The new National Cyber Security Centre became operational this week, and some of its first goals will be improving security practices in the NHS.
The centre has already been working closely with NHS Digital, and particularly with its CareCERT unit, which was set-up in September last year to protect, detect and respond to cyber security threats.
Speaking at the UK Health Show in London last week, the centre’s new health lead, Alison Whitney, said the sheer scale and complexity of the NHS meant it needed to be approached differently.
“There are 1.2 million users, and somewhere between 20,000 and 40,000 organisations… so I knew that the kind of models and approaches we used for central government just weren’t going to work.”
The centre will work primarily with national organisations, rather than with trusts, and particularly with the Department of Health, NHS England, NHS Digital and the Care Quality Commission.
The big focus will be on ensuring the integrity of large scale systems and networks, Whitney said.
This will include offering expert advice about the upcoming Health and Social Care Network, and helping to embed the recommendations of Dame Fiona Caldicott’s third review into data security and patient opt-outs into the NHS.
“It’s about supporting delivery of data quality and security across what is a really diverse sector.”
Another initiative that is being pursued is working with the CQC to include more cyber security focused questions in its inspections.
“We can get them to ask the right sort of questions about data security; [questions] that can influence some positive behaviours that will affect everybody.”
The centre is also looking into standards for anonymising data, which should be welcomed by NHS Digital, since it is currently facing an ICO complaint from MedConfidential over its anonymising practices.
“We are going to be drawing some research into anonymisation and hoping we can turn that into practical guidance.”
The National Cyber Security Centre was set-up to consolidate several disparate government cyber organisations, including the CESG or information arm of GCHQ, the Centre for the Protection of National Infrastructure, CERT-UK and the Centre for Cyber Assessment.
Ciaran Martin, who was director general of cyber at GCHQ, had been appointed chief executive but will continue to report to GCHQ in her new role.
Earlier at the UK Health Show, NHS Digital operations director Rob Shaw outlined how the work of the CareCert unit had uncovered frequent cyber-attacks on the NHS, from bedroom hackers to potentially state-sponsored attacks.
NHS Digital has recently expanded its CareCERT programmes to offer new services to help trusts defend against cyber-attacks and a support team to help them respond to a successful attack.