Health and care organisations will have to take measures to improve data protection and security as the Government pledges to adopt a new approach to technology following the WannaCry scandal earlier this year.
Given the mass disruption caused by the cyber attack on the NHS, which exploited unpatched Windows operating systems, it is unsurprising that a key recommendation in the newly published 2017/18 Data Security and Protection Requirements document is:
- Unsupported systems: your organisation must identify unsupported systems (including software, hardware and applications); and
- have a plan in place by April 2018 to remove, replace or actively mitigate or manage the risks associated with unsupported systems.
Other obligations outlined in the report include appointing a named senior executive to be responsible for data and cyber security in each organisation; training all staff in data protection and security; and improving planning and responses to cyber security threats and incidents.
The 13-page document, written by the Department of Health, NHS England and NHS Improvement, sets out the steps all health and care organisations will be expected to take over the next 12 months to demonstrate that they are implementing the 10 data security standards recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care, prior to a new assurance framework coming into place from April next year.
This new Data Security and Protection Toolkit replaces the Information Governance Toolkit and will form part of a new framework for assuring that organisations are meeting their statutory obligations on data protection and data security.
Both the 10 data security standards, and the 2017/18 requirements, apply to all health and care organisations and any other individual or body contracted to provide services under the NHS Standard Contract.
Commenting on the publication, Rob Bolton, director and general manager for Western Europe at Infoblox, told BBH: “As WannaCry demonstrated, vulnerable operating systems and software pose a significant threat to hospital services, with potentially devastating results.
“While there is a significant challenge and cost that must be managed with regards to such a project, the Department of Health is right to encourage NHS trusts to bring updating outdated operating systems up the priority list to ensure they reduce the risk of being hit by a similar attack in the future.
“The first step for many NHS Trusts will be to identify these unsupported or out-of-compliance systems.
“Without accurate asset inventories of what’s on the network, organisations will face the challenge of not being able to patch that which they don’t know exists.”