GCHQ powers to access NHS IT systems is extended

The UK’s intelligence and security organisation powers to access information from NHS IT systems has been extended.

Government Communication Headquarters (GCHQ) was granted additional powers by former health secretary, Matt Hancock, in April 2020 in order to allow the organisation to request anything “relating to the security of any network and information system”.

The powers were due to remain in place until December 2020 but were extended, and have since been extended again to last until December 31 2021.

A direction, signed by the health secretary, states during the Covid-19 crisis “the network and information systems held by or on behalf of the NHS in England, or those bodies which provision public health services in England, must be protected to ensure those systems continue to function to support the provision of services intended to address coronavirus”.

The attempt to bolster cyber security during the pandemic allows GCHQ to request information held by or on behalf of the NHS and supports the provision of NHS services related to coronavirus for the purpose of “supporting and maintaining the security of any network and information system”.

The powers also cover networks and information systems which, if their security is impaired, affects the ability of the NHS to provide Covid-19 services.

A National Cyber Security Centre spokesperson confirmed there had been no changes to the directions given to GCHQ since the powers were granted in April 2020.

“This is part of our ongoing commitment to protect health services during the coronavirus pandemic,” they said.

“We have no desire to receive any patient data, and the directions do not seek to authorise this.”