The eagerly anticipated government response to Dame Fiona Caldicott’s data security review has been released, promising a multi-million pound boost to cyber-security funding and tougher data protection penalties.
Published by the Department of Health on 12 July, the report says that there will be an additional £21 million of capital investment to strengthen cyber-protection, initially at major trauma sites. This will be in addition to the £50 million fund already promised for NHS cyber security.
The government’s response says it accepts all 10 of the data security standards recommended by Dame Fiona Caldicott’s report last summer. Today’s government response says the NHS Standard Contract 2017/18 has been changed so that NHS organisations must adopt these data security standards.
Dame Fiona’s report, published in July 2016, said that trusts should make security control as high a priority as financial control, and recommended a significantly tougher Information Governance Toolkit for trusts.
The National Data Guardian (NDG) will be put on a statutory footing, which had been a Conservative manifesto commitment, and from May 2018 new data protection legislation will introduce stronger sanctions. The government is promising severe penalties for negligent or deliberate re-identification of individuals.
Dame Fiona said that “new technological advances offer extraordinary opportunities for patient data to be used to improve people’s individual care and to improve health, care and services through research and planning”.
“We will only be able to harness those opportunities if the public trusts that the health and care system is doing all it can to keep patient data secure, to meet their expectations on confidentiality and to be transparent. I believe that the implementation of my recommendations will be an important step in this process and very much welcome the Government announcements today.”
The 12 May 2017 WannaCry attacks, which saw parts of the NHS severely affected, feature heavily in today’s response to the report.
The government has also said that the healthcare regulator, the Care Quality Commission, will assess cyber-security as part of its inspections.
Helen Stokes-Lampard, Chair of the Royal College of GPs, said the cyber-attack was a “wake-up call to many of us working in the health service about the fragility of the IT systems we are using, not just to keep our patients’ data safe, but to keep our surgeries functioning”.
There will also be a requirement for each organisation to have a named executive board member responsible for cyber-security. “Data security simply will not improve across the health and social care system without strong board level leadership which views and prioritises data security as importantly as financial integrity and clinical safety”, the report said.
The report said that it is now a requirement that “significant cyber-attacks to be reported by health and care organisations to CareCERT as soon as possible following detection”.
Health minister, Lord O’Shaughnessy, said that “the NHS has a long history of safeguarding confidential data, but with the growing threat of cyber-attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS”.
Will Smart, NHS England chief information officer, will publish a review into the cyber-attacks in October 2017. Immediate lessons learned include:
- Organisations must implement critical CareCERT alerts
- NHS England and NHS Improvement must follow up critical CareCERT alerts within 48 hours to ensure action has been taken
- Organisations should move away from unsupported systems by April 2018
The new information governance toolkit, currently under development by NHS Digital, will be in place by April 2018, the report said.
The government has also recognised the challenges specific to the primary care community, who are dependent on Clinical Commissioning Groups and GP systems suppliers for their IT provision.
“We will work with the GP systems suppliers to make sure the technology used in general practice is secure by default, and we will work with the primary care community to ensure that data security training meets its specific needs”, the report said.
29 August 2017 @ 17:39
Is there an audit trail for the patient or not? We should be told. CCG says see GP. GP says see CCG OR FILE A COMPLAINT.
29 August 2017 @ 17:35
Closing the stable door…. I was one such victim of carelessness and blatant negligence. Instead of pursuing a complaint as supported by my MP and Dame Fiona, I decided to try to take on the many headed hydra and get closure by a less draconian measure, knowing I’d never eat lunch in this town again if taking on the NHS. Quelle erreur. After 18 months of obfuscation, every attempt has been blocked, websites have disappeared, an entire GP practice has dissolved, whole depts in the Trust hospital HQ likewise… Not one body can confirm the record is “shut off” as however thoroughly it is logically deleted, it will pop up even at an optician appt. During these 18 months of perpetual distressing limbo and weight loss, NHS Digital, quangos, franchises, CAPITA (who he?), HSCIC have sent the SAR when this is A Data Protection and FOI matter. I need to know who accessed my record and when, when unknowingly opted in without permission, whether they still are able to, and if services like opticians, dentists and pharmacists will see it on their terminals. Needless to say this is the tip of the iceberg as it is inextricably linked to a cover up and blatant attempt at discrediting me following two poor surgical outcomes. But I have tenaciously clung to the naive belief that the truth will out.
13 July 2017 @ 12:39
So when do we phase out Windows 7? Might as well do that now, rather than wait, oh but hang on, how many systems won’t work with 8/8.1/10? Going to take a long time, especially as there are still XP boxes out there without any proper support.
12 July 2017 @ 16:49
There are five requirements for good NHS cyberprotection:
1. Enough money, ringfenced, for the replacement of obsolete hardware and software
2. Clear, easily recognisable and easy-to-follow standards for cybersecurity. (Increased DPA fines and impossible-to-follow regulations such as GDPR are NOT a solution)
3. Thorough policing of these standards with penalties for organisations and individual managers who fail to implement them.
4. Attention to the workload of staff so they are given time to think and query suspicious emails.
5. Mandatory board-level involvement
12 July 2017 @ 20:04
Can’t find that much to disagree with on that list.
14 July 2017 @ 10:06
Thoroughly agree with everything on that list, especially 2). We really need some health-specific privacy and data protection legislation, like in the US, with guidelines which can be practically implemented. IG departments working on general principles either tend to the most risk-averse options and inhibit patient data sharing and care as a result or go the other way and allow things like DeepMind to happen. 5) is the most important though – this starts with leadership.
12 July 2017 @ 16:13
“Organisations should move away from unsupported systems by April 2018” – like, er, XP which was meant to be phased out by was it 2016? So long ago I forget even though I replaced an XP box recently and I think a few may still be lurking.