HSCIC launches cyber security service
- 3 September 2015
A new NHS cyber security service will be up and running by January 2016, the Health and Social Care Information Centre has announced.
CareCERT (the Care Computing Emergency Response Team) will be run by the HSCIC, with funding from the Cabinet Office National Cyber Security programme, and will be phased in from this autumn.
In a statement, the centre said CareCERT will “enhance cyber resilience across the health and social care system” by looking for emerging threats and advising healthcare organisations on what to do about them.
It will also provide “incident response expertise” for the management of cyber security incidents.
Rob Shaw, the HSCIC’s director of operations and assurance services, said: “CareCERT will be a valuable resource, providing best practice guidance to support organisations in keeping their information safe and secure.
“The service will monitor for system wide threats and will then make sure that appropriate actions are developed, supporting continued security across the sector.”
Speaking at the NHS Expo in Manchester today, Daniel Taylor, the HSCIC's cyber security programme head, said the new centre would be backed up by the creation of 'cyber champions'.
A pilot will involve 100 IT or security professionals, who will complete a qualification in cyber security and then work to embed best practice in their organisations. The HSCIC has already written to healthcare organisations asking for nominees to become champions.
The HSCIC announced in June 2014 that it was looking to establish a data security programme, after being asked by health secretary Jeremy Hunt to find ways to make sure that patient data is kept and handled securely across the health and social are system.
It set out a series of proposals for what a programme might cover, including certification for compliance with information governance requirements, building data security issues into the NHS inspection regime, and developing a national security strategy.
Many of these elements have been taken forward, with Hunt using a data breach by 56 Dean Street in Soho yesterday to emphasise the importance of new measures to rebuild and retain public confidence in the security and handling of health and social care data.
The Care Quality Commission will be asked to undertake an investigation into data security across the NHS, while Dame Fiona Caldicott will draw up new protocols against which NHS organisations can be inspected by the CQC from next April.
The HSCIC has been working with defence technology company QinetiQ to work out what cyber security risks it should address, and how this should be done.
Taylor stresset that the cyber security programme is about defending against potential future threats. He said the risk of security breaches will increase as access to medical data is extended, particularly to patients.
“We need to make sure we are ahead of the curve. This is not about what’s happening now, but what will that look like in two years' time. How do we defend against emerging threats to ensure we are not taken by surprise?”
He added that the HSCIC will issue cyber security alerts on a monthly, weekly and even daily basis, depending on what is necessary, and the alerts will include information on how organisations should deal with specific attacks.
The establishment of CareCERT also comes against a backdrop of wider government action to address cyber-security in UK public bodies, academic organisations, and business.
In its statement, the HSCIC said CareCERT will work with GovCertUK, which acts as the computer emergency response team for the UK government, and CERT-UK, which has a remit to work with industry to improve the UK’s cyber resilience.