Organisations should appoint a board lead on data security and consider suspending IT access for any executive who fails to complete annual cybersecurity training, NHS England’s chief information officer has suggested.

Will Smart makes the proposals in his “lessons learned” review of the WannaCry attack, which hit 35% of NHS trusts in May last year and led some to divert ambulances from their A&E departments.

The paper includes 22 formal recommendations, many of which are changes at a national level – including the appointment of a chief information and security officer at NHS Digital.

But there are also several requests made of local organisations. And while the paper makes clear suspension of access is not “formally” recommended in the event of non-completion, it does state cybersecurity training should be made mandatory for all board members.

It also says boards must “regularly review” cybersecurity risks, and appoint a member to lead on data security issues.

Among the other recommendations related to local NHS organisations are:

  • Ensuring all staff have “regular and targeted cyber and information security awareness training appropriate to their job role”
  • Developing a local action plan to ensure compliance with the government’s Cyber Essentials Plus standard by June 2021
  • For NHS provider bodies, ensuring compliance with the new Data Security Protection Toolkit – to be available from April 2018 – and providing NHS Digital with details of compliance by March 2019
  • For CSUs, taking responsibility for coordinating a cyber response across primary care and CCGs
  • Ensuring disaster plans include cybersecurity, and that they assess the impact a loss of IT services would have on the healthcare system
  • Ensuring that contracts with IT suppliers “factor in and budget for” keeping software up to date, including security patches

The paper, which will be considered at this week’s NHS England board meeting, emphasises “action is required” to ensure sufficient IT staff are in post to support systems within organisations.

It suggests that pooling of resources will be critical in the event of a cybersecurity incident, and envisages sustainability and transformation partnerships as being a means of doing this.

On funding, the paper details that the additional £21m made available after WannaCry – used to address “key vulnerabilities” in major trauma centres and ambulance trusts – was diverted from the Personalised Health and Care 2020 programme.

This is the national scheme designed to ensure the NHS becomes paperless at the point of care.

The review goes on to describe a “rigorous reprioritisation exercise” as being underway across the whole NHS IT portfolio. The stated aim is to identify additional cybersecurity investment between 2018/19 and 2020/21.