The Cyber Security and Resilience (Network and Information Systems) Bill has been published, bringing companies that provide IT and cyber services to the NHS under regulation “for the first time”. The Bill introduces duties to report cyber incidents and requirements to maintain cyber mitigation plans.
Given the trusted access these companies hold to critical national infrastructure, government, and business networks, the Bill outlines clear security duties that will need to be met moving forward. “This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences,” the Department for Science, Innovation and Technology states.
Organisations brought into the scope of the Bill will need to report serious cyber incidents to their regulator and the National Cyber Security Centre within 24 hours, share a full report within 72 hours, and promptly notify customers likely to be affected. The scope includes data centres used for patient records, email services, and AI development.
Regulators will be granted new powers to designate critical suppliers to essential services such as healthcare diagnostics, with the aim of closing gaps in supply chains that could be exploited by criminals. Enforcement is also to be “modernised”, with tougher turnover-based penalties for serious breaches, “so cutting corners is no longer cheaper than doing the right thing”.
Phil Huggins, national CISO for health and care at the DHSC, welcomed the Bill as “a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for”, adding: “Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape.”
Accompanying factsheets outline the Bill’s specific provisions for entities including data centres, managed service providers, and digital service providers, along with further guidance on incident reporting, information sharing, designating critical suppliers, and more.
Wider trend: Cyber security
In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved with making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like. As part of the discussion, we were joined by Keltie Jamieson, CIO at Bermuda Hospitals Board; Nasser Arif, cyber security manager at London Northwest Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Ryan Pullen, director of Stripe OLT Consulting.
Guidance from NHS England has outlined ways non-executive directors can help keep their organisation safe from cyber attack, with Jamie Saunders, non-executive chair of the NHS England Cyber Security Risk Committee, noting, “boards throughout the NHS have a key role to play in safeguarding patients from this risk.” The guidance is intended as a resource to help boards understand and manage cyber security risk, explaining how external assessments provide insight, what questions board members should ask themselves, and what questions the board as a whole should ask of the organisation.
NHS England has shared plans to reprocure its cyber operations external attack surface management system, launching a market engagement process. The engagement is intended to brief the market ahead of procurement of a solution to protect internet-facing IT systems against cyber threats, delivered as a national service to NHS organisations. NHS England has outlined that the solution should build on lessons learned from the previous service, helping to reduce cyber risk and improve overall understanding of security weaknesses across the NHS. It should also apply “severity-based prioritisation of remediation” to vulnerabilities and concerns, particularly those affecting exposed assets.