The Department for Health and Social Care (DHSC) has published a new strategy to bolster cyber resilience in the UK’s health and social care services.
The strategy sets out a five-pillared approach to cybersecurity that will run until 2030. It focuses on protecting health services from cyber attacks and keeping sensitive data protected.
“Working towards a cyber resilient health and social care sector is a significant challenge. The sector is made up of complex, interdependent systems with different risks and needs,” Health Minister Lord Markham said.
“This strategy will shape a common purpose across health and social care against the most critical of those risks. It sets out an approach that will be applicable across health and social care systems including for adult social care, primary care, and our critical supply chain as well as for secondary care.”
The first of the five pillars is to develop a common understanding of risks and how they may vary across the sector. This will include finding a common language to measure risk, gathering data to build a system-wide threat picture and setting minimum standards for areas identified as risks.
The second is to leverage NHS capability, technologies and scale in a way which can also improve the cyber resilience environment for the wider sector. This requires health and social care organisations to work in partnership on their cybersecurity, sharing data, learning and resources to improve sector-wide resilience.
The third is to embed a culture of cybersecurity by ensuring leaders are engaged with cyber services, growing the cyber workforce and offering cyber training to staff.
Fourth is to engage with new technologies, set standards for how they are built and implemented, and embed security into their governance frameworks. Steps involve engaging with critical suppliers, developing pathways to improve communications with them when responding to cyber threats and embedding the Cyber Assessment Framework into the Data Security and Protection Toolkit.
Fifth is ensuring that all organisations are equipped to minimise the impact of a cyber incident. This involves publishing expectations for incident response and reporting and carrying out ‘dry run’ exercises to practise responding to and recovering from a cyber attack.
The DHSC is planning to release an implementation plan by summer 2023, setting out planned activity for the next two to three years to support meeting the aims and goals of this strategy.
Next steps also involve providing funding for local cyber resources with national training support by 2025 and carrying out a review of cyber security in adult social care.