New cyber security strategy for health and social care

The Department of Health and Social Care launched its cyber security strategy for the health and social care sector yesterday. The strategy will apply to adult social care, primary care, secondary care and the wider integrated care system and their integrated care boards, with the aim that they achieve cyber resilience by no later than 2030.

In an increasingly digitised health and social care system – technology and data are critical to providing effective care from diagnostic machines to patient booking systems to digital health records – cyber security is a critical factor to patient safety.

Although the sector’s cyber defences have improved over the past few years and since the WannaCry cyber-attack in 2017, the strategy recognises that the sector “still has further to go” and that it is an “ambitious body of work” but “working collaboratively” across the system will help protect services and patients from future threats in the long term. It says that the most significant cyber threat the sector faces is ransomware causing the “complete loss of clinical and administrative IT systems, resulting in significant disruption to health and social care services…”.

Health and care organisations can expect a full implementation plan to be published in summer 2023 setting out detailed activities and defining metrics to build and measure resilience over the next two to three years. In the interim, integrated care systems are tasked with developing cyber security strategies across their areas and allocating funding to deliver the strategy.

Underpinning the strategy are five pillars with specific asks of ICSs which we’ve set out for reference.

Pillar 1: Focus on the greatest risks and harms

ICSs will

• identify and record risks within their ICS, including supplier cyber risks, that would affect the local system’s ability to function
• engage with a plan at ICS level to mitigate risks, invest and review progress
• ensure cyber risk is reviewed as part of broader corporate risk management
• ensure providers maintain an understanding of their suppliers’ cyber security controls and risks

Pillar 2: Defend as one

ICSs will

• create an ICS-wide cyber security strategy to drive security across the system
• allocate funding to deliver the strategy, establishing governance to review and align plans and ensuring member and wider partner involvement
• align with agreed cyber security standards when using existing and new cross-organisational systems

Pillar 3: People and culture

ICSs will

• develop an appropriately resourced and accountable cyber security function to manage cyber risk
• develop strategies to recruit and maintain an adequate cyber support function through a combination of ICS and organisation resource
• embed cyber security decisions into multi-disciplinary forums across the ICS to ensure a holistic cyber security culture with the support of the ICP
• encourage collaboration across organisations to share good practice and address deficiencies, supported by the ICP highlighting where coordination is needed and holding partners to account on delivering key priorities
• lead by example in implementing a ‘just culture’ at ICS level in approaching any identified cyber vulnerabilities

Pillar 4: Build secure for the future

ICSs will

• build systems and services cyber secure by design, including engaging suppliers on their cyber security in alignment with national engagement
• regularly engage organisations on compliance with standards and frameworks
• develop a cyber security programme underpinning the objectives of the strategy and outline milestones and metrics

Pillar 5: Exemplary response and recovery

ICSs will

• outline responsibilities and expectations of member organisations for response and recovery, as well as for a central accountable function
• ensure the ICS and all members have a rehearsed plan for responding to, managing system downtime during, and recovering from a cyber attack
• engage with and understand outcomes from dry-run exercising and post-incident reviews, identifying and responding to common themes for their ICS
• lead on ICS-wide incident response ‘dry run’ exercising
• develop central ICS resilience with the impact of loss or unavailability of critical ICS-wide systems understood and mitigations agreed

Comment

ICSs will play a central role in the sector’s work to build cyber resilience, but it comes at a time that ICBs are challenged with making 30% efficiency savings so references to recruitment are likely to be problematic when ICBs look to reduce their running costs – most of which is made up of their staff.

There are also several issues around procurement processes which we see as issues that may jeopardise the success of the strategy implementation:

• Providers of health and care will need to bake cyber-security (the security of electronic devices, networks and software) into their procurement processes and documents and their contracts.
• For sector participants that use frameworks to procure, even the frameworks that feature considered security provisions are likely to need to be treated as a ‘starter for ten’ (many will need to be clarified to ensure they align with and support the new strategy).
• The strategy proposes a risk-based approach so that ICBs, Trusts and other ICS participants (for example) identify the key devices and applications that they rely on and particularly focus on securing those. That should drive ICS participants to review their contracts with suppliers that provide or underpin the key devices and applications: some contracts and the tech specifications under them might need to be revised or supplemented to take account of the risk rating.

If you’d like to discuss any of the issues raised here or if you require support with implementing your cyber security strategy do get in touch.