The NHS has published the 2017/18 Data Security and Protection Requirements. They are a direct response to recent incidents, especially the WannaCry ransomware attack. They also address the ten data security standards recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care.
All health and care organisations must take these steps before April 2018, when the new assurance framework comes into force. It covers both public and private organisations delivering health and care services. What is interesting is that the Care Quality Commission (CQC) has been charged with managing the process. Part of that process is to make sure that data security is part of any and all inspections.
This raises several questions. The first is where organisations will get the skills and expertise required to ensure data is kept secure. Many care homes already claim they are barely breaking even. Bringing in costly cyber and data security experts will be a significant challenge for them. The same question around expertise and skills can be asked of the CQC, which also lacks funding and the relevant experts in this area.
It is also not clear what penalties are likely to be levied on those organisations that do not comply. Interestingly, the document gives health and care providers an opt-out: provided they are not delivering NHS care through the NHS Standard Contract, they are exempt from the data security obligations. This will be seen as a major fudge and one that the NHS needs to close.
One solution for private sector companies providing health and care services might be to give them access to the G-Cloud. This would allow them to acquire services at the same rate as public sector bodies. For those working through the NHS Standard Contract it would seem reasonable to provide G-Cloud support. For others, access to lower cost services through G-Cloud would seem a reasonable step, especially if it removed the exemption the NHS has provided.
What are the 2017/18 data security requirements?
The requirements are split into three main sets, each aimed at a different audience: people, processes and technology. They cover:
- People: This sets out clearly the need for a Senior Information Risk Officer. Interestingly, it calls for them to be a board-level member where applicable. This is a sensible move that private companies need to follow. It also requires organisations to provide the right level of training in data security and protection. Unfortunately it makes this annual rather than ongoing training. There are also two more serious requirements covering the Information Governance Toolkit v14.1 and the GDPR checklist. The latter is to be published by NHS Digital at a later date.
- Processes: There is a restatement and tightening up of how CareCERT advisories are dealt with. It is now a requirement that any High Severity CareCERT advisory is acted on within 48 hours. As reliance on IT grows, organisations must also prove they have continuity planning, which is intended to prevent the cancellations of treatment seen in the aftermath of WannaCry. Staff are also required to report any and all incidents to the organisation and to CareCERT.
- Technology: There is now clear guidance around what to do with unsupported systems. Many healthcare organisations are running old versions of software. These are no longer supported by vendors and therefore prone to attack by hackers. They are also required to: “Have a plan in place by April 2018 to remove, replace or actively mitigate or manage the risks associated with unsupported systems.” On top of this there is an obligation to undertake on-site cyber and data security assessments and act on the findings. Suppliers must also meet new stricter certifications.
How will the NHS measure progress from 2018/19?
One of the interesting parts of this document is that it is taking a long view on the issue. It has set out how organisations can measure progress in implementing the ten data security standards and compliance with data protection legislation. There will be a new Data Security and Protection Toolkit from April 2018 and this is already being tested across a number of different health and care organisations.
The document contains several references to the NCSC cyber security advice. This makes sense and implies that there is a move to standardise how data and cyber security is managed across the NHS. It also suggests that there is a concerted move to ensure best practice is applied across both public and private sector organisations.
The document sets out five key dates that all organisations should take note of. Each of these will require them to take action. They are:
- November 2017: The replacement for the Information Governance Toolkit, the new Data Security and Protection Toolkit will be piloted with users.
- February 2018: All organisations will have access to the new Data Security and Protection Toolkit from January 2018 to familiarise themselves with the approach to measuring implementation and compliance and consider how they might apply to their organisation from April 2018.
- April 2018: Further guidance will be published to support organisations to use the new Data Security and Protection Toolkit.
- April 2018: All organisations will now be required to complete the new Data Security and Protection Toolkit.
- May 2018: The EU General Data Protection Regulation and the Security of Network and Information Systems Directive come into force. This will increase the legislative data security and protection requirements on health and care organisations.
What does this mean?
This is a good response to what has been a torrid period for the NHS. It doesn't matter what caused its problems; there is finally a sensible and coherent plan in place to improve data and cyber security. The two big issues here are cost and legacy solutions. Doing all of this will require expertise, and in the security field good expertise does not come cheap. Replacing obsolete systems will also add a cost burden to many budgets already under pressure. Will this come at the expense of future investment?
According to Rob Bolton, Director, and GM, Western Europe, at Infoblox: “Unlike more traditional enterprises, many healthcare organisations fear that the specialised legacy equipment and software may not run on more modern releases. This has resulted in a slower shift towards more modern operating systems in some organisations, where there are concerns around potential disruption to ongoing patient care if these critical solutions were to be disrupted.”
Bolton goes on to say: “The first step for many NHS Trusts will be to identify these unsupported or out of compliance systems. Without accurate asset inventories of what’s on the network, organisations will face the challenge of not being able to patch that which they don’t know exists.”
Public bodies will be able to draw on G-Cloud to get help with these issues. The NHS should look at how it can extend G-Cloud support to those private sector organisations that work in the health and care arena. This is a complex problem and one that is harder to fix than it might seem. There are contracts and other issues in place and the NHS has to be careful about how it imposes costs on its suppliers. However, if the NHS does not do this then it runs the risk of this becoming another expensive failure.