The NHS supply chain contains “absolutely massive” cybersecurity risks which have not “really been talked about”, an integrated care board and trust chair has warned.
Lena Samuels, who is chair of two London trusts and of Hampshire and Isle of Wight Integrated Care Board, said: “We’ve been talking internally about our own organisations but we haven’t really talked about the supply chain and the risks within that – and that is absolutely massive.”
Her comments come after one of the most disruptive cyber attacks on the NHS last week hit pathology systems at King’s College Hospital and Guy’s and St Thomas’ foundation trusts, and primary care across six boroughs, with major disruption to tests still ongoing. This was due to an attack on their pathology IT system, which is run by the company Synnovis. Synnovis is majority owned by the European firm Synlab.
Ms Samuels, speaking at the NHS Confed Expo conference yesterday, said many NHS organisations still needed to question: “How do our risk registers capture what our supply chain resilience looks like in terms of cyber protection?”
She said NHS organisations also needed to be considering “who on my board is going to ask that question” and “whether they’re going to even think of asking that question”, adding: “There’s so much that we’ve got to think about.”
Ms Samuels said ICBs needed to develop their skills and knowledge of cybersecurity, though expertise also needed to be shared nationally, but she said it was “really difficult to recruit that sophisticated talent”.
She said: “[Cybersecurity] leadership has got to be embedded within an organisation, in its totality. If we’re going to really get supportive activities to prevent something but also react against it, that culture has to be in place all the way through the organisation.”
As well as the ICB, Ms Samuels chairs neighbouring Barnet, Enfield and Haringey Mental Health Trust and Camden and Islington FT, which work as a group. She told the event it would be helpful to have cybersecurity expertise in non-executive board roles, as well as among executives.
In the same session at the event in Manchester, Cate McLaurin, a digital security expert at consultancy Public Digital, said NHS organisations were highly likely to be hit by cyberattacks, as “public sector bodies [are] being targeted specifically”.
Source: HSJ
Date: 17 June