22 Mar 2023
by Alex Lawrence

Government sets out strategy to protect NHS from cyber attacks

Read techUK's summary of the new government paper 'A cyber resilient health and adult social care system in England: cyber security strategy to 2030'.

The Government has released a plan [22 March] to promote cyber resilience across health and care by 2030, outlining 5 key ways to build this resilience across DHSC, NHS organisations, local authorities, independent social care providers, and suppliers:

  1. Focus on the greatest risk: identifying where in the sector disruption would cause the greatest harm, e.g. critical services being unable to function
  2. Defend as one: bringing the sector together to enable it to take advantage of national resources
  3. People and culture: improving on the current culture to ensure the cyber workforce grows and the workforce in general is upskilled
  4. Build secure for the future: embedding security into the framework of emerging technology
  5. Exemplary response and recovery: supporting every health and care organisation to minimise the impact and recovery time of a cyber incident

The Strategy makes clear that cyber security is a key aspect of improving patient care and the safety of frontline staff, as well as building trust and, in turn, fostering innovation.

This plan will ensure health and care organisations are set up to meet the challenges of the future – identifying vulnerable areas and better utilising resource and expertise. The Strategy highlights that cyber security within health and care is decentralised, with Integrated Care Systems responsible for bolstering cyber resilience across their area since the move to statutory footing in July 2022. This fragmentation and geographic distribution across the nation creates complexity in maintaining a link to the direction set by the government, and the strategy aims to provide clarity on the roles of national teams, ICSs, health and care leaders, the cyber workforce, employees, and third-party suppliers.

Despite this devolution, the UK is united by the vision set out in the Government Cyber Security Strategy 2022 to 2030. The strategy pledges to continue to work collaboratively with the devolved governments towards a more cyber resilient UK-wide health and social care system.

The strategy sets out several other challenges, including:

  • High operational pressures, exacerbated by the pressures of the pandemic
  • Size and diversity of the sector
  • Complex supply chain with each provider using many suppliers
  • Unclear accountability
  • Limited cyber workforce
  • Fast pace of growth and development in the digital, data and technology space
  • Legacy technology

Later this year a full implementation plan will be published setting out activities and defining metrics to build and measure resilience over the next 2-3 years. The work will include:

  • Enhancing the NHS England Cyber Security Operations Centre
  • Publishing a comprehensive and data-led landscape review of cyber security in adult social care
  • Updating the Data Security and Protection Toolkit (DSPT) to empower organisations to own their cyber risk

techUK have an upcoming Cyber Security Summit, held at our London offices and organised alongside the NHS Transformation Directorate on 10th May. Sign up here to attend.

Find out more about techUK’s work in cyber security here.

Authors

Alex Lawrence

Programme Manager, Health and Social Care, techUK