The Department for Science, Innovation and Technology has outlined plans for the Cyber Security and Resilience Bill, setting out measures to enhance oversight, regulate the supply chain, and progress CAF’s basic and enhanced profiles.
It first looks to bring more entities under the scope of the regulatory framework, to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains”, including interconnectedness, which it states can have “cascading effects on our essential services”. Managed service providers offering core IT services will also be brought into scope, whilst the government is similarly looking to enable regulators to designate “critical suppliers” and to set stronger duties for the supply chain.
The measures also aim to enhance oversight, with a focus on CAF’s basic and enhanced profiles, “making it essential for organisations to follow best practice and easier for them to do so”. According to the statement, this move will “ensure that firms can invest in cyber security with greater clarity on what is required and make it simpler for the regulators to oversee the requirements”.
The Bill will reportedly expand incident reporting criteria, widening the scope of reportable incidents to cover incidents which are “capable of having a significant impact on the provision of the essential or digital service, and incidents that significantly affect the confidentiality, availability, and integrity of a system”, including compromises in data confidentiality, and spyware attacks using firms providing digital services “as a vector to access other organisations”.
A two-stage reporting structure will be introduced requiring regulated entities to notify their regulator and the NCSC of a significant incident within 24 hours, and to submit an incident report within 72 hours. Firms that offer digital services and data centres will also be required to inform customers “who may be affected” of a significant incident.
The Information Commissioner’s Office will also be granted greater information-gathering powers “to assist them in determining the criticality of regulated digital services and their risk-based approach”. Firms providing digital services will be required to provide information to the ICO upon registration, the criteria for the ICO to serve information notices on firms will be expanded, and the ICO will gain new powers to “enforce a failure to register”.
These measures look to ensure the regulatory framework can keep pace with the “ever-changing cyber landscape” by giving the Secretary of State new powers to update the Bill without an Act of Parliament, “to ensure it is current and effective”.
In a ministerial foreword, Peter Kyle, DSIT Secretary of State, acknowledges that whilst the cyber landscape “moves exponentially”, the statement focuses on measures developed “to tackle the threats that we are facing now”, adding: “Our legislative proposals reflect the insights we have gathered from our international partners, including valuable lessons from the European Union on the implementation of its NIS2 regime. They are also informed by consultations conducted by the previous Government in 2022 and 2023.”
Approaches to cyber security from across the NHS
We were joined for a recent HTN Now webinar focusing on sharing best practices around cyber security by an expert panel including Neill Crump, digital strategy director at The Dudley Group NHS Foundation Trust; Nasser Arif, cyber security manager at London North West Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Martin Knight, privileged access management at Imprivata. The session focused on key considerations for NHS organisations in their approach to cyber security: assessing cyber security maturity, good cyber security practice, the challenges in this area and tips to overcome them.
The European Commission recently published an EU action plan developed to guide hospitals and healthcare providers in increasing their cyber security. Referring to the plan as “an important step in shielding the healthcare sector from cyber threats”, the commission focuses on enhancing threat detection, preparedness and response capabilities of hospitals and health providers.
North West London ICS’s latest board meeting shared insights into developments in the region, including challenges around cyber resilience, digital in primary care, an update on its digital programmes and progress towards integrated neighbourhood teams. The ICB noted its application for £1.15 million in NHSE Cyber Risk Reduction funding, not yet received; the ongoing development of NWL’s cyber strategy, with a target completion date of the end of the financial year; continued progress around the London Shared Care Record; and optimisation work around its acute provider EPR.