Wrapping up a year in healthcare: WannaCry, NHS Digital and the General Data Protection Regulation (GDPR)

2017 has seen a substantial increase in cyber attacks affecting healthcare organisations. One of the most notable incidents this year was the WannaCry ransomware attack, which is estimated to have affected 300,000 victim machines. Within the NHS, the attack led to the cancellation of an estimated 14,778 patient appointments.

Despite the publicity around the WannaCry ransomware attack, this was not the only incident affecting healthcare organisations or patient data. In the first half of 2017, Gemalto’s Breach Level Index reported that healthcare organisations experienced 228 data breaches, resulting in 31 million stolen records.

Given the threat of a cyber attack to healthcare and the impact that this can have on the delivery of care, a recent report indicated a potentially worrying lack of preparedness among healthcare organisations:

  • 22% of healthcare IT professionals surveyed reported the presence of Windows 7 on their network. Windows 7 machines accounted for the majority of WannaCry infections, although the operating system itself was not the weakness: the worm spread through an SMBv1 vulnerability that Microsoft had fixed in the MS17-010 update of March 2017, so the real exposure is any unpatched host with SMBv1 enabled.
  • 23% of UK healthcare IT professionals are ‘not confident’ in their organisation’s ability to respond to a cyber attack.
  • 26% of the healthcare IT professionals surveyed reported that their organisation would be “willing to pay a ransom in the event of a cyberattack.”
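The survey figures above say nothing about whether those Windows 7 hosts are actually exposed. The following PowerShell script is an added example, not code from the original post or from NHS Digital, that answers the two questions WannaCry turned on for a single host: is SMBv1 still enabled, and is the MS17-010 fix installed? The KB numbers and the patched srv.sys build are the Windows 7 SP1 / Server 2008 R2 values from Microsoft's MS17-010 file information; they are assumptions of this example and do not apply to other Windows versions, which the script flags rather than guesses at.

```powershell
# Added example (not from the original post): per-host check for the WannaCry exposure.
# WannaCry spread via the SMBv1 flaw fixed by MS17-010 (March 2017), so the condition to
# find is "SMBv1 enabled AND fix missing". Run as a local administrator on the host.
# Assumptions: the KB numbers and srv.sys build below are the Windows 7 SP1 / Server 2008 R2
# values from the MS17-010 KB article; check the article for other builds.

$Ms17010Kbs    = @('KB4012212', 'KB4012215')  # security-only update and monthly rollup, March 2017
$PatchedSrvSys = [version]'6.1.7601.23689'    # srv.sys shipped by MS17-010 for Windows 7 SP1 / 2008 R2

function Get-Smb1State {
    # Windows 7 / 2008 R2 have no Get-SmbServerConfiguration cmdlet; Microsoft documents the
    # LanmanServer\Parameters\SMB1 registry value instead (absent or 1 = enabled, 0 = disabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return 'enabled (default)' }
    if ($val -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Test-Ms17010Installed {
    # A direct hit on the March 2017 updates is conclusive...
    if (Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue) { return $true }
    # ...but a later cumulative rollup also contains the fix without listing those KBs,
    # so fall back to the driver that was actually patched rather than trusting KB names alone.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    if (-not $srv) { return $false }
    $ver = [version]($srv.VersionInfo.FileVersion.Split(' ')[0])
    return ($ver -ge $PatchedSrvSys)
}

$os = [Environment]::OSVersion.Version
if (-not ($os.Major -eq 6 -and $os.Minor -eq 1)) {
    Write-Warning "Reference values are for Windows 7 SP1 / 2008 R2 (6.1); this host is $os. Adjust KBs and srv.sys build before trusting the result."
}

$smb1    = Get-Smb1State
$patched = Test-Ms17010Installed

# New-Object rather than [pscustomobject] so the script also runs on the PowerShell 2.0 that Windows 7 ships with.
New-Object PSObject -Property @{
    Host    = $env:COMPUTERNAME
    OS      = (Get-WmiObject Win32_OperatingSystem).Caption
    Smb1    = $smb1
    Ms17010 = $patched
    Exposed = (($smb1 -like 'enabled*') -and (-not $patched))
} | Format-List
```

Disabling SMBv1 on Windows 7 means setting that SMB1 registry value to 0 and restarting the server service; on a fleet, the same two functions can be run through Invoke-Command or a login script and the Exposed flag collected centrally, which is the inventory the survey percentages stand in for.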

Managing threats in healthcare

In light of emerging threats, as well as recommendations from the National Data Guardian review, the Department of Health and NHS England released guidance this year on the Data Security and Protection (DSP) Toolkit, which is due to replace the Information Governance (IG) Toolkit from April 2018.

Since November 2017, the DSP Toolkit has been piloted with 500 health and care organisations, and access for all health and social care organisations is due in January 2018.

As the national provider of IT networks and systems for health and social care, NHS Digital has developed frameworks to manage current and future security threats.

As a part of that, NHS Digital has recently revealed a plan to release £20m of funding to improve data security across the service. The investment will “provide enhanced monitoring of national services across health and care” and will boost existing NHS Digital services.

Dan Taylor, head of the digital security centre at NHS Digital, explained that it will improve “current capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software” and “improve [NHS Digital’s] ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats”.


Planning for the GDPR

A ‘hot topic’ in cyber security is the introduction of the GDPR. The GDPR will come into effect in May 2018 and will extend the data rights of individuals. Healthcare organisations will need to examine the scope of information that they process and take appropriate measures to comply with the Regulation.

Policy and guidance for NHS organisations is being developed by the GDPR working group, chaired by NHS England. In addition, NHS Digital will develop a checklist to support organisations looking to implement the GDPR’s requirements. Compliance with this checklist will be a requirement of the DSP Toolkit.

Organisations will need to assess their current level of compliance with the Regulation in order to identify and prioritise the key areas that they must address by May 2018. IT Governance works with organisations at all stages of the compliance process, regardless of size or complexity, to deliver expert solutions.


Healthcare and industry partnerships: managing relationships

As part of its 2017-18 business plan, NHS Digital has highlighted the role of industry partners in the delivery of its core agenda and will be working towards more strategic relationships with suppliers. Information governance and accountability will need to be deeply embedded in these relationships.

This is formally recognised in the DSP Toolkit, “Leadership Obligation Three – Technology”, which states that NHS organisations should “ensure that any supplier of IT systems (including other health and care organisations) and the system(s) provided have the appropriate certification”.

For other suppliers to the NHS, demonstrable certification to cyber security standards is a competitive advantage. NHS Digital’s best-practice “Supply Chain Security” policy expects organisations to meet many of the requirements of cyber security certifications such as Cyber Essentials or ISO 27001 in order to be suitable as an NHS supplier.

For more information and solutions to governance, risk and compliance challenges, visit our dedicated healthcare website.