Plans unveiled to strengthen NHS and social care IT systems against attack

Government announces £21m moneypot for major trauma centres to improve IT systems to mitigate cyber attacks

Security must be improved in order to mitigate the threat from cyber criminals

The Government has announced that investment in data and cyber security in the NHS will be boosted above £50m, including a new £21m capital fund for major trauma centres.

Outlined in Your Data: Better Security, Better Choice, Better Care, the cash is part of the Government’s response to the National Data Guardian for Health and Care’s Review of Data Security, Consent and Opt-Outs; the public consultation on that review; and the Care Quality Commission’s review, Safe Data, Safe Care.

In the document, the Government accepts the recommendations of both reviews and announces that, to strengthen the safeguarding of information, the National Data Guardian’s position will be put on a statutory footing and stronger sanctions will be introduced by May 2018 to protect anonymised data, including severe penalties for negligent or deliberate re-identification of individuals.

It also announces plans to:

  • Give patients and the public more access to, and control over, their personal data
  • Build confidence in the importance of secure data to provide better individual care and treatment
  • Support research and planning across the health system

To mitigate the immediate risks with cyber security, NHS Digital is supporting local organisations by:

  • Broadcasting alerts about cyber threats
  • Providing a hotline for dealing with incidents
  • Sharing best practice across the health and care system
  • Carrying out on-site assessments

Work is underway in parallel to determine the fastest and most cost-effective way to support the NHS to move from unsupported operating systems, including Windows XP.

    The NHS contract has been changed so that NHS organisations are formally required to adopt data security standards as recommended by the independent National Data Guardian for Health and Care, including security training for staff, annual reviews of processes, and extensive contingency plans to respond to threats to data security.

    Health Minister, Lord O’Shaughnessy, said: “The NHS has a long history of safeguarding confidential data, but with the growing threat of cyber attacks, including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS.

    “Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”

    The government report was today welcomed by BCS, The Chartered Institute for IT, but it has warned that some trusts will find it hard to identify funding to improve security.

    David Evans, its policy director, said: “The focus on ensuring that through Care Quality Commission frameworks for organisations, and resources and services from NHS Digital, everyone understands the duties and broad options, is vital.

    “The additional funding will be welcomed by NHS chief information officers at major trauma sites, but the rest will have to consider cuts to other areas of budgets to shore up cyber security.

    “One of the important aspects to consider as the details are developed is ensuring that responsibilities are appropriate and proportionate.

    “We need to make it clear and simple for NHS boards to discharge their duties, and ensure that NHS leaders know what their responsibilities are.

    “However, the burden cannot solely be on their shoulders. They also need the proper professional support.

    “The teams at NHS Digital and other centres of excellence will have tremendous expertise, but the scope of work across all of health and care in the UK means that a far broader community of IT professionals need to meet baseline standards.

    “At the end of the day, the general public need to have assurance, not only that hospital policies are in order, but that there are capable and accountable cyber professionals who are assuring that measures are appropriate and being carried out.

    “The government plan is well founded, but needs to be developed further and in different directions if public trust is to be placed fully on a system that has shown itself to be dangerously vulnerable.

    “Just as patients rely on individual clinicians as well as hospital policies, the public needs to know that accountable and capable professionals are in the right places, particularly when a failing of an individual around cyber security can inflict far more damage than a negligent doctor.”