Coronavirus: GCHQ gets access to NHS data to beef up security

Health secretary Matt Hancock has used emergency powers under the NHS Act of 2006 to give GCHQ special dispensation to access data on the NHS’s cyber security and other IT systems in order to better protect the health service from cyber attack during the Covid-19 coronavirus pandemic.

Documents released by the government, which can be viewed online, were signed off by Karen Dooley, a senior civil service member at the Department for Health and Social Care, on 3 April 2020.

“During the emergency, the network and information systems held by or on behalf of the NHS in England or those bodies which provision public health services in England must be protected to ensure those systems continue to function to support the provision of services intended to address coronavirus and Covid-19,” the government said.

The directions mean that the NHS and other public health bodies must consent to the disclosure to the intelligence services of any information relating to the security of any network or IT system that they hold. This arrangement will expire automatically on 31 December 2020, unless amended.

A spokesperson for the National Cyber Security Centre (NCSC) confirmed to HSJ, which first reported the story, that the powers are intended to enable it to check the security of NHS systems as the lead technical authority for cyber security in the UK.

“This is part of our ongoing commitment to protect health services during the coronavirus pandemic,” an NCSC spokesperson told Computer Weekly. “We have no desire to receive any patient data, and the directions do not seek to authorise this.”

Although, at the time of writing, no major cyber attacks are known to have disrupted frontline NHS operations during the coronavirus pandemic, the health service is considered at extreme risk of attack by cyber criminals even though it has taken significant steps to improve its security though increased investment, and the creation of NHSX in 2019.

Earlier in April, Joyce Hakmeh, a senior research fellow, International Security Programme and co-editor of the Journal of Cyber Policy, wrote that the health service faced increased risk at this time for two main reasons.

Firstly, she said more non-clinical NHS staff with access to critical systems and patient health data were working remotely, putting them at higher risk of compromise in the same way as other remote workers.

Secondly, said Hakmeh, the radical and often ad hoc changes being implemented at the NHS meant that cyber security protocols are very likely not being properly implemented, or side-stepped altogether.

Meanwhile, C5 Capital, a London-based investment company focusing on cyber security, has ramped up the work of a previously announced initiative, dubbed The Cyber Alliance to Defend our Healthcare, with a number of new members signing up to the collective defence project, which is working to help protect frontline clinicians.

Much of its work has centred on using behavioural intelligence to detect threats to healthcare organisations, running network compromise assessments and system monitoring, and offering free-of-charge surge capacity to security operations centres (SOCs).

“The growing support for the alliance underlines the strong collaborative nature of the cyber security sector,” said C5 Capital founder Andre Pienaar.

“With many of the world’s leading cyber security experts now contributing their services and knowledge for free, we have a powerful united front to combat cyber threats to global health organisations when they are already under immense strain as a result of this terrible pandemic.”