Cyber Security Bill will prevent future attacks on NHS, says DSIT
- 2 October 2024
- New cyber security legislation will prevent attacks similar to the Synnovis ransomware attack, the Department of Science, Innovation and Technology said
- The Cyber Security and Resilience Bill will be introduced to Parliament in 2025
- It is intended to ensure critical infrastructure is secure and protect the supply chain
New legislation to improve UK cyber defences and protect public services will prevent attacks similar to the ransomware attack impacting London hospitals, according to the Department of Science, Innovation and Technology (DSIT).
The Cyber Security and Resilience Bill, which is due to be introduced to Parliament in 2025, was first announced in the King’s Speech on 17 July 2024.
In a statement published on 30 September 2024, the DSIT says: “This Bill will fill an immediate gap in our defences and prevent similar attacks experienced by critical public services in the UK, such as the recent ransomware attack impacting London hospitals.”
The attack on pathology provider Synnovis in June 2024 led to more than 10,000 outpatient appointments and 1,693 elective procedures being postponed across King’s College Hospital and Guy’s and St Thomas’ Hospital, as well as causing disruption to GP services in south east London.
“Recent cyber attacks affecting the NHS and Ministry of Defence show the impacts can be severe.
“Our laws have not kept pace with technological change so we need to take swift action to address vulnerabilities and protect our digital economy to deliver growth.
“The Bill will strengthen the UK’s cyber defences and ensure critical infrastructure and the digital services companies rely on are secure,” DSIT says.
It adds that the Bill will expand the remit of the existing regulation to protect more digital services and supply chains.
The Bill is also intended to put regulators “on a strong footing” to ensure essential cyber safety measures are being implemented and mandate increased incident reporting to give government better data on cyber attacks.
Cyber security expert Dr Saif Abed, founding partner and director of the AbedGraham Group, told Digital Health News: “It’s still too early to tell but ideally this bill will impose strict security requirements on digital and clinical suppliers to the NHS.
“It should include mandatory compliance audits and strengthen the regulator so that they can punish non-compliant suppliers.
“A great way to achieve this is to harmonise with the European Union’s NIS2 and Cyber Resilience Act directives and regulations that are coming into force.”
Speaking at the Health Excellence Through Technology conference on 24 September 2024, Beverley Bryant, strategic advisor in the frontline digitisation team at NHS England, said that the cyber attack on Synnovis might not have happened if two-factor authentication had been in place.
Meanwhile, the National Data Guardian and NHS England announced the rollout of an updated cyber resilience framework for health and social care organisations in September 2024.