NHS England to adopt new cyber security framework
- 3 September 2024
- NHS England and the National Data Guardian have announced an updated cyber resilience framework for health and social care organisations
- The NHS Data Security and Protection Toolkit will transition to using the National Cyber Security Centre’s cyber assessment framework
- This aims to align health and care with cyber resilience standards across other sectors
An updated cyber resilience framework for health and social care organisations has been announced by the National Data Guardian (NDG) and NHS England.
The change to how organisations measure and self-report their data security capabilities is part of the Department of Health and Social Care’s ‘Cyber security strategy for health and social care: 2023 to 2030’, which aims to align health and care with cyber resilience standards across other sectors.
Starting from 2 September 2024, the NHS Data Security and Protection Toolkit (DSPT) will gradually transition from using the NDG’s 10 data security standards to the National Cyber Security Centre’s cyber assessment framework (CAF) as its underpinning assessment mechanism.
Dr Nicola Byrne, the NDG for health and adult social care in England, said: “I fully support this transition to the CAF.
“It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience”.
Dr Byrne added that she is committed to supporting NHSE in “maintaining and advancing the highest standards of data security across health and care”.
The 10 data security standards were introduced in the NDG’s 2016 review of data security, consent, and opt-outs, with the aim of protecting patient information by encouraging a focus on three key areas: people, process and technology.
A joint statement from the NDG and NHSE, published on 2 September 2024, said: “While these core principles remain fundamental within the CAF, the rapidly changing landscape of technology and cyber threats requires the more advanced approach the CAF provides.”
NHSE will notify organisations when it is their turn to transition and guide them through the process. NHS Digital has published CAF-aligned DSPT guidance.
The change follows several high profile cyber attacks which have caused disruption to NHS services.
Pathology provider Synnovis is rebuilding its IT systems, following a cyber attack in June 2024, which led to thousands of patient appointments and operations being postponed across south east London.
Meanwhile, NHS Dumfries and Galloway was the target of a cyber attack in March 2024, in which three terabytes of stolen patient data was published on the dark web by a ransomware group.
The Scottish health board warned almost 150,000 patients to assume that their personal data had likely been stolen and published online following the incident.
In August 2024, NHS National Services Scotland confirmed that a sub-contractor of a third-party supplier to several NHS Scotland boards had experienced a “cyber incident”, which led to mobile numbers of NHS staff being compromised.
The King’s Speech on 17 July 2024 outlined prime minister Keir Starmer’s plans to introduce a new Cyber Security and Resilience Bill, which will expand regulation to cover more digital services and supply chains.