NHS Wales Dr Carwyn Lloyd-Jones
NHS Wales
Provision of National Health Services in Wales is devolved to Welsh Government
  Policy/strategy in England does not apply in Wales
  Budget into Wales is calculated according to the Barnett formula
10 legal entities
  7 x Local Health Boards
  3 x all-Wales Trusts: Ambulance, Velindre (Cancer) and Public Health
NHS Wales does not exist as a legal entity
The public don't care about organisational boundaries. They just see the NHS.
NHS Wales
20 x large hospital sites
Lots of community hospitals/clinics
440 GP practices, 600 sites
15 IT departments
90,000 users
65,000 computers
5,000 servers
1,000s of IoT devices
1 network
  Connections to N3, UAs (Unitary Authorities), Welsh Gov, etc.
1 Active Directory domain (almost)
NHS Wales Informatics Service (NWIS)
National IT + information organisation for NHS Wales
  >600 staff, 5 offices
Provide ~100 systems/services to NHS Wales organisations
  Clinical systems: pathology, radiology, cancer, etc.
  Infrastructure services: AD, DNS, Internet, email, Skype, etc.
  Security services
Manage all IT in GP practices across Wales
  10,000 PCs, 12,000 users
Provide IT services to small NHS organisations
2,000 servers
2 data centres + smaller server rooms
Hosted by Velindre NHS Trust
WannaCry
Cyber Security in NHS Wales - The strategic challenges Dr Carwyn Lloyd-Jones
Summary
Who is responsible?
Coordination across the UK
GDPR and NIS-D
Staffing
Investment
All-Wales initiatives under way
Who is responsible?
Quick recap.
20 x large hospital sites
Lots of community hospitals/clinics
440 GP practices, 600 sites
15 IT departments
90,000 users
65,000 computers
5,000 servers
1,000s of IoT devices
1 network
  Connections to N3, UAs (Unitary Authorities), Welsh Gov, etc.
1 Active Directory domain (almost)
Who is responsible?
10 x legal entities? Chief Execs / SIROs / Associate Directors for IT?
15 x IT departments?
NWIS?
Welsh Government: Cabinet Secretary (Minister)? Civil Service?
NHS Digital?
National Cyber Security Centre?
Who is responsible?
Technically: the 10 x legal entities
  These would be the people that get the fines from the ICO
In practice, we work collaboratively across the various organisations
  The challenge is not unique to cyber security. The same challenges exist for measles outbreaks, major incidents, etc.
  Not always easy
    Different orgs have different risk appetites
    Different people have different views
  However, it is a small community: <15 significant IT departments
  Having capable and trusted leaders is critical
Governance (strategic and operational)
Cyber security is on the agenda at all levels of NHS Wales:
  Welsh Government
  National Informatics Management Board
  SIRO peer group
  Associate Directors of Informatics
  Infrastructure Management Board
  Operational Security Services Management Board
  + others
Coordination across the UK
Cyber attacks/threats have no boundaries
NHS Wales network is connected to the N3 network in England, which is connected to Scotland, Northern Ireland, the Isle of Man, etc.
NWIS co-ordinates the response in Wales, liaising with:
  CymruWARP
  Unitary Authorities
GDPR and NIS-D
General Data Protection Regulation (GDPR) comes into force in May 2018
  Replaces the Data Protection Act 1998
  More responsibilities
  Bigger fines
  Tighter timelines for reporting breaches (72 hours)
  Fine for not reporting: up to €10 million or 2% of global annual turnover, whichever is higher
  Maximum fines: up to €20 million or 4% of global annual turnover, whichever is higher
NIS Directive
Directive with the aim of increasing the security of network and information systems (NIS) within the European Union (EU)
Applies to Operators of Essential Services (OES):
  Water companies
  Energy companies, oil/gas distribution
  Transport: rail, air, maritime
  Health: Local Health Boards and NHS Trusts in Wales
Comes into UK law in May 2018 (the Network and Information Systems Regulations 2018)
Maximum fines of €20m or 4% of global turnover were the figures consulted on; the UK Regulations as made set a maximum penalty of £17 million
Staffing
General shortage of good IT staff in Wales
  NHS salaries cannot compete with the private sector
  But there are lots of benefits: pension, flexible working, etc.
  Public sector bodies keep poaching candidates from each other
Even bigger challenge for cyber security
  Very difficult to recruit suitably skilled candidates
Looking at various options
  Working with universities: placements, projects, etc.
  Training other staff who want to work in cyber security
  Outsourcing certain elements to the private sector
Investment
The public sector purse is not full right now.
However, Welsh Government (WG) and the Cabinet Secretary have invested, and are investing, in cyber security
  Most goes on replacing old equipment
NHS Wales Cyber Security Initiatives
Welsh Cyber Assurance Programme
  Including an external review of controls and capabilities
Development of minimum standards for NHS Wales
Strengthening our Cyber Security Incident Response Plans
  Lessons learnt from WannaCry
Developing a cloud policy for NHS Wales
  Piloting (12,000 users!) with Office 365
Security monitoring (SIEM)
Developing improved security awareness materials/processes
Enhanced testing of backup, restore and DR processes
Strengthening contractual arrangements with third-party suppliers
Questions? Thank you for listening