In March 2023, the Department for Health and Social Care (DHSC) published its Cyber Security Strategy, which tasks Integrated Care Systems (ICS) with improving the cyber resilience of health and social care, and requires ICSs to produce their own cyber security strategy to drive security across systems [1]. However, as of January 2024, most ICSs had not developed a cyber security strategy [2]. From our experience, the exercise of developing a cyber security strategy provides a golden opportunity for ICS organisations to work together, build relationships and share best practice. The resultant strategy helps achieve What Good Looks Like success measures and empowers the ICS to build the necessary foundations to improve its cyber security posture. In this article, we outline the key benefits and share some of the lessons we have learnt from developing ICS cyber strategies.
A well-defined cyber security strategy can additionally bring the following three fundamental benefits to ICSs:
1. Improve patient outcomes by minimising the impact of cyber incidents. Developing an ICS cyber security strategy can provide a clear and more formalised approach to strengthening the security posture and resilience of the information systems that deliver patient care. By defining a clear set of objectives and cross-community cyber security initiatives to strengthen cyber security controls, ICSs can reduce the impact of incidents and focus on the largest cyber threats to the delivery of patient care.
2. Create return on investment by leveraging scale. Developing a single ICS strategy reduces the burden on ICS organisations to create their own cyber security programmes. It can also make national cyber support, such as the NHS Data Security Centre and Cyber Security Operations Centre services, more accessible to ICS organisations. A cyber security strategy can further support ICSs in procuring IT and cyber security tools as one organisation. This enables ICSs to leverage economies of scale when procuring services, reduce procurement overheads, and prevent duplication of licensing contracts, creating greater value for money.
3. Reduce cyber risk through informed decision making. A cyber security strategy can lay foundations for an ICS to unify its approach to cyber security risk management, identify and assess cyber risk across the ICS, and gain an understanding of overall risk posture. This empowers leadership to make informed decisions regarding risk reduction initiatives, resource allocation and investment into security tools and services, thereby maximising effectiveness of risk reduction activities.
From supporting ICSs in writing strategies in the past, we have identified three lessons that should be considered when creating cyber security strategies.
1. It’s as much about the journey as the destination. Strategies developed in isolation, with limited stakeholder involvement or without consideration of clinical impact tend to carry little weight and rapidly become shelfware. A strategy must be written collaboratively and bring many diverse viewpoints together throughout the process, including those of clinical, IT and security staff to meet the objectives of the involved organisations. We have found that a great way to facilitate involvement is to hold group workshops to discuss challenges, opportunities, and ways the ICS can achieve these. By working through the challenges together, the ICS can obtain the necessary buy-in to address the largest areas of concern, collaboratively prioritising activities for driving improvements in cyber security and resiliency across the ICS.
2. Diverse organisations bring complexity, but also opportunity. Each component organisation of an ICS can greatly vary in size, purpose, and IT capability. Therefore, when developing an ICS strategy, it is imperative to begin by obtaining a clear understanding of the current state of cyber security across the area. Ask questions such as: What are the largest challenges faced by organisations in cyber security? What good practices already work well, and how can they be shared across the ICS? Answering these questions establishes a foundation, which will allow an ICS to build a strategy that will focus on closing the widest gaps in cyber maturity, utilising resources and best practice already available. Diversity in approach and thinking should be harnessed and used as an advantage in developing a comprehensive strategy which brings together experiences and capabilities.
3. A common approach to risk management is key. When developing an ICS cyber security strategy, it can be difficult to agree on a risk management framework or system to use if the component ICS organisations employ different language, frameworks, processes and tools. This poses an obstacle to obtaining an ICS-wide view of cyber security risk. Ideally, risk management should be driven by the Integrated Care Board (ICB) for the ICS, setting out risk management requirements or frameworks for ICS organisations to follow. This, however, may not always be achievable. Alternatively, ICSs could identify and agree a cyber-specific risk assessment approach that works for all ICS organisations, or devise a conversion process that collates multiple different risk identification, management and treatment inputs into one view. Regardless of the solution, this is an important consideration that needs to be tackled when devising a cyber security strategy.
Establishing an ICS cyber security strategy is an important step to bolster the security of each component organisation, and to better protect the patients an ICS serves from the damage of cyber security incidents. Writing a cyber security strategy at ICS level can be an intimidating task; however, the process of writing a unified strategy is the beginning of developing a closer, more integrated, more secure and resilient ICS. If your organisation would like support in writing cyber security strategies in health and social care, please reach out to the contacts below.
_________________________________________________________
References