


Government sets out next steps to counter cyber attack

The Department of Health and Social Care has published a document setting out the progress made in recent years to improve cyber security across the NHS and the next steps that Trusts will be expected to take. 


The Department has made it clear that organisations should not be operating IT systems that are no longer developed or updated, as these lack modern security controls and are not able to cope with large volumes of data and multiple users. 


Unsupported systems. In July 2017 NHS Digital published guidance to help local organisations to move off unsupported systems and to minimise the risk of unsupported systems where they are in use. In 2020, extended support for Windows 7 will end, so organisations need to continue to review and replace their systems. NHS Digital offers guides and services and entered into a Custom Support Agreement with Microsoft at the end of June 2017 which provides a number of free services to NHS organisations. These include: patching and support for Windows devices operating with Windows XP, Windows Server 2003 and SQL Server 2005; improved threat awareness through Microsoft’s Enterprise Threat Detection service; Windows 10 migration support, including health and care specific guidance for organisations to help in the pre-deployment, migration and operation of Windows 10; and Microsoft consultancy to help embed services, improve cyber-security resilience and prepare organisations to move to Windows 10.


Updated toolkit. The Information Governance Toolkit is an audit tool designed to help health and care organisations to assess their data security capability and capacity – compliance is mandatory for all organisations using the NHS contract in 2017/18. This Toolkit has been re-designed into a new, more user-friendly Data Security and Protection Toolkit (DSPT) that will be launched in private beta this month (February), with full roll-out from April.


The 2017/18 Data Security and Protection Requirements (DSPR) make clear that there must be a named senior executive responsible for data and cyber security in every health and care organisation. This requirement will be in the DSPT from April onwards. NHS Improvement will seek assurance of compliance with the DSPR from NHS Trusts in March and NHS England will do the same for commissioners. From April, that assurance will be available via the new toolkit.


Unannounced testing. The Care Quality Commission assesses whether NHS Trusts, GPs and adult social care providers have adequate leadership in data security. From 2018, the Care Quality Commission, working with NHS Digital, will trial unannounced cyber security inspections in NHS Trusts to decide whether to roll these out to target organisations that repeatedly fail to follow basic cyber security practice.


Tighter controls. The General Data Protection Regulation (GDPR) and – for those organisations in scope – the Network and Information Systems Directive (NIS Directive) will come into force in May 2018. Together these will strengthen the cyber security and data protection regulatory regime for health and care organisations.


Staff awareness. The e-learning package developed and launched by NHS Digital in July 2017 will be reviewed by Health Education England and revised later in 2018 in response to feedback. The package aims to help all NHS staff to understand their role in the safe and secure management of patient data.


NHS England has commissioned the NHS Digital Academy to deliver a new learning programme to develop current and future healthcare digital leaders, drive professionalism and oversee transformational change.


New specialist centre. Services from CareCERT – the sector-specific national cyber support service – will be expanded into an NHS Digital Security Operations Centre to improve monitoring of security threats, provide guidance and expert response to health and care organisations and assure the public of the safety of their data. This will be operational from May 2018.


Download the full report here.


Read our expert’s analysis of why the healthcare industry needs to solve its cyber skills gap and fast here (and in the Jan/Feb 2018 issue of the HEFMA Pulse Magazine)