• The CQC has said it does not need extra powers to ensure the NHS is better protected against cyber attacks
• It confirmed it had “not been approached” by government to do additional spot checks on trusts
• CQC has already consulted on additions to its inspection regime in relation to information governance, but all plans were well underway before the attack

The Care Quality Commission has told HSJ it does not need and is “not asking for” extended powers to ensure the NHS is better protected against cyber attacks.

A spokeswoman for the CQC also said it had “not been approached” by government to carry out additional checks on any of the trusts hit by cyber attacks last week.

In response to the ransomware attack, home secretary Amber Rudd said on Saturday that the “CQC does do cyber checks on NHS trusts and they will be advising NHS trusts to do more to modernise their platforms”. There have also been reports suggesting the inspectorate will be given additional responsibilities or powers.

A CQC spokeswoman said: “We have not been approached by the government to do this but continue to monitor all trusts in relation to their information governance.”

A spokeswoman said no “additional powers” were needed. She confirmed that data safety issues, including “data security”, which covers cyber attack issues, are already considered through the regulator’s examination of trust governance.

Its fundamental standard regulation 17 says a provider must have in place “systems and processes” that can “assess, monitor and mitigate any risks relating to the health, safety and welfare” and “securely maintain” records. The CQC can serve warning notices in relation to this regulation and prosecute for breaches.

The CQC also confirmed it had already consulted on introducing new “key lines of enquiry” on data security into its inspections, in proposals for its new approach published in December. It needs no approval from ministers or the Department of Health to adopt these changes, however, and is expected to make a final decision after next month’s general election.

The December consultation said: “While there is widespread commitment across providers to keep data secure, we know there are areas where more can be done to protect against potential risks. We are committed to strengthening our assessment framework in relation to information governance.”

Under parallel CQC and NHS Improvement proposals for overall assessment of providers’ leadership capability, the regulators have proposed reviewing “robust arrangements to ensure integrity and confidentiality” of data management systems.

The regulator closed both consultations in February 2017 but has yet to respond to them. It expects to do so next month, and to begin phasing the changes in immediately. A spokeswoman said that once they were “bedded in”, the CQC would review how effective these changes have been but could not “predict” if it might seek further regulatory powers in the future as a result.

The CQC planned the changes to its inspection “key lines of enquiry” in response to a review it carried out on data safety in summer last year. The Safe data, safe care review was commissioned by the health secretary, and recommended the CQC “strengthen its existing lines of enquiry on information governance” and “make use of external audits or validation results in future assessments” to check on how safe a trust’s data is. The CQC already uses external audits as part of its inspection processes for issues such as safe staffing.