This Palo Alto Networks blog looks at the significant changes coming in cybersecurity for the NHS. We explore:
- The background and context of the changes
- A summary of the new cybersecurity requirements
- Other changes related to cybersecurity in the NHS
- Palo Alto Networks recommendations
In July 2017, the U.K. Department of Health issued a report that will radically change cybersecurity requirements related to personal health data for U.K. healthcare providers. “Your Data: Better Security, Better Choice, Better Care” is the department’s response to two reviews it had commissioned that were issued last year: the National Data Guardian for Health and Care’s “Review of Data Security, Consent and Opt-Outs” in June 2016, and the Care Quality Commission’s review, “Safe Data, Safe Care” in July 2016. The NDG examined data security and data sharing in the health and social care system, while the CQC reviewed current approaches to data security across the NHS. Each report provides multiple recommendations, all of which the Department of Health fully supports and plans to implement, bringing myriad new cybersecurity obligations for U.K. healthcare professionals. The NDG report also includes government decisions related to consent for patient data and new “opt-out” requirements. This blog is focused on the cybersecurity portion of the NDG report.
The Department of Health’s decision to issue new cybersecurity obligations is in the context of a range of factors. While its report acknowledges the widespread benefits resulting from the technological transformation of healthcare (including accelerated diagnostics and treatment, disease prevention, improved patient safety and research breakthroughs), the digitisation of patient data brings accompanying risks and a responsibility to keep systems and data secure. The department cited the recent global WannaCry ransomware attack of May 2017, which affected services including those in the NHS, as reaffirmation of the potential for cyber incidents to directly impact patient care.
The potential risks will only grow. Per the CQC report, data held by the NHS and the Information Commissioner’s Office show the scale of digital data transactions in the U.K.: the year up to 31 May 2015 recorded 6.5 billion data transactions across the whole NHS network. The NHS’ ambition is that by 2018, every citizen will be able to access their full health records online, and the NHS also has committed to making patients’ records “largely paperless” by 2020. These changes will increase the cyber risks related to the U.K. health system.
As the Department of Health states in its report’s foreword, the healthcare sector is extremely important to the U.K. economy. The country has global leadership in research related to treatment, for example. A secure healthcare sector is important not only to patient care but also to U.K. economic growth, and will contribute to the government’s goal of creating a U.K. that is “secure and prosperous in the digital age” per the U.K.’s 2016 National Cyber Security Strategy, as highlighted in this Palo Alto Networks blog.
The New Cybersecurity Requirements
The new requirements for NHS organisations are summarised below and can be found in Annexes A, B, and D of the Department of Health’s report.
Annex A lists the NDG report’s nine cybersecurity-related recommendations and the Department of Health’s responses and plans (Annex A also lists 11 data sharing and opt-out recommendations, which are not the focus of this blog). These nine include:
- New requirements for executives and boards. The government stresses that strong board leadership must view and prioritise data security as equal in importance to financial integrity and clinical safety. NHS Improvement will publish a new “Statement of Requirements” clarifying required action for local organisations, to which CEOs must respond with annual “Statements of Resilience” confirming essential action has been taken. This will include the requirement that each organisation name an executive board member responsible for data and cybersecurity. (The Statement of Requirements was due out in summer 2017, but has been delayed).
- Plans to require evidence of cybersecurity efforts through a redesigned Information Governance Toolkit, due out by April 2018. The redesigned toolkit will measure the extent to which individual organisations have embedded the ten new data security standards referenced below and use this as part of a scorecard to assess organisational “cyber capability”.
- Plans to increase penalties for breaches.
Annex B provides the Department of Health’s responses to the CQC recommendations. These include plans to include data security in the CQC’s inspections.
Annex D lists the 10 new mandatory data security standards proposed by NDG, which will be audited by the CQC. The first inspections of NHS trusts will begin in September 2017, with GPs and adult social care providers to be assessed starting in November 2017. The CQC inspection framework will be further developed by April 2018 as measures are rolled out. The Department of Health notes that the standards are designed to be fit for purpose now and in the future, and that organisations will be expected to understand and respond to changing and emerging threats.
The Department of Health acknowledges that making these changes will take time and resources and plans to make help available in terms of money and expertise. The U.K. government is targeting an initial £21 million of capital funding in 2017–18 to increase the cyber resilience of the 27 major trauma centres (on top of the £50 million identified in the Spending Review to address key structural weaknesses). NHS Digital will enhance the CareCERT suite of services (broadcasting of threat alerts, supporting threat mitigation, analysis of cybersecurity capabilities and other services) to further support health and care organisations, and plans to leverage the cybersecurity expertise of the National Cyber Security Centre.
These are not the only new cybersecurity-related changes the U.K. healthcare sector can expect in the near future. The U.K. is working on a new Data Protection Bill that was presented to Parliament for consideration on 14 September. This bill will update U.K. data protection laws and serve to implement the EU’s General Data Protection Regulation, or GDPR, which includes personal data breach notification requirements with accompanying administrative fines of up to €10,000,000 or 2 per cent of global turnover for noncompliance. In addition, the U.K. is in the process of implementing the EU’s Network and Information Security Directive, which all EU countries must implement by May 2018. The NIS Directive includes the healthcare sector, with the NHS named as an Operator of Essential Services, and imposes security and incident notification requirements upon such operators. The U.K.’s proposed approach to implementing the NIS Directive (currently out for consultation through 30 September) suggests potential fines on par with the GDPR. The U.K. will implement both GDPR and the NIS Directive despite its departure from the European Union. It has stated that it remains a full member of the EU until Brexit negotiations are concluded and will continue to apply EU legislation, including the GDPR and NIS Directive, both of which go into effect in all EU member states as of May 2018.
The Imperative of Secure Healthcare
Palo Alto Networks agrees that cybersecurity in healthcare is an essential yet growing challenge. We work with healthcare organisations around the world to help them enhance their cybersecurity posture and prevent successful cyberattacks. As in the U.K., hospitals in the United States, for example, face new challenges from complex security regulations. We have written extensively about best practices to consider for effective protection of today’s healthcare networks, to help prevent threats to connected medical devices, patient data and overall patient care.
On a more general level, like the Department of Health and other U.K. agencies, such as the NCSC, we believe cybersecurity is a business issue, not simply an IT issue, and should be elevated to C-suite and board level. Palo Alto Networks is helping to bring this message through our recent book, “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – United Kingdom”, written and released in conjunction with thought leaders from the U.K. public and private sectors. The book is an anthology of best practices, with advice from CEOs, Chief Information Security Officers, lawyers, forensic experts, consultants, and current and former U.K. government officials on issues such as compliance, business enablement, breach avoidance and response. We believe this book could be a useful resource to the NHS and its boards, which now have new obligations related to cybersecurity.
Next Steps and Recommendations
These forthcoming obligations may seem overwhelming, complex and time-consuming for NHS organisations, but Palo Alto Networks is committed to helping U.K. healthcare organisations embrace the digital world safely and protect their business operations, patient data, and patients from successful cyberattacks.
Consider the following focus areas as you assemble a plan of action to exceed the aforementioned cybersecurity requirements:
- Document and implement a Risk Management Framework that addresses each of the “10 Steps to Cyber Security”, according to the National Cyber Security Centre (see below for infographic). Every healthcare organisation should periodically review its progress in each of these categories to ensure compliance.
- Read through the U.K. government’s Cyber Essentials Scheme for an example of a simple risk management framework that supports the 10 Steps to Cyber Security. Palo Alto Networks Next-Generation Security Platform directly supports many of the recommendations outlined in this document – namely those related to network security, malware prevention and monitoring.
- Connect with your peers at other health organisations and the experts in cybersecurity at NHS Digital to understand what cybersecurity strategies are working elsewhere (and those that are not working so well).