Impact of cyber attacks
The impact of a cyber attack (which can take may forms, including phishing emails, malware and ransomware) can be far-reaching, resulting in financial loss, reputational damage, loss of data, and outages/disruption to systems and services. In recent years, there have been a number of cyber attacks on the health sector both in the UK and abroad, which have, in addition to these risks, also led to delays and cancellations.
As recognised by the Department of Health and Social Care in its recently published policy paper “A cyber resilient health and adult social care system in England: cyber security strategy to 2030”, protecting health and social care services“from the disruptive impact of a cyber attack…has never been more important”. In this article, we consider the steps which NHS organisations can take to minimise the risk of cyber attacks.
Measures to seek to avoid cyber attacks
NHS health and care organisations are expected to implement the National Data Guardian for health and social care’s Data Security Standards (NDG Standards) and to make use of the Data Security and Protection Toolkit (DSP Toolkit).
NDG Standards
There are 10 NDG Standards, most of which relate to data protection. However, 2 of these relate specifically to cyber security and require NHS organisations to:
- Respond to incidents: cyber attacks against services must be identified and resisted, and CareCERT (NHS Digital’s cyber security services) security advice responded to.
- IT protection: a strategy must be in place for protecting IT systems from cyber threats.
NHS Digital (which recently became part of NHS England and which helps to protect NHS and care organisations from cyber attacks) has prepared guides for each of the NDG Standards to help NHS and care organisations “understand expectations and support implementation of good data security and protection”. The guides relating to cyber security are available at Data Security Standard 6 – Responding to incidents – NHS Digital and Data Security Standard 9 – IT protection – NHS Digital.
In addition to the specific NDG Standards relating to cyber security, the NDG Standards also require health and care organisations to:
- have a named senior executive who is responsible for cyber security;
- have in place a comprehensive business continuity plan to respond to cyber security incidents;
- ensure that any supplier of critical IT systems that could impact on the delivery of care or that processes personal identifiable data has the appropriate certification, such as Cyber Essentials or Cyber Essentials Plus; and
- undertake an on-site cyber security assessment if invited to do so by NHS Digital.
DSP Toolkit
The DSP Toolkit is an online self-assessment tool which measures performance against the NDG Standards and is specifically tailored for different types and sizes of organisation. All organisations with access to NHS patient data and systems are required by NHS Digital to use the DSP Toolkit to provide assurance that they are practicing good data security.
The DSP Toolkit helps organisations to understand their cyber (as well as data) security risks. The Department of Health and Social Care (DHSC) expects NHS and social care organisations to meet the cyber security requirements set out in the DSP Toolkit for their particular type of organisation. Where an organisation does not meet the required standard, they are then required to submit an improvement plan to NHS Digital, which will then work with that organisation to address outstanding issues.
In addition to the general expectation to comply with the NDG Standards and make use of the DSP Toolkit, NHS providers are required to comply with the requirements of the NHS Standard Contract, which specifically requires compliance with the NDG Standards and satisfactory completion of the DSP Toolkit. This means that any providers into the NHS are contractually bound to comply with the NDG Standards and meet the requirements of the DSP Toolkit by way of their obligations under the NHS Standard Contract.
Additional requirements for Integrated Care Boards, NHS Trusts and Foundation Trusts
The Health and Care Act 2022 introduced an amendment to the Network Information Systems Regulations 2018 (NIS Regulations) to classify Integrated Care Boards (ICBs) as an Operator of Essential Service (OES). This classification creates new obligations for ICBs (which already existed for NHS Trusts and Foundation Trusts) to:
- take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies (Regulation 10.1);
- take appropriate and proportionate measures to prevent and minimise impact of incidents affecting the security of the network and information systems used for provision of an essential service, with a view to ensuring continuity of those services (Regulation 10.2); and
- notify its Competent Authority (being the Secretary of State for Health and Social Care, in practice by acting through DHSC and supported by NHS England) of qualifying incidents (Regulation 11). This regulation sets out in detail the information which such a notification must contain, and states that the notification must be made without undue delay and in any event no later than 72 hours after the OES becomes aware that the incident has occurred.
“Appropriate and proportionate” is used to allow flexibility for each OES within their relevant sector take action which is suitable and considerate to the needs and state of the sector, accounting for number of users, technological adoption and reliance of users to the network and systems in place in the essential service, as well as the criticality of the essential service itself. Regulation 10 of NIS Regulations provides some further context for the interpretation of what is “appropriate and proportionate” and confirms that the measures taken must have regard for the state of the art to ensure a level a security of network and information systems appropriate to the risks posed, and that an OES must also have regard to any relevant guidance by the Competent Authority when carrying out its obligations.
The NIS Regulations in part 5 grants Competent Authorities powers of enforcement for non-compliance by an OES with the requirements of the NIS Regulations, which includes the application of penalties of up to £17 million.
The obligations imposed under the NIS Regulations (as amended) have been largely incorporated into wider data and cybersecurity policies that are in place within the NHS, including the DSP Toolkit (for example in that the reporting tool within the DSP Toolkit will enable notification under regulation 11 of the NIS Regulations) and the NDG Standards, and therefore continued compliance with these, along with performance of their existing obligations under NHS Standard Contracts, should satisfy their obligations under the NIS Regulations.
The future picture
In recognisance of the ever-changing cyber security landscape, the Government is taking steps to better protect organisations in the United Kingdom against the risk of future cyber attack. In 2022, the Government consulted on the current state of cyber resilience and, as part of this consultation, suggested potential amendments to the NIS Regulations. Although any amendments will be of general, rather than health sector specific, application, these may change the obligations on all organisations which are designated an OES and would therefore impact the requirements upon ICBs. The outcome of this consultation exercise is awaited, but we anticipate that any changes which effect obligations on ICBs to be reflected in alterations to the DDG Standards and the DSP Toolkit.
Of specific application to health and social care organisations is the new Department of Health and Social Care Cyber Security Strategy, published on 22 March 2023. This sets out a vision for preventing, mitigating and recovering quickly from cyber incidents and confirms that health and social care organisations are responsible for their own cyber security, with support from Integrated Care Systems and direction and central support from national cyber security teams, creating a “unified and collaborative approach”.
The Strategy sets out 5 pillars that set out the overall approach within the sector to cyber security up to 2030, each with associated desired outcomes, route to achievement and responsibilities for organisations within the health and social care sector. In high level terms, the 5 pillars are:
- Focus on the greatest risks and harms: this involves considering the particular organisations, assets and services and national, regional and local levels that would cause especially significant harm if they were disrupted.
- Defend as one: this involves sharing learning, collating data and levering NHS capability, technologies and scale to improve cyber-resilience for the wider sector.
- People and culture: prioritising ensuring that staff are equipped with the skills and resources to address the cyber threat.
- Build secure for the future: this involves embracing the opportunity to redesign health and social care system structures and technologies to have security at their core.
- Exemplary response and recovery: this involves ensuring that every organisation is equipped to minimise the impact of a cyber incident and the time it takes to recover from it.
A national implementation plan to support the Strategy is expected this summer, which will set out detailed activities and metrics to build and measure resilience over the next 2-3 years. This plan will be updated from time to time to “remain responsive to the changing world around us”.
Progress under the 5 pillars will be monitored using the DSP Toolkit, which will be updated to reflect the Cyber Assessment Framework (which provides guidance for organisations responsible for vitally important services and activities) by 2025. NHS Digital has also separately indicated that it will in the second half of 2023 be reviewing changes to be made to the DSP Toolkit.
Additional resources
NHS Digital has a range of resources to help NHS and care organisations to protect against cyber attacks. These are available at Cyber and data security – NHS Digital.