  • Information centre to discuss raft of cyber security proposals
  • Proposals include call for central contingency fund to deal with a system-wide security incident
  • There is “mounting concern” among experts about cyber attacks on patient data, report says

The Health and Social Care Information Centre will this week consider a raft of proposals to improve the NHS’s cyber security amid experts’ “mounting concern” about attacks on health service data.

The proposals include establishing a contingency fund to deal with any future “system-wide security incident”, and a new cyber security certification scheme for all NHS organisations, from hospitals to GP practices.

They also include plans for a new “cyber readiness technology fund” to support improvements by NHS organisations. The proposals are set out in a new report by the HSCIC’s information assurance and cyber security committee.

It comes as the NHS is expecting to learn imminently of the findings of two major reviews on patient data security standards: national data guardian Dame Fiona Caldicott’s report on safeguarding patient data; and the Care Quality Commission’s review of the NHS’s current handling of confidential patient information.

The HSCIC paper, the Information assurance and cyber security report 2015-16, is to be discussed at the information centre’s board meeting on Wednesday. It says the committee’s attention was drawn to “mounting concern amongst resilience practitioners on the cyber threats to health data faced both within the UK and globally”.

It adds: “Cyber security is recognised as a top level Tier 1 risk by government and established as one of the key risks which executive boards are now considering as core to their business strategy and management.”

Its proposals, many of which require fresh funding, include:

  • A “national incident fund”, which would be used “to establish a national call-off contract which can be utilised in the event of a system-wide cyber security incident affecting a large proportion of health and social care organisations”.
  • An “on-site assurance scheme for health organisations designed to assess ‘cyber-readiness’ [called] CareCERTified… Over the proposed four-year funding period, CareCERTified will aim to assess all GP practices, clinical commissioning groups, trusts, and arm’s length bodies in the NHS”.
  • A “cyber readiness technology fund – to provide capital and revenue streams [for NHS organisations]”.

The information centre’s cyber security review launched back in 2013, as set out by the body’s chair Kingsley Manning during an exclusive HSJ interview.

Developments to date include the establishment in September of the Care Computing Emergency Response Team, known as CareCERT, to help bodies affected by cyber crime.

The CQC was ordered “to review the effectiveness of current approaches to security by NHS organisations when it comes to handling confidential patient information,” by health secretary Jeremy Hunt in September 2015.

The review includes establishing how new standards set by Dame Fiona “can be assured through CQC inspections, NHS commissioning processes and any other potential mechanisms,” according to the information centre report.

Dame Fiona’s review is expected to set out “a new set of data security standards for health and social care [which] are likely to be published in spring 2016,” the report adds.

Other proposals in the HSCIC report include establishing:

  • A “coherent and consistent set of training/e-learning content which incorporates all aspects of information governance, data protection, information sharing, cyber security and data security”.
  • An “advanced network monitoring” system “to stop malicious traffic leaving the N3 network; blocking the loss of data including patient identifiable and sensitive information caused by Malware and other cyber-attack vectors from leaving the network and keeping information safe”.
  • “CareCERT React – to support local organisations to own and take appropriate and timely steps to minimise the impacts of cyber-attack”.
  • A new data security toolkit to support organisations to implement Dame Fiona’s recommendations.