The eagerly anticipated government response to Dame Fiona Caldicott’s data security review has been released promising a multi-million pound boost to cyber-security fund and tougher penalties for data protection.
Published by Department of Health on 12 July, the report says that there will be an additional £21 million of capital funds investment to strengthen cyber-protection, initially of major trauma sites. This will be in addition to the £50 million fund already promised for NHS cyber security.
The government’s response says it accepts all 10 of the data security standards recommended by Dame Fiona Caldcicott’s report last summer. Today’s government response says the NHS Standard Contract 2017/18 has been changed so that NHS organisations must adopt these data security standards.
Dame Fiona’s report, published in July 2016, said that trusts should make security control as high a priority as financial control, and recommended a significantly tougher Information Governance Toolkit for trusts.
The NDG will be put on a statutory footing, which had been a Conservative manifesto commitment, and from May 2018 data protection legislation for new stronger sanctions will be introduced. The government is promising with severe penalties for negligent or deliberate re-identification of individuals.
Dame Fiona said that “new technological advances offer extraordinary opportunities for patient data to be used to improve people’s individual care and to improve health, care and services through research and planning”.
“We will only be able to harness those opportunities if the public trusts that the health and care system is doing all it can to keep patient data secure, to meet their expectations on confidentiality and to be transparent. I believe that the implementation of my recommendations will be an important step in this process and very much welcome the Government announcements today.”
The 12 May 2017, WannaCry attacks which saw parts of the NHS severely affected feature heavily in today’s response to the report.
The government has also said that the healthcare regulator, the Care Quality Commission, will assess cyber-security as part of its inspections.
Helen Stokes-Lampard, Chair of the Royal College of GPs, said the cyber-attack was a “wake-up call to many of us working in the health service about the fragility of the IT systems we are using, not just to keep our patients’ data safe, but to keep our surgeries functioning”.
There will also be a requirement for each organisation to have a named executive board member responsible for cyber-security. “Data security simply will not improve across the health and social care system without strong board level leadership which views and prioritises data security as importantly as financial integrity and clinical safety”, the report said.
The report said that it is a now a requirement that “significant cyber-attacks to be reported by health and care organisations to CareCERT as soon as possible following detection”.
Health minister, Lord O’Shaughnessy, said that “the NHS has a long history of safeguarding confidential data, but with the growing threat of cyber-attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS”.
Will Smart, NHS England chief information officer, will publish a review into the cyber-attacks October 2017. Immediate lessons learned include:
- Organisations must implement critical CareCERT alerts
- NHS England and NHS Improvement must follow up critical CareCERT alerts within 48 hours to ensure action has been taken
- Organisations should move away from unsupported systems by April 2018
The new information governance toolkit, currently under development by NHS Digital, will be in place by April 2018, the report said.
The government has also recognised the challenges specific to the primary care community, who are dependent on Clinical Commissioning Groups and GP systems suppliers for their IT provision.
“We will work with the GP systems suppliers to make sure the technology used in general practice is secure by default, and we will work with the primary care community to ensure that data security training meets its specific needs”, the report said.