Written by John Noble CBE, Advisory Board member
Reliance acsn Advisory Board member John Noble CBE has extensive experience of the work of NHS Digital in defending the nation’s treasured healthcare resources. In this three-part blog, he shares both the challenges and the advances, against the backdrop of the COVID-19 pandemic.
It was during a discussion with Martin Sutherland, the newly arrived CEO at Reliance acsn, and Robin Vann, Reliance’s Chief Solutions Officer, that the idea for this blog developed. I am very grateful to Martin and Robin for giving me the chance to write about NHS Digital, cyber and the response to COVID-19.
Why it matters to me
I come from a family of doctors, nurses and social workers, so from my point of view when it comes to focusing cyber defences where they matter most, the NHS is an urgent priority – and my career trajectory has brought me some precious opportunities both to support it, and to gain insight into the challenges that it still faces.
I first worked with the NHS as Director of Incident Management at the National Cyber Security Centre at the time of the WannaCry incident. It was a fascinating but also very worrying experience. The attack – which was not targeted specifically at the NHS but nonetheless wreaked havoc within it – really highlighted the cyber risks that the NHS (and many other healthcare organisations) were carrying.
There was of course much criticism of the NHS over WannaCry. However, I think that it is important to remember how difficult it can be in healthcare to get the balance right between security, usability and cost. Every pound spent on cyber security is one less spent on patient care.
My understanding of these challenges grew further when I participated in the Department of Health’s subsequent review of the WannaCry incident. From that review, a Cyber Security Programme for the NHS was developed; below, and in the two further episodes of this blog, I explain more about NHS Digital’s work to deliver on that programme.
NHS Digital: a key technology partner
Following my work with the NCSC, I joined NHS Digital as a Non-Executive Director (NED), with specific responsibility for information assurance and cyber security.
NHS Digital is the information and technology partner for the NHS. It provides essential central services such as NHS mail, which has 1.3 million staff logging into their mail accounts each working day, with over 47 million daily transactions across the mail system. NHS Digital also delivers, amongst many other capabilities, the Electronic Prescription Service (EPS), through which two million paperless prescription items are processed each day. Such services are central to the work of the NHS, and clearly, protecting them is paramount.
The NHS Digital Board – who take a keen interest in security and information governance – want assurance that the organisation is doing everything possible to protect its systems and those of its partners across the NHS.
The way that the assurance question is addressed is through the work of my committee. I am joined by two other NHS Digital NEDs, plus experts from NCSC, NHSX (which oversees digital strategy), the Centre for the Protection of National Infrastructure (CPNI) and the Cabinet Office.
The support of a ‘critical friend’
We act as a ‘critical friend’ ensuring that the NHS Digital Senior Management Team has taken the right steps to better understand and counter the cyber risks ranged against it. One of the ways that we explore these issues is by using the NCSC’s Board-level questions.
This approach sets five critical cyber assurance questions for Board members to ask, plus two further questions that we have added, specifically around the availability of secure offline back-ups and security implications relating to people.
In the next instalments, I’ll be looking at how NHS Digital is focused on delivering critical new IT and data capabilities as well as higher levels of cyber security to help the NHS to defend what it and the nation holds most dear – and I’ll be exploring how the COVID-19 pandemic is placing it under extraordinary pressure that forces us, now more than ever, to temper reassurance with realism.
ADVISORY BOARD MEMBER
John Noble is an experienced senior leader with a strong track record for operational delivery and strategic business change, formerly the Director of Incident Management at the National Cyber Security Centre (NCSC), where he led on nearly 800 major cyber incidents. This work has given him unrivalled experience in dealing with and understanding the causes of cyber issues. Prior to that, John spent four years at the British Embassy in Washington, USA.
During more than 40 years of government service, John has built collaborative, diverse and high performing teams and has excelled at creating effective partnerships. For his work in creating effective partnerships in the run up to the London Olympics, he was awarded a CBE in 2012.