The government is investing £21 million to boost cyber-resilience of 27 NHS trauma centres as an 'immediate priority' and will invest a total of £50 million on data and cyber security this year.
The government aims to ensure that IT systems belonging to the NHS are secure and that patients are better informed on how their information is shared.
Following the WannaCry ransomware attacks which exposed the vulnerability of several IT systems belonging to the NHS, the government has adopted and agreed to implement ten data security standards as suggested by Dame Fiona Caldicott, the National Data Guardian for Health and Care (NDG), in her report titled 'Review of Data Security, Consent and Opt-Outs.'
The government's action plan now includes ensuring the security of IT systems that health and social care organisations use to deliver care, and that patients should be better informed on the basis upon which their information may be shared by NHS institutions.
The action plan also embodies recommendations from the Care Quality Commission (CQC), which proposed a new model for data sharing. The same will be included in the redesigned Information Governance Toolkit from September this year.
The government is, as an immediate priority, investing £21 million to boost cyber-resilience of IT systems belonging to 27 trauma centres that include King’s College, St Mary’s, Royal London and the Manchester Royal Infirmary. Aside from replacing outdated operating systems like Windows XP, the fund will also be used to improve NHS Digital's national monitoring and response capabilities.
The government will also invest a total of £50 million this year to address key structural weaknesses in the health and care system. This is in line with Health Secretary Jeremy Hunt's promise to upgrade all outdated systems by March next year.
The government has directed NHS Digital to use these funds to support new data security standards and introduce health and care organisations to tools that can identify potential vulnerabilities. The government will also work with NHS institutions to assess whether existing frameworks like Cyber Essentials Plus and ISO2700 will meet their particular needs.
The government has also announced that it is now adopting a new approach to data security. While it aims to ensure that sensitive information will be shared securely and appropriately, it will also ensure that patients will be able to make informed choices about how their information will be used and protected.
'By December 2018, people will be able to access a digital service to help them understand who has accessed their summary care record. By March 2020, people will be able to use online services to see how their personal confidential data collected by NHS Digital has been used for purposes other than their direct care,' it added.
Patients will also have the option to opt out of sharing their data beyond their direct care. This will prevent NHS institutions from sharing their data with third parties for experimental purposes or other initiatives. Last week, the ICO found the Royal Free NHS Foundation Trust guilty of sharing personal information of 1.6 million patients with Google DeepMind without adequately informing patients on how their data would be used.
The Trust admitted that it shared 1.6 million 'partial patient records containing sensitive identifiable personal information' with Google DeepMind to 'develop and deploy a new clinical detection, diagnosis and prevention application and the associated technology platform'.
“Better use of information and data has the potential to transform health and care for everyone. However, organizations’ resilience to cyber threats and the unimpeded, safe and secure flow of appropriate information and data across the health and social care system are critical to improving outcomes for all,” said Health Minister Lord O’Shaughnessy.
“People must be confident that systems are secure and robust. Recent incidents, including the May 2017 ransomware attack, which affected many other countries’ services as well as our own health and care system, have shown that the NHS can protect essential services in the face of a cyber-attack, but they have also underlined the need for organizations to implement essential, strong data security standards,” he added.