A new Department of Health document sets out the steps all health and care bodies will be expected to take in 2017-18 to show that they are implementing the ten data security standards recommended by the National Data Guardian. For the 13-page document visit https://www.gov.uk/government/publications/data-security-and-protection-for-health-and-care-organisations.
It says ‘there must be a named senior executive to be responsible for data and cyber security’, and that all staff must complete appropriate annual data security and protection training. On the upcoming General Data Protection Regulation (GDPR), which the UK, like the rest of the European Union, will be required to comply with from May 2018, NHS Digital will publish a checklist to help organisations implement the Regulation. A ‘comprehensive business continuity plan’ must be in place to respond to data and cyber security incidents. The sector should also ensure that any supplier of IT systems (including other health and care bodies) and the system(s) provided have the appropriate certification.
This arises from the WannaCry ransomware, which encrypts data on infected computers and demands a ransom payment, and which hit the NHS among others worldwide in May. As a recent report by the National Audit Office found, the Department of Health was warned about the risks of cyber attacks on the NHS a year before WannaCry. Infected organisations were running unpatched or unsupported Windows operating systems, which left them susceptible to the ransomware.
Rob Bolton, Director, and GM, Western Europe, at Infoblox, says: “Unlike more traditional enterprises, many healthcare organisations fear that the specialised legacy equipment and software may not run on more modern releases. This has resulted in a slower shift towards more modern operating systems in some organisations, where there are concerns around potential disruption to ongoing patient care if these critical solutions were to be disrupted. However, as WannaCry demonstrated, vulnerable operating systems and software pose a significant threat to hospital services, with potentially devastating results. While there is a significant challenge and cost that must be managed with regards to such a project, the Department of Health is right to encourage NHS Trusts to bring updating outdated operating systems up the priority list to ensure they reduce the risk of being hit by a similar attack in the future.
“The first step for many NHS Trusts will be to identify these unsupported or out of compliance systems. Without accurate asset inventories of what’s on the network, organisations will face the challenge of not being able to patch that which they don’t know exists.”
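The inventory step Bolton describes, as an added example that is not from the article or from Infoblox: a small reconciliation script that takes an asset register, compares it with the addresses actually seen on the network, and flags machines whose operating system is past end of support or that have not been patched recently. The inventory rows, the observed addresses and the evaluation date are constructed for illustration; the end-of-support dates are assumed from the vendor's published lifecycle and should be checked against it before use.

```python
"""Reconcile an asset register with hosts observed on the network and flag
unsupported or stale systems.  Added example with constructed data; it is
not part of the article or of any vendor product."""
import csv
import io
from datetime import date, datetime

# Assumed end-of-extended-support dates; verify against the vendor lifecycle pages.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
}

# Constructed asset register: what the organisation believes is on the network.
INVENTORY_CSV = """hostname,ip,os,last_patched
ward3-pc01,10.20.3.11,Windows 7,2017-03-14
mri-console,10.20.9.5,Windows XP,2012-11-02
pacs-srv1,10.20.1.20,Windows Server 2003,2014-06-30
admin-pc07,10.20.4.17,Windows 10,2017-04-20
"""

# Constructed set of addresses seen by a network scan or DHCP lease table.
OBSERVED_IPS = {"10.20.3.11", "10.20.9.5", "10.20.1.20", "10.20.4.17", "10.20.7.42"}

STALE_AFTER_DAYS = 90  # assumed patch-currency threshold


def load_inventory(text):
    """Parse the CSV register into a list of dicts, one per host."""
    return list(csv.DictReader(io.StringIO(text)))


def unsupported_hosts(inventory, as_of):
    """Hosts whose OS reached end of support on or before `as_of`."""
    found = []
    for row in inventory:
        eol = END_OF_SUPPORT.get(row["os"])
        if eol is not None and eol <= as_of:
            found.append((row["hostname"], row["os"], eol.isoformat()))
    return found


def stale_hosts(inventory, as_of, max_days=STALE_AFTER_DAYS):
    """Hosts not patched within `max_days` of `as_of`, whatever their OS."""
    found = []
    for row in inventory:
        last = datetime.strptime(row["last_patched"], "%Y-%m-%d").date()
        if (as_of - last).days > max_days:
            found.append(row["hostname"])
    return found


def unknown_hosts(inventory, observed_ips):
    """Addresses seen on the network that the register does not know about:
    these are the machines nobody can patch because nobody knows they exist."""
    known = {row["ip"] for row in inventory}
    return sorted(observed_ips - known)


def report(as_of=date(2017, 5, 12)):
    """Run all three checks against the constructed data and return the findings."""
    inventory = load_inventory(INVENTORY_CSV)
    return {
        "unsupported": unsupported_hosts(inventory, as_of),
        "stale": stale_hosts(inventory, as_of),
        "unknown": unknown_hosts(inventory, OBSERVED_IPS),
    }


if __name__ == "__main__":
    for category, hosts in report().items():
        print(category, hosts)
```

The three lists answer different questions: `unsupported` is what should be replaced or isolated, `stale` is what is supported but not being patched, and `unknown` is the gap between the register and reality that any patching programme has to close first.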