NHS England to adopt new cyber security framework
- 3 September 2024

- NHS England and the National Data Guardian have announced an updated cyber resilience framework for health and social care organisations
- The NHS Data Security and Protection Toolkit will transition to using the National Cyber Security Centre's cyber assessment framework
- This aims to align health and care with cyber resilience standards across other sectors
An updated cyber resilience framework for health and social care organisations has been announced by the National Data Guardian (NDG) and NHS England.
The change to how organisations measure and self-report their data security capabilities is part of the Department of Health and Social Care's 'Cyber security strategy for health and social care: 2023 to 2030', which aims to align health and care with cyber resilience standards across other sectors.
Starting from 2 September 2024, the NHS Data Security and Protection Toolkit (DSPT) will gradually transition from using the NDG's 10 data security standards to the National Cyber Security Centre's cyber assessment framework (CAF) as its underpinning assessment mechanism.
Dr Nicola Byrne, the NDG for health and adult social care in England, said: "I fully support this transition to the CAF.
"It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience."
Dr Byrne added that she is committed to supporting NHSE in "maintaining and advancing the highest standards of data security across health and care".
The 10 data security standards were introduced in the NDG’s 2016 review of data security, consent, and opt-outs, with the aim of protecting patient information by encouraging a focus on three key areas: people, process and technology.
A joint statement from the NDG and NHSE, published on 2 September 2024, said: "While these core principles remain fundamental within the CAF, the rapidly changing landscape of technology and cyber threats requires the more advanced approach the CAF provides."
NHSE will notify organisations when it is their turn to transition and guide them through the process. NHS Digital has published CAF-aligned DSPT guidance.
The change follows several high profile cyber attacks which have caused disruption to NHS services.
Pathology provider Synnovis is rebuilding its IT systems, following a cyber attack in June 2024, which led to thousands of patient appointments and operations being postponed across south east London.
Meanwhile, NHS Dumfries and Galloway was the target of a cyber attack in March 2024, in which three terabytes of stolen patient data was published on the dark web by a ransomware group.
The Scottish health board warned almost 150,000 patients to assume that their personal data had likely been stolen and published online following the incident.
In August 2024, NHS National Services Scotland confirmed that a sub-contractor of a third-party supplier to several NHS Scotland boards had experienced a "cyber incident", which led to mobile numbers of NHS staff being compromised.
The King's Speech on 17 July 2024 outlined prime minister Keir Starmer's plans to introduce a new Cyber Security and Resilience Bill, which will expand regulation to cover more digital services and supply chains.