Not long after the National Audit Office pulled up the NHS for failing to respond effectively to the WannaCry ransomware attack in May, NHS England has announced its new 2017/18 Data Security and Protection Requirements.
As per NHS’ new data security requirements, healthcare organisations must remove, replace, or mitigate risks from unsupported systems by April next year.
The new Data Security and Protection Requirements come with a number of recommendations that healthcare organisations, both public and private, need to implement by April 2018. The data security requirements include changes to the technologies used by such organisations, the need to hire information security officers, and acting on CareCERT advisories within 48 hours.
According to NHS England, the new set of data security requirements will help healthcare organisations in the UK prepare for a new assurance framework coming into place from April 2018.
The ten data security requirements that are part of the new checklist are as follows:
1. A named senior executive who will be responsible for data and cyber security.
2. Completion of level 2 of the current Information Governance Toolkit. This will help the NHS measure organisations’ progress against the 10 data security standards when the IG Toolkit is replaced by the new Data Security and Protection Toolkit from 2018-19.
3. Implementing GDPR requirements to ensure legal obligations are met in advance.
4. Information governance training to be imparted to all staff.
5. Acting on high severity CareCERT advisories within 48 hours.
6. A comprehensive business continuity plan must be in place to respond to data and cyber security incidents.
7. Reporting data security incidents to CareCERT in line with reporting guidelines.
8. Remove, replace or actively mitigate or manage the risks associated with unsupported systems by April 2018.
9. Undertake on-site cyber and data security assessments and act on the outcome of such assessments.
10. Checking whether IT systems suppliers hold appropriate certification, such as Cyber Essentials Plus, Digital Marketplace or ISO/IEC 27001:2013.
If healthcare organisations, both public and private, are able to meet the requirements by April next year, they will not only be ready to comply with the GDPR but will also be prepared for the more stringent data security standards expected in the coming years.
‘Unlike more traditional enterprises, many healthcare organisations fear that the specialised legacy equipment and software may not run on more modern releases. This has resulted in a slower shift towards more modern operating systems in some organisations, where there are concerns about potential disruption to ongoing patient care if these critical solutions were to be disrupted,’ says Rob Bolton, Director and GM for Western Europe at Infoblox.
‘The first step for many NHS Trusts will be to identify these unsupported or out of compliance systems. Without accurate asset inventories of what’s on the network, organisations will face the challenge of not being able to patch that which they don’t know exists,’ he adds.
Last week, the National Audit Office, in a scathing commentary, noted that the spread of the WannaCry ransomware could have been curtailed had NHS organisations followed proper IT security guidelines.
NHS Digital conceded to the National Audit Office that all NHS trusts and organisations impacted by the ransomware attack ‘had unpatched, or unsupported Windows operating systems’. However, the office concluded that had such organisations managed their Internet-facing firewalls, they would have guarded their systems against infection.
‘The fundamental question facing the NHS now is what actions to take. Does it focus on improving patient care, ensuring adequate staffing levels, and maintaining the essential physical infrastructure to meet immediate healthcare needs? Or does it improve non-essential IT infrastructure that can always be replaced by good old-fashioned pen and paper?’ said Thomas Fischer, threat researcher and global security advocate at Digital Guardian.
‘What is clear from reviewing this report is that the NHS’s approach to IT management will have to change, one way or another. Two obvious areas to start would be improving user training and awareness of cybersecurity, and ensuring that there is enough available infrastructure to allow systems to be upgraded or patched on a rolling schedule without negatively impacting productivity,’ he added.