke about at the beginning, often those are going back to paper. It's learning: do staff know how to do that?

Mike Fell, NHS England:
Yeah.

Catherine Jackson, NHS England:
You know, students are probably coming out of university having never been taught paper, and it depends where the organisation is on their own digital journey. And if you've got a business continuity procedure, when you wrote it... As an ex lead digital nurse, before I joined NHSE, I wrote business continuity plans, and now, knowing what I know, would I write them in the same way? Would they withstand it? One thing we have learnt from cyber incidents is that the period of downtime is often a lot longer than what people initially expect. Are those business continuity plans resilient enough to withstand that downtime? And then when you take the data back, that disaster recovery, that data repatriation, how do you do that? How do you get that information there? Because however long your system's been down for is how big the warehouse full of paper that you're suddenly producing is. How do you put that back on the system so that the patient chronology is back and the clinician knows that the information's there, so there's not that gap in information being available?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think it's true. Do we practise this? Do we take a real event but put it into our, you know, little hypothetical: we'll go into a room, we'll play through the real event and we'll test our BCP against it, because actually this is what happened, and this is what we've written down, but would our BCP have been effective in that situation? And I think we will find that there is a lot of stuff we've missed and that actually we need to rewrite a lot of things. Like you said, we don't tend to think of how long it's going to be down for.

And do we actually consider putting that data back into the system? Yes, we're going to make reams of paper, but in our BCP, is there a plan for, well, how do we get that back in the record, and back in the record in the right place as well?

Catherine Jackson, NHS England:
And does your record allow you to put it back, depending what kind of system you've procured? Does it allow you to scan that paper back in, or is it always going to be in a different place to where the majority of the information is? And also, as the systems develop and grow, have you updated that business continuity plan? Because it could be that you've got reliance on one group of people, that every different business continuity plan revolves around them. And actually, if we had an entire hospital downtime, which is what an attack could result in, is that too much work for one specific group of people to maintain realistically? So are they real? Are they, like you say, would they withstand the full effect that it could bring?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think as well, are our BCPs only for one application? So we're writing a BCP for our eMED system and a different BCP for others. But if it was a really big cyber attack, what if it's all gone? Actually, how does that clash of BCPs work? Would they work together? So I think there's a lot to unpick, and we've got a lot to learn from recent incidents and how we can improve our own processes.

Mike Fell, NHS England:
Yeah. And it's interesting. I have a lot of conversations about these themes, about the clinical prioritisation, which I've seen in other sectors that I've worked in as the business criticality of different services, and the reality that there is only a finite number of people that can rebuild them should they need rebuilding. The thing that I've seen differently in health is this real realisation, I'd say in the last two years, that the plans do need to plan for outages of months, when they're built in hours. And I do think exercising and testing, which we've touched on there, Vicki mentioned it, is part of the answer here, and I was really pleased that NHS resilience chose cyber as one of the seven themes that all hospitals have to test against over the next 7 years.

As I think it will be a really useful opportunity. As well, I think, you know, throughout the conversation today we've demonstrated that just culture that we want, and what a balancing act that takes to bring real, factual, evidence-based examples without falling into the trap of victim blaming and shaming. And I think that does take a tightrope to be walked. Quite often, you know, certain organisations will be very proactive, like the British Library was in publishing very frank things that allow everybody to learn from. But I recognise that's not appropriate for every organisation that has had a cyber attack.

But I do think shaping it in the way that we have done today, to talk about recent incidents and pseudonymising, anonymising and aggregating the findings from those to make the exercising realistic, has got to be a good one. And I think it also helps, hopefully, with some of the realism, and with making the training, the awareness and the deployment of security tooling land better in a clinical setting, if the security professionals involved can demonstrate that we do have a greater level of clinical understanding. So thank you.

I think at that point I've probably spoken enough as, you know, a security bod, given the spirit of what we're achieving today, which is really turning the table on the patient safety bit. So we're constantly trying to teach clinicians about cyber and why MFA should be used, and whatever the latest Fancy Bear, cosy panda, you know, TLS, SolarWinds kind of jargon is around this, when it really doesn't matter. But turning the tables, what can the security community learn from clinicians? Both are, you know, life-critical things. Both are, in some cases, highly regulated, highly trained, with really mature, well-developed processes to avoid harm and manage risks. So what are the things to leave me with that you can teach me?

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think it is, I mean, it's hard 'cause I don't know if I want to presume what you guys are already up to, but I do like the way in which that safety learning has really come on, and that we really, really share the learning, that we get together and we talk about, OK, this has happened, what are we going to do about it next time. It's that looking forward, not looking back, not blaming people, but having that "OK, right, next time what are we going to do, how are we going to stop it", and getting everybody together to talk about it. And I think the more that people, particularly in similar roles to myself and Catherine, where we bridge that clinical digital space, can bring our cyber teams together with our clinicians on the shop floor, so we can learn to understand each other's roles, I think that's going to be really powerful.

Just thinking now how much I'd actually love to take my cyber team on a walk around the wards to see, you know, what is going on out there. We've done that with other teams in our Informatics department and it really opens your eyes to what you're dealing with.

Catherine Jackson, NHS England:
And I think we mentioned it earlier on, but it's learning from near misses as well as actual incidents. Although actual incidents have that powerful impact, as clinical teams the best practice is that we complete an incident form, Datix or whatever system that you use, when you have found an incident, but also when you've stopped one happening. And as IT teams, if your security processes have withstood an attack, so no one's got in, it's how do you share that information with your neighbouring organisations, with your teams, to say, look, we had this process in place and it stopped this happening.

And I know some of that we can do as NHSE, because if they're onboarded to our big systems, we can monitor and we can see what's happening. But there's also the Cyber Associates Network that people can join and share that information with each other, and help learn from each other, and learn when things have gone well as well as when things haven't gone so well. And so then organisations can take it back, like we were saying about testing business continuity plans, they can take it back and say, actually, if that happened to me, to our organisation, would we withstand that? Have we got everything in place that could stop that incident happening?

Mike Fell, NHS England:
Yeah.
 
Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think you're right, Catherine. I look at a lot of Datix reports and most of them are marked as no harm or near miss, but we're so used to filling them out because we know that it's important to flag up the near misses, because usually that gives you an idea that you're moving towards something that might happen in that area. If you're getting a lot of near misses in a certain area, maybe you need to take a little look a bit closer, and I think it just starts to flag up low-level stuff. And I think, I mean, I don't know how we would do that with the cyber. Do we just start writing them into Datix and make the form fit for that as well? You know, you don't want to have too many ways of reporting things. You just need one way of doing it. One simple way.

Catherine Jackson, NHS England:
And I think, as you said, Mike, with the incidents that we have had, luckily there's been limited or no reported patient harm, but still those stats make you go, oh, that was a close one. What could have happened? And making that sit real in your own mind.

Mike Fell, NHS England:
I think viewing this as a safety management system kind of approach leads you to say, well, actually, if we're genuine about cyber being a patient safety issue, why wouldn't it just be a category of Datix? Ultimately that's what it is. I've worked in organisations that have had tens of thousands of security incident reports every year because they've had that really healthy reporting culture, indeed to the point once when the National Audit Office came and asked why we'd got so many security incidents being reported when a similar organisation had got like a hundredth of that, and we were able to flip that round and say, I think you should be asking the other one why they've got so few, because actually it shows that we've got the right culture. And I'd love to think that we can extend that out to cyber across the NHS and really extol that ability of learning from the near misses, so that it's not just an intelligence-led approach of us ingesting inhuman amounts of technical data and using that, but also ingesting inhuman amounts of human data about where things have nearly caused problems.

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think as well patient safety's really heavily into human factors and how humans act. And I think that's another important thing to bring into all of this: you can have the best system in the world, but, you know, people will act in certain ways, and it's understanding those triggers and what's going on in the wider environment with people, so that our systems do work with them and don't become blockers and then just get seen as, oh, it's too difficult, I'm not going to do that.

Mike Fell, NHS England:
Yeah, absolutely. In a different life, studying geography, that was defined as humans' interaction with their environment, and you could never view them in isolation. I think the same is true with technology, isn't it? Purely, you know, humans' interactions with the technology is the definition of digital solutions. So, OK, I'm going to start to wrap things up by showing that I was listening and saying clearly that what we're wanting to avoid in the cyber of the future is the never events. That is the thing that needs to be avoided in healthcare, and I'll give you both the final word: what would be your one thing that you would like clinicians to take away that can help protect us and put us in a world where we don't have any cyber never events in the NHS?

Catherine Jackson, NHS England:
I think for me it's the fact that cybersecurity is not just an IT issue or, dare I say, problem. It's something that we all have a role in, and I won't take credit for the quote I'm about to say, because I was in a women in cyber meeting and this lady said something that really stuck with me: that the cyber threat is a multidisciplinary threat, and therefore so should our approach be. And that really stuck with me, because we talk about multidisciplinary teams as clinicians, and actually do we factor in the IT department and the cyber specialist as part of that multidisciplinary team? And going back to what you said, Mike, at the beginning about hand washing, you know, if an IT person walked onto a ward or department, we would expect them to be bare below the elbow and wash their hands when they came on. So why wouldn't we expect that a clinician would take that same kind of cyber and data hygiene when we're dealing with patient data in the systems that we implement?

Mike Fell, NHS England:
Right point, Catherine. I love it.

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
I think I'll probably just keep mine really, really short, and I'm going to give credit to one of my comms team who talked about the importance of short messages to clinicians: that cybersecurity is patient safety, and therefore patient safety is everybody's business. So we can't think of it as something separate, because it is so important to keep our patients safe.

Mike Fell, NHS England:
Amazing. Well, what better messages to finish on than those? It's been amazingly insightful for me today. I think I was probably most nervous in sharing this of all the podcasts that we've recorded so far, in that I don't know enough, and I could never know enough, about the clinical impacts and the realities. So it's been amazingly insightful for me, and hopefully it has been for the listeners as well. So a huge thank you for sharing your insights today and joining me on this.

So for the listeners, please don't forget to subscribe and follow wherever you get your podcasts so that you don't miss out on future episodes of The Cyber Sessions.

And once again, a huge thank you to Victoria and Catherine for everything that they do in discharging health and care, but also in encouraging everybody to be as cyber secure as possible while doing so. Thank you.

Catherine Jackson, NHS England:
Thank you.

Victoria Faint, Leeds Teaching Hospitals NHS Trust:
Thank you.

Last edited: 27 January 2025 11:49 am