Out-Law News

NHS bodies and contractors given six months to plan for dealing with 'unsupported systems'


NHS bodies and their contractors have been given until April 2018 to outline plans to "remove, replace or actively mitigate or manage the risks associated with unsupported systems", meaning software and devices that no longer receive security updates from their vendor.

The requirement has been set out by the Department of Health (DoH) and NHS England and comes after a ransomware attack earlier this year disrupted services at least 34% of NHS trusts in England. The 'WannaCry' attack exploited a vulnerability in the SMBv1 file-sharing service of Microsoft Windows, software operated by many organisations around the world. Microsoft had released a security update for that vulnerability in March 2017, roughly two months before the attack, so systems that had applied the patch, or that were no longer receiving patches at all and had not been otherwise mitigated, determined which organisations were exposed.

The 2017/18 data security and protection requirements set out by the DoH and NHS England (13-page / 446KB PDF) are designed to implement recommendations on data security in the health and care sectors made last year by the National Data Guardian for health and care in England, Dame Fiona Caldicott. The Department of Health confirmed earlier this summer that it would accept Caldicott's recommendations, which were published alongside a separate review carried out by the Care Quality Commission (CQC) into how data is safely and securely managed in the NHS.

Under the new requirements, staff at NHS bodies, their contractors and GP surgeries must complete "appropriate annual data security and protection training" and the organisations must also name a senior executive who is responsible for data and cybersecurity.

"Ideally this person will also be your Senior Information Risk Owner (SIRO), and where applicable a member of your organisation’s board," the guidance said.

The requirements also state that the organisations must "undertake an on-site cyber and data security assessment" when invited to do so by NHS Digital, and act on any recommendations made following the conclusion of that assessment.

A recent report by the National Audit Office (NAO) into the NHS' handling of the WannaCry attack found that NHS Digital had conducted an on-site cybersecurity assessment at 88 out of 236 trusts in England prior to the incident and that "none had passed". The report said, however, that "NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organisation".

The new data security and protection requirements also oblige NHS trusts to check that their IT suppliers have the relevant certifications for carrying out work in the NHS, including certification under the government's Cyber Essentials scheme.

The organisations are also required to have "a comprehensive business continuity plan … in place to respond to data and cyber security incidents" and have a procedure for staff to "report data security incidents and near misses" and for those incidents to be shared with the Care Computer Emergency Response Team (CareCERT), which issues advisories on handling cyber risks in the NHS.

A new data security and protection toolkit will apply to NHS organisations from April 2018.
