A final report on the Health and Social Care Information Centre’s data security programme plans is set to be completed by February next year.
An update on the programme is included in a report on its wider cyber security work for its September board meeting.
In June, the HSCIC announced that it would establish a data security programme across health and social care, after health secretary Jeremy Hunt asked the organisation to ensure that patient data is kept and treated securely across the health and social care system.
The HSCIC set out a series of proposals that the data security programme would cover, including strengthening compliance through requiring certification that organisations are meeting information governance requirements and working with commissioners, and that regulators such as the CQC include governance in the inspection regime.
The proposals also include “providing an approved framework of suppliers of services such as penetration testing, security audits, physical security and training,” and putting in place an independent audit programme and national security strategy.
The September report says the data security programme is being managed as part of the overall cybersecurity programme, and has encountered a number of delays “due to the complicated nature of the procurement process”.
“However, these have now been resolved and the project team is confident in the timelines provided in the plan.”
The report says multinational defence technology company QinetiQ has been chosen for the data security project following lengthy discussions with suppliers, and started work at the start of September.
It identifies one potential risk as a lack of positive response from over 110 health organisations that the HSCIC has contacted, looking for volunteers for a baselining exercise.
There are also risks with procurement delays due to the “complexity and scale” of the project, with the project plan revised to account for potential challenges.
The report says a first draft of the strategic outline case for the wider cybersecurity programme has been completed and sent to internal stakeholders for review, with the final case expected to go through the HSCIC’s corporate assurance panel process at the end of September.
“The final results of this project will be an agreed cyber security risk assessment which will detail the key risks and threats HSCIC should address, and a considered cyber security risk appetite which will inform future strategic decisions and programmes.”
The report says testing at the volunteer organisations will run from September to November, with development and review of the report taking place from October to December.
An interim report will be presented to the HSCIC in mid-December, with a final approval and refinement process running from January to February 2015.
An HSCIC spokesperson told EHI: “Following a comprehensive engagement process with the supplier community, QinetiQ was selected to work with the HSCIC on the Assuring Data Security Project.
“The complex and important process of developing a detailed delivery specification and plan is well underway, in close consultation with a range of stakeholders.
“The initial scope of the project extends to health organisations and engagement work has begun with volunteer organisations. This period also signals a significant amount of testing, review and refinement stages over the coming months.”