An Updated Cyber Resilience Framework for Health and Social Care: A New Era of Data Security
In a significant move to bolster data security within the health and social care sectors, the National Data Guardian (NDG) and NHS England have announced an updated cyber resilience framework. This initiative is part of the Department of Health and Social Care’s ambitious ‘Cyber Security Strategy for Health and Social Care: 2023 to 2030’, which aims to align health and care organizations with cyber resilience standards seen in other sectors.
Transitioning to a New Framework
Starting from September 2, 2024, the NHS Data Security and Protection Toolkit (DSPT) will begin its transition from the NDG’s 10 data security standards to the National Cyber Security Centre’s Cyber Assessment Framework (CAF). This change marks a pivotal shift in how organizations measure and self-report their data security capabilities, moving towards a more comprehensive and current assessment mechanism.
Dr. Nicola Byrne, the NDG for health and adult social care in England, expressed her support for this transition, stating, “It represents a positive evolution, offering organizations a more current framework for evaluating and improving their data protection and cyber resilience.” Her commitment to maintaining and advancing the highest standards of data security across health and care is evident in this initiative.
The Importance of Data Security Standards
The original 10 data security standards were introduced in the NDG’s 2016 review of data security, consent, and opt-outs. These standards were designed to protect patient information by emphasizing three critical areas: people, process, and technology. However, as technology and cyber threats evolve, so too must the frameworks that govern data security.
A joint statement from the NDG and NHS England highlighted that while the core principles of the original standards remain fundamental, the rapidly changing landscape of technology and cyber threats necessitates a more advanced approach, which the CAF provides.
Guidance and Support for Organizations
As organizations prepare for this transition, NHS England will notify them when it is their turn to adopt the new framework and will provide guidance throughout the process. NHS Digital has also published CAF-aligned DSPT guidance to assist organizations in adapting to the new requirements.
Responding to Recent Cyber Threats
The urgency for this updated framework is underscored by several high-profile cyber attacks that have disrupted NHS services in recent months. For instance, pathology provider Synnovis faced a cyber attack in June 2024 that resulted in the postponement of thousands of patient appointments and operations across southeast London. Similarly, NHS Dumfries and Galloway was targeted in March 2024, leading to the publication of three terabytes of stolen patient data on the dark web by a ransomware group.
These incidents have highlighted the vulnerabilities within the health and social care sectors, prompting a reevaluation of existing security measures. In August 2024, NHS National Services Scotland confirmed that a subcontractor of a third-party supplier had experienced a cyber incident, compromising the mobile numbers of NHS staff.
Government Initiatives and Future Directions
In response to the growing threat landscape, the King’s Speech of July 17, 2024, setting out the legislative programme of Prime Minister Keir Starmer’s government, introduced a new Cyber Security and Resilience Bill. This legislation aims to expand regulation to cover more digital services and supply chains, further strengthening the UK’s cyber resilience.
Conclusion
The updated cyber resilience framework announced by the NDG and NHS England represents a crucial step towards enhancing data security in health and social care organizations. By transitioning to the National Cyber Security Centre’s Cyber Assessment Framework, these organizations will be better equipped to navigate the complexities of modern cyber threats. As the health sector continues to adapt to an evolving digital landscape, the commitment to maintaining high standards of data security will be paramount in safeguarding patient information and ensuring the integrity of health services.