The Department for Health and Social Care (DHSC) has set out a five-point strategy to build cyber resilience in the health and care sector.
It said the strategy, to run until 2030, is aimed at ensuring services in the NHS and adult social care are better protected from cyber threats and sensitive information is held securely.
The first of the five points is to identify areas of the sector where disruption could cause the greatest harm to patients. Measures within this will include creating a common language for measuring and recording cyber risk, gathering data to build a system-wide threat picture, regularly reviewing standards to match changing risk profiles, and setting clear minimum standards for areas identified as risks.
Second is to take advantage of the scale of the sector in using national resources and expertise, with measures such as laying out clear roles and accountability, providing central support to cyber security initiatives, and providing a health technology assessment and remediation service.
The third point is to ensure leaders are engaged with cyber specialists in the services, with a plan to embed the cyber profession in health and care and offer cyber training to the general workforce.
Fourth is to embed security into the framework of emerging technology, through engagement with critical suppliers, developing pathways to improve communications with them when responding to cyber events or vulnerabilities, embedding the Cyber Assessment Framework into the Data Security and Protection Toolkit, and setting out minimum expectations for IT lifecycle management.
Fifth is to support every health and care organisation to minimise the impact and recovery time of a cyber incident. Steps include ‘dry run’ exercises for plans to respond to and recover from attacks, working with the National Cyber Security Centre to manage the technical response to a sector-wide attack, and deploying incident response teams to support local organisations when necessary.
A full implementation plan will be published in summer 2023. It will include detailed activities and defining metrics on resilience over the next two to three years, DHSC said.
In addition, national cyber security teams will work with local and regional health and care organisations to achieve the aims of the strategy. This will include strengthening the NHS England Cyber Security Operations Centre and carrying out a review of cyber security in adult social care.
Health Minister Lord Markham said: “We’re harnessing the power of technology to deliver better, safer care to people across the country - but at the same time it’s crucial we’re also bolstering the defences of our health and care services.
“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future.
“This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.”
DHSC said the health and social care sector has made good progress in recent years, using the increasing number of cyber defence and response tools it has at its disposal, and is now much better protected from attacks than it was at the time of the WannaCry cyber attack in 2017.