NHS Wales. Dr Carwyn Lloyd-Jones

Transcription

1 NHS Wales Dr Carwyn Lloyd-Jones

2 NHS Wales Provision of National Health Services in Wales is devolved to Welsh Government Policy/Strategy in England does not apply in Wales Budget into Wales is calculated according to Barnett formula 10 legal entities 7 x Local Health Board

3 NHS Wales Provision of National Health Services in Wales is devolved to Welsh Government Policy/Strategy in England does not apply in Wales Budget into Wales is calculated according to Barnett formula 10 legal entities 7 x Local Health Board 3 x all-wales Trusts Ambulance, Velindre (Cancer) and Public Health NHS Wales does not exist as an entity Public don t care about organisational boundaries. They just see the NHS

4 NHS Wales 20 x large hospital sites Lots of community hospitals/clinics 440 GP practices, 600 sites 15 IT departments 90,000 users 65,000 computers 5,000 servers 1,000s of IOT 1 network Connections to N3, UAs, Welsh Gov, etc 1 Active Directory Domain (almost)

5 NHS Wales Informatics Service National IT + Information organisation for NHS Wales >600 staff, 5 offices Provide ~100 systems/services to NHS Wales orgs Clinical systems Pathology, Radiology, Cancer, etc Infrastructure services AD, DNS, Internet, , Skype, etc Security services Manage all IT in GP practices across Wales 10,000 PCs, 12,000 users Provide IT services to small NHS organisations 2,000 servers 2 data centres + smaller server rooms Hosted by Velindre NHS Trust

6 WannaCry

7 Cyber Security in NHS Wales - The strategic challenges Dr Carwyn Lloyd-Jones

8 Summary Who is responsible? Coordination across the UK GDPR and NIS-D Staffing Investment All-Wales initiatives under way

9 Who is responsible?

10 Quick recap. 20 x large hospital sites Lots of community hospitals/clinics 440 GP practices, 600 sites 15 IT departments 90,000 users 65,000 computers 5,000 servers 1,000s of IOT 1 network Connections to N3, UAs, Welsh Gov, etc 1 Active Directory Domain (almost)

11 Who is responsible? 10 x legal entities? Chief Execs / SIROs / Associate Director for IT? 15 x IT departments? NWIS? Welsh Government Cabinet Secretary (Minister)? Civil Service? NHS Digital? National Cyber Security Centre?

12 Who is responsible? Technically = 10 x legal entities These would be the people that get the fines from the ICO In practice, we work collaboratively across the various organisations The challenge is not unique to Cyber Security. Same challenges exists for measles outbreaks, major incidents, etc. Not always easy Different orgs have different risk appetites Different people have different views However it is a small community <15 significant IT departments Having capable and trusted leaders is critical

13 Operational Strategic Governance Cyber security is on the agenda at all levels of NHS Wales Welsh Government National Informatics Management Board SIRO peer group Associate Directors of Informatics Infrastructure Management Board Operational Security Services Management Board + others

14 Coordination across the UK Cyber attacks/threats have no boundaries NHS Wales network is connected to N3 network in England, which is connected to Scotland, Northern Ireland, Isle-of-man, etc. NWIS co-ordinate response in Wales, liaising with: CymruWARP Unitary Authorities

15 GDPR and NIS-D General Data Protection Regulations come into force in May 2018 Replaces the Data Protection Act (1998) More responsibilities Bigger fines Tighter timelines for reporting (72 hours) Fine for not reporting - 10 million Euros or 2 per cent of your global turnover Maximum fines of 20m or 4% of global turnover

16 NIS Directive Directive with the aim of increasing the security of Network and Information Systems (NIS) within the European Union (EU) Applies to Operators of Essential Services (OES) Water companies, Energy Companies, Oil/Gas distribution Transport Rail, Air, Maritime, Local Health Boards and NHS Trusts in Wales Comes into UK May 2018 Maximum fines of 20m or 4% of global turnover

17 Staffing General shortage of good IT staff in Wales NHS Salaries cannot compete with private sector But, lots of benefits pension, flexible working, etc Public Sector Bodies keep poaching candidates from each other Even bigger challenge for Cyber Security Very difficult to recruit suitably skilled candidates Looking at various options Working with Universities placements, projects, etc. Training other staff who want to work in Cyber Security Outsourcing certain elements to private sector

18 Investment Public sector purse is not full right now. However, WG and Cabinet Secretary have and are investing in Cyber Most goes on replacing old equipment

19 NHS Wales Cyber Security Initiatives Welsh Cyber Assurance Programme Including an external review of controls and capabilities Development of minimum standards for NHS Wales Strengthening our Cyber Security Incident Response Plans Lessons learnt from WannaCry Developing a cloud policy for NHS Wales Piloting (12,000 users!) with Office365 Security Monitoring SIEM Developing improved Security Awareness materials/processes Enhanced testing of backup/restores/dr processes Strengthening contractual arrangements with 3 rd party suppliers

20 Questions? Thank you for listening