- £21m allocated for major trauma sites to improve cyber-resilience
- Government accepts all of Dame Fiona Caldicott’s recommendations on data security
- Decision delayed on new scheme for patients to opt-out of sharing identifiable data
- Focus on cybersecurity in wake of WannaCry ransomware attack in May
The government has announced £21m in capital funding for cybersecurity at major trauma centres, as part of its long-awaited response to Dame Fiona Caldicott’s third report into NHS data security.
There will also be new regulatory scrutiny of data security for trusts and harsher penalties for serious data breaches.
Dame Fiona’s report was published last July and the government has accepted all nine recommendations for improving data security. Measures set out in the response include:
- harsher penalties for “malicious or intentional data security breaches” from May 2018;
- Care Quality Commission inspections covering data security and information governance from September; and
- holding health and care chief executives “to account” for improving cybersecurity.
While the national data guardian’s recommendations on patient opt-outs were also accepted, the government has delayed deciding how a new national scheme to allow patients to opt out of sharing their identifiable data would work. This includes whether patients would have a separate option to opt out of sharing data for research.
The response said an opt-out scheme would be in place by March 2018, but further work was needed on what shape it would take. Existing national patient opt-out schemes would be honoured until at least 2020, when it was hoped a new system would be fully in place.
The government response also confirmed the Conservative manifesto pledge to give the national data guardian a statutory footing.
In addition to £50m already announced for cybersecurity across the NHS to 2020, £21m of capital funding will be made available in 2017-18 to major trauma centres to address “infrastructure weaknesses” and improve cyber-resilience.
Health minister Lord O’Shaughnessy said the NHS needed to respond to the growing threat of cyberattacks.
“Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat,” he said.
Dame Fiona said she welcomed the government’s announcement. She said: “I believe that the implementation of my recommendations will be an important step in this process.”
In the wake of the WannaCry ransomware attack in May, which infected at least a fifth of NHS trusts, the focus of the response has also moved towards cybersecurity rather than patient consent or opt-outs. HSJ understands there was some last-minute “beefing up” of the cybersecurity element of the response after the attack.
In September 2015, after persistent privacy concerns about the NHS patient data sharing scheme Care.data, health secretary Jeremy Hunt asked Dame Fiona to again review data security, consent and opt-outs in the NHS.
The subsequent report recommended wide ranging changes, including a national model for patients to opt out of sharing identifiable data; tougher sanctions for data breaches, including possible criminal sanctions; and more regulatory oversight of data security.
In the immediate aftermath of the report, the government shelved Care.data but said it remained “absolutely committed to realising the benefits of sharing information, as an essential part of improving outcomes for patients”.
A substantive response to the Caldicott report has been repeatedly delayed, and HSJ understands this held up a renewed push to collect and share more patient data.
Several of Dame Fiona’s recommendations have already been informally adopted by parts of the NHS.
NHS Digital acted on some of the report’s recommendations last year, such as revamping the information governance tool kit, which Dame Fiona had described as a “tick box exercise”.
The CQC, which also published a report on data security in July last year, has been consulting on introducing data security requirements into its inspections.
NHS England has already introduced data security standards into its standard contract for 2017-18, which was another recommendation.
Commitments in the response include:
- Spending £21m to improve cyber resilience in trauma centres as an “urgent priority”.
- Requiring organisations to act on “critical” cyber security alerts from NHS Digital’s CareCERT team within 48 hours. Slow action on such alerts was one of the critical weaknesses exposed by the WannaCry ransomware attack in May.
- In May 2018, legislation will be introduced to protect personal data and “impose more severe penalties for data breaches and reckless or deliberate misuse of information.”
- Health and care organisations must report significant cyber incidents to NHS Digital’s CareCERT team “as soon as possible”.
- Support for NHS and social care organisations to move off or “actively manage” any unsupported systems, such as Windows XP and old browsers, by April 2018.
- NHS Digital will withdraw support for any applications running on old IT platforms, with support pulled for Windows XP in 2018.
- All organisations will be required to implement Dame Fiona’s 10 data security standards, with “clear contractual obligations and regulator action” to enforce them.
- This summer, NHS Improvement will publish a “statement of requirements” on data security requiring NHS trust chief executives to respond with a “statement of resilience”.
- Each trust will be required to designate a board member responsible for data and cyber security.
- By December 2018, people will be able to digitally monitor who accesses their summary care records.
- By March 2020, people will be able to digitally track how their personal confidential data is collected by NHS Digital and used for purposes beyond direct care.
- People will be able to opt out of sharing their data beyond direct care, although it is unclear what level of data they will be able to opt out of sharing.
- A new information governance tool kit will be released by April 2018.