IG Toolkit to be scrapped as part of security reboot – Shaw

The information governance toolkit is likely to be “scrapped” as part of a packet of funding to improve cyber security in the NHS.

Speaking at EHI Live 2016, NHS Digital chief operating officer Rob Shaw said the current IG Toolkit was not delivering value.

“It doesn’t mean anything for you and it doesn’t mean anything for us,” he said. “We are trying to scrap the IG Toolkit.”

NHS Digital is planning to make a replacement information governance assurance system simpler. It is also likely to drop the link between a system and access to the N3 network or its successor HSCN, which will be available next year.

“It [IG toolkit] doesn’t give you anything. We are looking to change that. We are looking to make it more meaningful, looking to make it light-touch.”

Changes to the IG Toolkit were suggested in Dame Fiona Caldicott’s third review into information governance and data security in the NHS, released in July.

Shaw said health secretary Jeremy Hunt has specifically asked for the changes as part of the provision of extra funding to improve data security in the NHS, which will be delivered via a ‘cyber tech fund’.

In February, Hunt disclosed that the Treasury had set aside £4.2 billion of funding for NHS IT over the next five years, with £1 billion of this earmarked for cyber security initiatives and sorting out the NHS ‘long running problems with information governance and consent’.

Shaw told EHI Live: “This has been prioritised as one of the priority programmes.” However, he would not say how much funding was being made available.

He did say money would also be made available to improve security practices across the NHS, at a trust level, to reduce the risk of cyber-attack.

This will include helping trusts to move off, or isolate, obsolete technology and software, such as Windows XP or older unsupported browsers.

“Not all organisations can afford to do it, so we want to be able to say we can spend some capital in the right places to be able to support the NHS to protect itself.”

Much of this work is being done through NHS Digital’s CareCERT unit, set-up in September last year to improve data security in the NHS.

The unit is doing security “assurance assessments” of 100 NHS organisations this year and is planning more next year.

The fund is also supporting CareCERT’s national network monitoring, where Shaw said attempted cyber-attacks are regularly thwarted.

The focus on cyber security comes amid growing concerns about cyber threats to the NHS, which holds masses of sensitive patient data on often old and unsupported systems.

Even as Shaw was speaking, Northern Lincolnshire and Goole NHS Foundation Trust was struggling to contain a virus that had forced the shutdown of most of its systems.

In a bid to clean them, it has cancelled the majority of its appointments and operations across three hospitals for three days.

Shaw said NHS Digital was "engaged" with the trust, as was the Department of Health and NHS England but it was too early to comment in detail on a live incident.

“This wasn’t a big massive attack in terms of how it manifested itself,” he said. “It’s the impact that it had. “We will work with that trust and we have offered help to that trust to make sure they have remediated appropriately.”