NHS long-term cyber strategy sets out plan to ramp up workforce and ‘defend as one’
Government sets out vision for improving resilience of health and social care sector by the end of the decade
The government has published a long-term plan to improve the cybersecurity across the NHS by the end of this decade.
The policy document, titled A cyber resilient health and adult social care system in England: cyber security strategy to 2030, sets out a range of objectives for the coming years to support five central ‘pillars’.
The first of these is to “focus on the greatest risks and harms”, to help build a sector-wide understanding of threats.
Work in support of this ambition will include efforts to “create a common language for measuring and recording cyber risk, develop and improve national capabilities to maximise sharing of information, services and products across the sector, [and] gather data using national systems to build a system-wide threat picture, setting out proportionate mitigations for key risks and harms”, the strategy said.
In the coming years there will also be greater assessment of successful attacks and other cyber incidents with the intention “to better quantify patient and service user harm”.
The second pillar is to “defend as one” across the health and social care sector.
This will involve greater collaboration between local organisations on cyber issues, including increased data sharing, while “threat intelligence and detection across the NHS co-[will be] coordinated nationally for rapid response and alerting”.
- Some NHS bodies still in process of ‘reconnecting’ six months on from cyberattack on IT systems supplier
- NHS Digital cites transformation ‘turning point’ after £750m investment in FY22
- NHS to build £3m digital platform to manage national volunteer force
National health-service leaders will also “set clear expectations of leaders and boards on the organisational risk they are held accountable for and implications for the wider sector if those risks are realised”, according to the strategy.
The third pillar – “people and culture” – includes a pledge to “substantially increase the numbers and expertise of cyber professionals working at national, regional and local levels”. There will also be efforts to boost the security know-how of the wider workforce.
“This is a long-term challenge which will begin with hiring and training programmes, forging cyber career pathways and presenting health and social care as a rewarding place to pursue a career in cyber,” the strategy said. “National teams will be dedicating particular attention to bringing forward a comprehensive plan to deliver this. As well as professional training for a developing cyber workforce, we must offer relevant cyber basics training to the general health and social care workforce, as well as board and senior information risk owner-level training. Experts must make sure they are talking about cyber risk in terms that others can understand, especially bringing out the relevance in terms of patient and service user harm.”
The fourth pillar is to “build secure for the future”.
The plan acknowledges that the “the health and social care system was not built with cybersecurity in mind… [and] this has exacerbated many of the sector’s biggest current security vulnerabilities”.
By 2030, the goal is for NHS bodies to better understand emerging threats and how to combat them, as well as improving management of “critical supply chain risk”. There will also be efforts to ensure that all new services are made to be “secure by design”.
The final core strand of the strategy is to ensure “exemplary response and recovery” to all future cyber incidents that occur in the sector.
To support this, national and local cyber units will be asked to publish clear guidelines for reporting and responding to attacks, while a specialist central team will take on responsibility for leading the response to national incidents, as well as being deployed in certain cases to assist the recovery process for smaller attacks.
National NHS security functions will help prepare for the possibility of a major incident by conducting “’dry run’ exercising, [and] applying and developing plans for responding to and recovering from a cyberattack”.
The National Cyber Security Centre will also be brought in to work with national NHS entities and help “work with the NCSC to manage the technical response to a sector-wide attack”.
In his foreword to the strategy, Lord Markham, a junior minister in the Department of Health and Social Care, said that “the cybersecurity of our health and social care systems underwrites patient safety”.
“Working towards a cyber resilient health and social care sector is a significant challenge,” he added. “The sector is made up of complex, interdependent systems with different risks and needs. This strategy will shape a common purpose across health and social care against the most critical of those risks. It sets out an approach that will be applicable across health and social care systems including for adult social care, primary care, and our critical supply chain as well as for secondary care.
“Our vision and aims are ambitious and will require engagement at all levels of the health and social care sector. We must build and maintain this engagement in the shared understanding that cyber security is a foundational business need that we must prioritise if we are to ensure patient and service user safety.”
Share this page
CONTRIBUTIONS FROM READERS
Please login to post a comment or register for a free account.
Regulator applies new approach to the public sector by issuing recommendations rather than a £35,000 fine
Sensitive data was left unsecured in prison holding area, according to data watchdog
Authorities have complained about the lack of time taken to be notified by IT firm and wrongly being told personal data was not put at risk
Role comes with a remit to work with current and former military personnel, as well as officials and commercial suppliers
Related Sponsored Articles
The traditional reactive approach to cybersecurity, which involves responding to attacks after they have occurred, is no longer sufficient. Murielle Gonzalez reports on a webinar looking at...