NHS England to adopt new cyber security framework

  • 3 September 2024
  • NHS England and the National Data Guardian have announced an updated cyber resilience framework for health and social care organisations
  • The NHS Data Security and Protection Toolkit will transition to using the National Cyber Security Centre’s cyber assessment framework
  • This aims to align health and care with cyber resilience standards across other sectors

An updated cyber resilience framework for health and social care organisations has been announced by the National Data Guardian (NDG) and NHS England.

The change to how organisations measure and self-report their data security capabilities is part of the Department of Health and Social Care’s ‘Cyber security strategy for health and social care: 2023 to 2030’, which aims to align health and care with cyber resilience standards across other sectors.

Starting from 2 September 2024, the NHS Data Security and Protection Toolkit (DSPT) will gradually transition from using the NDG’s 10 data security standards to the National Cyber Security Centre’s cyber assessment framework (CAF) as its underpinning assessment mechanism.

Dr Nicola Byrne, the NDG for health and adult social care in England, said: “I fully support this transition to the CAF.

“It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience”.

Dr Byrne added that she is committed to supporting NHSE in “maintaining and advancing the highest standards of data security across health and care”.

The 10 data security standards were introduced in the NDG’s 2016 review of data security, consent, and opt-outs, with the aim of protecting patient information by encouraging a focus on three key areas: people, process and technology.

A joint statement from the NDG and NHSE, published on 2 September 2024, said: “While these core principles remain fundamental within the CAF, the rapidly changing landscape of technology and cyber threats requires the more advanced approach the CAF provides.”

NHSE will notify organisations when it is their turn to transition and guide them through the process. NHS Digital has published CAF-aligned DSPT guidance.

The change follows several high-profile cyber attacks which have caused disruption to NHS services.

Pathology provider Synnovis is rebuilding its IT systems, following a cyber attack in June 2024, which led to thousands of patient appointments and operations being postponed across south east London.

Meanwhile, NHS Dumfries and Galloway was the target of a cyber attack in March 2024, in which three terabytes of stolen patient data was published on the dark web by a ransomware group.

The Scottish health board warned almost 150,000 patients to assume that their personal data had likely been stolen and published online following the incident.

In August 2024, NHS National Services Scotland confirmed that a sub-contractor of a third-party supplier to several NHS Scotland boards had experienced a “cyber incident”, which led to mobile numbers of NHS staff being compromised.

The King’s Speech on 17 July 2024 outlined prime minister Keir Starmer’s plans to introduce a new Cyber Security and Resilience Bill, which will expand regulation to cover more digital services and supply chains.
