Cyber security plans outlined amid 'mounting concern' of attacks

The proposals include establishing a contingency fund to deal with any future “system-wide security incident”, and a new cyber security certification scheme for all NHS organisations, from hospitals to GP practices.

They also include plans for a new “cyber readiness technology fund” to support improvements by NHS organisations. The proposals are set out in a new report by the HSCIC’s information assurance and cyber security committee.

It comes as the NHS is expecting to learn imminently of the findings of two major reviews on patient data security standards: national data guardian Dame Fiona Caldicott’s report on safeguarding patient data; and the Care Quality Commission’s review of the NHS’s current handling of confidential patient information.

The HSCIC paper, the Information assurance and cyber security report 2015-16, is to be discussed at the information centre’s board meeting on Wednesday. It says the committee’s attention was drawn to “mounting concern amongst resilience practitioners on the cyber threats to health data faced both within the UK and globally”.

It adds: “Cyber security is recognised as a top level Tier 1 risk by government and established as one of the key risks which executive boards are now considering as core to their business strategy and management.”

Its proposals, many of which require fresh funding, include:

• A “national incident fund”, which would be used “to establish a national call-off contract which can be utilised in the event of a system -wide cyber security incident affecting a large proportion of health and social care organisations”.
• An “on-site assurance scheme for health organisations designed to assess ‘cyber-readiness’ [called] CareCERTified… Over the proposed four -year funding period, CareCERTified will aim to assess all GP practices, clinical commissioning groups, trusts, and arm’s length bodies in the NHS”.
• A “cyber readiness technology fund – to provide capital and revenue streams [for NHS organisations]”.

The information centre’s cyber security review launched back in 2013, as set out by the body’s chair Kingsley Manning during an exclusive HSJ interview.

Developments to date include the establishment in September of the Care Computing Emergency Response Team, known as CareCERT, to help bodies affected by cyber crime.

The CQC was ordered “to review the effectiveness of current approaches to security by NHS organisations when it comes to handling confidential patient information,” by health secretary Jeremy Hunt in September 2015.

The review includes establishing how new standards set by Dame Fiona “can be assured through CQC inspections, NHS commissioning processes and any other potential mechanisms,” according to the information centre report.

Dame Fiona’s review is expected to set out “a new set of data security standards for health and social care [which] are likely to be published in spring 2016,” the report adds.