Cyber security strategy aims to ‘defend as one’

23 March 2023 Steve Brown

A new cyber security strategy, published by the Department of Health this week, looks to ensure the health and care sector stays protected against changing cyber threats. Everyday problems come in the form of phishing and other malicious emails, but there is also a growing threat from ransomware attacks, which are no longer just perpetrated by organised criminal groups. These attacks can cause the complete loss of clinical and administrative systems and involve data theft and extortion.

In 2017, the global WannaCry ransomware attack, while not specifically targeted at the UK health sector, disrupted at least 34% of trusts in England. It led to thousands of cancelled operations and appointments and an estimated cost of £20m during the outbreak and an additional £72m to restore data and systems.

The Department of Health and Social Care said that the sector was now better protected than in 2017, but faced challenges, particularly given the plans to use digital solutions to transform care delivery. Some of these challenges are common to other sectors, including workforce shortages and adapting to new technology. But others, such as the health service’s layered governance, were particular to the health and social care sector.

Health minister Lord Markham said that bolstering cyber defences was essential in parallel to taking advantage of technology to improve care. ‘This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future,’ he said. ‘This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.’

The new strategy covering the period up to 2030 is built around five pillars:

  • focus on the greatest risks and harms
  • defend as one
  • people and culture
  • build secure for the future
  • exemplary response and culture

As part of pillar 2 – defend as one – the strategy calls for health and social care to be ‘better integrated in its overall approach’. This will involve stronger direction from national teams and centralised platforms and services to ‘avoid silos and duplicated efforts’. But in parallel, organisations will be allowed greater autonomy in deciding how to implement standards and services to meet their needs.

Integrated care systems are being asked to create system-wide cyber security strategies and to allocate funding to deliver them. They will be required to set up governance arrangements to review and align plans.

A full implementation plan is due to be published in the summer, setting out detailed activities and defining metrics to measure resilience.