NHS Digital is to set up a white-hat hacker cyber security unit, following a stormy 2017 where the WannaCry ransomware attack affected 40 NHS England Trusts still running unpatched Windows XP systems.
The move was welcomed by privacy campaigners and the wider security industry.
"It’s a good idea – computer systems are a key part of medical device safety," said Phil Booth, director for independent medical privacy scrutiny group MedConfidential. "A CT scanner is useless without its controlling computer, and it is dangerous for it to be unprotected, as the NHS saw recently with the WannaCry outbreak."
The Cyber Defence Unit will be housed within NHS Digital’s Security Operations Centre (SOC), and a procurement contract is out for tender as of this week.
It will run a monitoring service and share guidance on threat intelligence and remediation across the health and care sector. The SOC will also provide on-site data security assessments for NHS organisations, as well as support for NHS organisations that have been affected by a cyber incident.
NHS Digital is floating a figure of £20 million to attract a partner organisation, which will support the project. The specific work has not yet been set out, but it's safe to say it will span a range of capabilities, and will probably also cover penetration testing.
Most of the contributions from the partner organisation will be for knowledge-sharing, training and development, while the work at the coalface will be carried out in-house. But in emergencies and when capacity is low the SOC will be able to draw from a pool of cyber security experts from the partner organisation.
Procurement started this week and should be finished by May 2018, with new services likely to be introduced during the three-to-five-year contract.
The procurement notice says the SOC will deliver "enhanced cyber security capability and services to internal and external customers across the health and care sector", as well as running live operations for CareCERT, the NHS' existing security emergency response team.
MedConfidential's Phil Booth also welcomed NHS Digital's approach to the tender, and agreed that at this early stage, there's reason enough to be cautiously optimistic.
"The NHS is correct not to be following the alternate and more common, risky approach of outsourcing to the lowest bidder hoping they don’t keep a copy of everything, just in case it turns profitable to sell it on later," Booth said. "That outsourcing approach went fatally badly for hospital hygiene, and there is no reason to expect cyber-hygiene would work any better.
"Outsourcing some of the process parts to someone who has done it before sounds reasonable.
"The question is how the framework gets screwed up in practice, which is too early to tell. But it can be done safely – and even if they screw it up, it can be fixed."
Although the unit was only announced this week, in the wake of the WannaCry ransomware disaster, it is understood to have been in the works before WannaCry struck.
A National Audit Office investigation earlier this year found that the Department for Health was warned about the risks of NHS cyber attacks a year in advance of the WannaCry outbreak, and although some efforts had been made to temper the impact, the end result was found to be lacking.
But Amyas Morse, head of the NAO, said in October that the Department and the NHS "need to get their act together to ensure the NHS is better protected against future attacks" – so perhaps this initiative could do just that.
Andrew Clark, EMEA director at One Identity, said: "Already in the UK the NCSC is making an impact in defensive advice to business and government and will provide the expert guidance for security professionals hired by NHS Digital to be proactive.
"Overall, we are seeing an important shift in government strategy. It is encouraging to see these steps taking place that provide a stronger foundation for effective provision of essential services."
Security researcher Graham Cluley said that cyber security problems are tied to the wider under-funding of the NHS.
"I hope that the powers that be aren't thinking that just building a defence team will solve the problem though," he said. "At the heart of the NHS's IT security challenge is a lack of investment throughout the NHS. It's easy and relatively cheap to replace or update a PC, but far more costly to refresh expensive hospital equipment that doesn't have drivers for PCs running operating systems later than Windows XP."