• Proposal based on EU regulations could impose harsh fines for failing to protect IT systems that keep “essential services” running
  • Fines could cover cyberattacks on NHS trusts or IT failures resulting from ageing hardware or power outages
  • Comes after regulations to protect identifiable health data following the WannaCry ransomware attack

The Department of Health could fine trusts up to £17m for failing to keep services running after a cyberattack or hardware failure, under new government proposals.

The Network and Information Systems Directive will come into force across the EU in May 2018 and requires all member states to take steps to ensure essential services are protected from cyberattacks or other IT failures.


The government has introduced new penalties for data breaches

It is distinct from the EU General Data Protection Regulation, which also comes into force in May 2018 and imposes similar fines for mishandling personal identifiable data.

The UK government published a consultation document this week outlining how the directive will be implemented, including across the NHS. The policies would remain in place after the country’s exit from the EU.

The proposal includes giving the DH, and possibly NHS Digital, the power to fine trusts up to 4 per cent of turnover or around £17m – whichever is greater – for “failing to implement effective cybersecurity measures”.

However, the document also said “financial penalties should only be levelled as a last resort where it is assessed appropriate risk mitigation measures were not in place without good reason”.

The proposal comes amid renewed scrutiny of cybersecurity in the NHS, after the 12 May WannaCry ransomware attack infected at least 47 trusts. The attack led to the cancellation of at least 15,000 appointments and operations, cancelled tests and ambulance diversions.

An HSJ investigation revealed nearly all of the trusts disrupted had not fully applied a Windows security update that would have protected their IT systems.

Barts Health Trust, which was the most heavily disrupted by WannaCry, blamed its reliance on Windows XP, an operating system with well known security vulnerabilities.

The EU directive has significant crossover with the government’s response to the third Caldicott review, published last month, which imposed new data security requirements on trusts and tough penalties for data breaches.

However, this is the first time it has been proposed that trusts be fined for failing to provide essential services after a cyberattack. It also requires trusts to protect themselves against non-malicious IT failures such as power losses or hardware faults.

Although the DH will have discretion as to how and when to apply penalties, HSJ understands NHS IT suppliers could also potentially face financial penalties if they are found to be at fault for an IT failure.

A pre-consultation impact assessment, also published this week, identified 243 NHS trusts that will be covered by the directive, making health the biggest cohort of organisations identified as “essential services” in the UK.

However, it determined that overall health organisations would face “limited additional costs” if the new rules were left “relatively flexible”.

The 2017-18 standard contract requires NHS organisations to follow the Caldicott review’s recommended 10 data security standards, which would cover many of the requirements of the directive.

“The actual impact of the directive will depend on its final implementation. A more comprehensive assessment of whether companies in the health sector are likely to be already compliant with NIS will be possible once security principles and guidelines have been finalised,” it said.

Consultation on the proposals closes on 30 September.