Somerset ICS has published its latest board papers, which include an update on its cyber security strategy. The strategy sets out five objectives for reducing cyber risk across digital healthcare in the system.
The strategy aims to ensure that all organisations within the ICS are “compliant with the Network and Information Security Regulations by prioritising the protection of the operation of its essential healthcare functions”, while also reducing the likelihood and impact of cyber-attacks.
Five objectives are outlined in order to achieve this: developing and embedding a cyber aware culture; improving cyber risk visibility and management; building robust third-party assurance; prioritising collaboration; and ensuring ongoing resilience.
The first objective focuses on improved governance, clear accountability and regular awareness campaigns, with a strong emphasis on staff training to improve understanding of cyber risk. The ICS notes that some of its organisations already have cyber governance in place, but that “this isn’t coordinated through a formalised governance structure”; it therefore plans to create a “formal cyber group” with clear mandates from 2026.
On training, the ICS recognises that each organisation currently runs its own training, largely uncoordinated and not standardised. It plans to carry out a “training needs analysis” to identify staff risk levels and skill levels, and then to deliver tailored training courses through standardised providers, in line with the Data Security and Protection Toolkit’s alignment to the Cyber Assessment Framework (DSPT-CAF).
For the second objective, the strategy sets out plans to adopt a “common risk language” across all ICS organisations, giving clear visibility and a shared understanding of cyber risk. It also plans a shared board-level and operational dashboard that can show system-wide risks; improve understanding, prioritisation and monitoring of systems; and align risk management processes.
Objective three covers building robust supply chain assurance through a “regularly reviewed” list of ICS suppliers who meet a defined set of cyber security standards and requirements. This part of the strategy requires that ICS critical suppliers are centrally managed and that a “single 3rd party supplier management tool is used by all organisations within the ICS”.
Prioritising collaboration is the focus of the fourth objective, with plans to create a virtual cyber team providing 24-hour reactive support for risk management. There is also a focus on developing a common platform that “facilitates the sharing of knowledge, lessons and best-practices”.
Objective five looks at ways to ensure ongoing resilience through regular testing and the implementation of “fundamental technical cyber security controls and practices”, such as multi-factor authentication (MFA). There are further plans to develop centrally managed, organisation-level cyber security programmes aimed at “reducing ICS risk exposure” and “improving alignment” on policies.
The key takeaway across all five objectives is the need for common processes and policies that can be implemented across the ICS organisations, so that staff have “a similar experience irrespective of what organisation they are employed by”.
The ICS also highlights that cyber security is integral for all system partners, describing it as a “fundamental building block” of the wider Digital, Data and Technology (DDaT) strategy.
Read the full Somerset ICS Cyber Security Strategy to find out more.
Cyber security: wider trend
Over on LinkedIn, we asked our audience what the biggest priority should be for health and care cyber security: board-level buy-in, workforce education, funding and resources, or mandating supplier compliance. Top spot was shared between funding and resources and mandating supplier compliance, each attracting 34 percent of the vote.
In November, NHS England opened a market engagement stage, ahead of an upcoming NHS Cyber Risk Rating Platform tender, designed to support NHS organisations to “better understand their security posture” and their management of threats that could impact on operations and organisational data.
We also recently reported that Cheshire and Merseyside ICS selected Cynerio’s Healthcare Cybersecurity Platform for implementation at all 17 trusts within its footprint, as part of the ICS’s investment in defences to better protect patient data, minimise vulnerabilities and reduce disruptions to care.
Don’t miss out! HTN is delighted to announce the launch of the HTN cyber security professional network, designed to facilitate the sharing of best practice and ideas, and to discuss challenges, approaches, learning and reflections around cyber security in the NHS. The network extends our current programmes on cyber security, aiming to connect peers across the industry through closed online discussions. Learn more about the first planned session and how to join here.