This article is part of our Essential Guide: Healthcare cybersecurity risks and management

Government launches seven-year NHS cyber strategy

The new Cyber Security Strategy for Health and Adult Social Care lays out a plan for promoting cyber resilience in the sector by 2030 to protect services and patients alike

The Department for Health and Social Care has launched a cyber security programme designed to enhance cyber resilience across the NHS and the social care sector in England over the next seven years, supposedly protecting vital services and the patients who rely on them.

The Cyber Security Strategy for Health and Adult Social Care, which forms part of a wider programme of work centred on building a “stronger, more sustainable NHS”, is built on five core pillars that the government hopes will both minimise the risk of cyber security incidents in the first place, and improve response and recovery should one occur.

These pillars are as follows:

  • To identify areas of the health and social care sector where cyber disruption would cause the most harm to patients, through data breaches or service downtime;
  • To unifying the sector to help its various constituent bodies take advantage of economies of scale, and benefit from national cyber resources and expertise, to help them respond faster to incidents and minimise disruption;
  • To enhance the sector’s security culture to engage leaders and grow the cyber workforce, and to enhance training for frontline clinicians and carers, and other staffers;
  • To embed security into the framework of emerging technology being taken up within the sector;
  • And to support health and care organisations to minimise the incident of, and recovery time from, cyber incidents when they happen.

The programme will also see enhancements made to NHS England’s existing Cyber Security Operations Centre (CSOC), the production and publication of a data-led landscape review of cyber security in adult social care, and updates to the Data Security and Protection Toolkit (DSPT) to help organisations own their cyber risk.

“We’re harnessing the power of technology to deliver better, safer care to people across the country – but, at the same time, it’s crucial we’re also bolstering the defences of our health and care services,” said health minister Nick Markham, Baron Markham.

“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future. This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.”

The health sector is currently experiencing a rapid transformation in how people use technology to access services and information – more than 40 million people now have an NHS login to book appointments, track referrals and manage medication, and over half of providers now use digital social care records.

As such, said the government, it is vital that the sector is able to protect these resources from malicious actors, and it believes the new strategy will prove a great help in enhancing its cyber resilience, which has already come on in leaps and bounds since the 2017 WannaCry incident.

NHS Trusts already benefit from a direct link to NHS England’s Cyber Security Operations Centre, which delivers real-time protection from suspicious activity to almost two million devices, and blocks approximately 21 million potentially dangerous emails every month.

An implementation plan setting out the proposed activity over the coming years is scheduled to be published during the summer of 2023.

Douglas McKee, principal engineer and director of vulnerability research at Trellix, said: “The healthcare industry is a core part of our critical infrastructure, entrusted with protecting lives and patient data. Despite this, healthcare systems are often outdated and run on legacy software, meaning they are an easy target for threat actors and are particularly vulnerable to attack. In fact, our recent research has found the healthcare sector has become the most prominent ransomware target, representing 16% of global attacks in Q4 2022.

“A successful breach could have a devastating impact on the healthcare industry, with the potential to compromise sensitive patient data or prevent healthcare professionals from providing necessary care. Amid rising risks, it is therefore crucial for healthcare organisations to enhance their security practices.

“With over half (54%) of security professionals in the healthcare sector believing organisations are held back by the limitations of their existing cyber security infrastructure – overhauling legacy systems and bolstering security measures is imperative.”

Read more about security in healthcare

Read more on Privacy and data protection