NHS long-term cyber strategy sets out plan to ramp up workforce and ‘defend as one’

Written by Sam Trendall on 23 March 2023 in News

Government sets out vision for improving resilience of health and social care sector by the end of the decade

The government has published a long-term plan to improve cybersecurity across the NHS by the end of this decade.

The policy document, titled A cyber resilient health and adult social care system in England: cyber security strategy to 2030, sets out a range of objectives for the coming years to support five central ‘pillars’.

The first of these is to “focus on the greatest risks and harms”, to help build a sector-wide understanding of threats.

Work in support of this ambition will include efforts to “create a common language for measuring and recording cyber risk, develop and improve national capabilities to maximise sharing of information, services and products across the sector, [and] gather data using national systems to build a system-wide threat picture, setting out proportionate mitigations for key risks and harms”, the strategy said.

In the coming years there will also be greater assessment of successful attacks and other cyber incidents with the intention “to better quantify patient and service user harm”.

The second pillar is to “defend as one” across the health and social care sector.

This will involve greater collaboration between local organisations on cyber issues, including increased data sharing, while “threat intelligence and detection across the NHS [will be] coordinated nationally for rapid response and alerting”.

National health-service leaders will also “set clear expectations of leaders and boards on the organisational risk they are held accountable for and implications for the wider sector if those risks are realised”, according to the strategy.

The third pillar – “people and culture” – includes a pledge to “substantially increase the numbers and expertise of cyber professionals working at national, regional and local levels”. There will also be efforts to boost the security know-how of the wider workforce.

“This is a long-term challenge which will begin with hiring and training programmes, forging cyber career pathways and presenting health and social care as a rewarding place to pursue a career in cyber,” the strategy said. “National teams will be dedicating particular attention to bringing forward a comprehensive plan to deliver this. As well as professional training for a developing cyber workforce, we must offer relevant cyber basics training to the general health and social care workforce, as well as board and senior information risk owner-level training. Experts must make sure they are talking about cyber risk in terms that others can understand, especially bringing out the relevance in terms of patient and service user harm.”

The fourth pillar is to “build secure for the future”.

The plan acknowledges that the “health and social care system was not built with cybersecurity in mind… [and] this has exacerbated many of the sector’s biggest current security vulnerabilities”.

By 2030, the goal is for NHS bodies to better understand emerging threats and how to combat them, as well as improving management of “critical supply chain risk”. There will also be efforts to ensure that all new services are made to be “secure by design”.

The final core strand of the strategy is to ensure “exemplary response and recovery” to all future cyber incidents that occur in the sector.

To support this, national and local cyber units will be asked to publish clear guidelines for reporting and responding to attacks, while a specialist central team will take on responsibility for leading the response to national incidents, as well as being deployed in certain cases to assist the recovery process for smaller attacks.

National NHS security functions will help prepare for the possibility of a major incident by conducting “’dry run’ exercising, [and] applying and developing plans for responding to and recovering from a cyberattack”.

The National Cyber Security Centre will also be brought in: national NHS entities will “work with the NCSC to manage the technical response to a sector-wide attack”.

In his foreword to the strategy, Lord Markham, a junior minister in the Department of Health and Social Care, said that “the cybersecurity of our health and social care systems underwrites patient safety”.

“Working towards a cyber resilient health and social care sector is a significant challenge,” he added. “The sector is made up of complex, interdependent systems with different risks and needs. This strategy will shape a common purpose across health and social care against the most critical of those risks. It sets out an approach that will be applicable across health and social care systems including for adult social care, primary care, and our critical supply chain as well as for secondary care.

“Our vision and aims are ambitious and will require engagement at all levels of the health and social care sector. We must build and maintain this engagement in the shared understanding that cyber security is a foundational business need that we must prioritise if we are to ensure patient and service user safety.”


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@publictechnology.net.
