Hancock grants GCHQ powers over NHS IT systems

Government Communications Headquarters now has the power to make the NHS disclose any information which relates to “the security” of the health service’s networks and information systems.

The move, authorised by Mr Hancock earlier this month, appears to be an attempt to strengthen the NHS’ cyber defences amid warnings from GCHQ of a growing trend in covid-19 themed cyber attacks.

According to a government document published last week, the purpose of the new directions is to support and maintain the security of any network and information system which is held by — or on behalf of — the NHS, including systems that support NHS services intended to address coronavirus.

The same directions also apply to public health bodies.

This grants GCHQ powers it did not have previously, under the Computer Misuse Act 1990.

A spokesman for the National Cyber Security Centre, which is part of GCHQ, said the directions were part of “our ongoing commitment to protect health services during the coronavirus pandemic.

“These directions give us consent to check the security of NHS IT systems,” he added.

The spokesman said the directions “do not seek to authorise” GCHQ to receive patient data, and he added: “We have no desire to receive any patient data.”

The directions will only apply until the end of 2020.

Last month, HSJ revealed the NHS was given a six-month extension to a deadline which requires organisations to complete cyber security checks.

The NCSC has previously warned that cyber criminals are attempting to use the covid-19 outbreak to their advantage by targeting people and organisations with malware and ransomware.

The agency also warned of an increase in hackers scanning for vulnerabilities in software and remote working tools, given the increase in people working from home during the pandemic.

Meanwhile, GCHQ has been advising NHSX on the creation of its new contact tracing app. 

The Department of Health and Social Care was approached for comment.