NHS Digital, the organisation entrusted with using digital technology to transform the NHS and social care, recently deemed an NCSC-recommended Cyber Essentials Plus standard for hospitals and GPs as ‘not value for money’ as implementing the standard could cost the NHS between £800m and £1bn.
The Cyber Essentials Plus standard was prepared by NHS chief information officer Will Smart and recommended by the National Cyber Security Centre after NHS institutions across the UK bore the brunt of WannaCry ransomware attacks in April. In a review of the NHS' cyber security credentials, Mr. Smart said that the standard "should be the minimum bar that all health and social care organisations must meet."
Cyber Essentials Plus considered too expensive
The National Cyber Security Centre and the National Data Guardian Review have recommended that all organisations achieve Cyber Essentials Plus certification by 2021. The standard was also part of NHS England's 2017/18 Data Security and Protection Requirements, which the body wanted all healthcare organisations, both public and private, to implement by April this year.
Aside from requiring healthcare organisations to train staff on information governance, report security incidents to CareCERT, act on high severity CareCERT advisories within 48 hours, undertake on-site cyber and data security assessments and remove, replace or actively mitigate or manage the risks associated with unsupported systems, the DSPR also mandated institutions to check whether IT systems suppliers had appropriate certification like Cyber Essentials Plus, Digital Marketplace or ISO/IEC 27001:2013.
Since Cyber Essentials Plus certification allows a healthcare institution to demonstrate that it has tools in place to prevent or detect cyber incidents, it is considered essential for a healthcare institution to secure NHS contracts.
Via a Freedom of Information request, Health Service Journal recently learned that NHS Digital has decided not to adopt Cyber Essentials Plus, because adopting it would not be "value for money": it would cost the NHS between £800m and £1bn.
Instead, according to a spokesman for the DHSC, while over £60 million has been invested so far to address key cyber security weaknesses in NHS hospitals and GPs, the department is planning to spend a further £150 million over the next two years.
NHS Digital devoting funds to Data Security Centre
In September, NHS Digital issued a tender valued between £700,000 and £850,000 for the creation of a cyber design authority team to support expanded data security centre responsibilities. It also issued a tender worth between £1.5 million and £1.65 million for the supply of a Project Management Office (PMO) and a Security Demand & Supply Management (SDSM) Team that would support an expanded Data Security Centre.
According to NHS Digital, the Data Security Centre enables the safe and secure use of data and technology by healthcare organisations to manage cyber security risk and to deliver improved patient care. The centre issues a range of cyber security threat notifications to health and care organisations, helps organisations to assess their data and cyber security practices, and undertakes a range of national and local monitoring services, designed to identify vulnerabilities, uncover suspicious behaviour and block malicious activity.
Recently, NHS Digital entered into a three-year strategic partnership with IBM to provide a range of services to healthcare organisations and to enhance NHS Digital’s capability to monitor, detect and respond to a variety of security risks and threats across the NHS.
"This partnership will enhance our existing Cyber Security Operations Centre which is delivered from NHS Digital’s Data Security Centre. It will give us, during times of increased need, the ability to draw on a pool of dedicated professionals from IBM.
"It will build on our existing ability to proactively monitor for security threats, risks, and emerging vulnerabilities, while supporting the development of new services for the future and enabling us to better support the existing needs of local organisations. This will ensure that we can evolve our security capability in line with the evolving cyber threat landscape," said Dan Taylor, Programme Director of the Data Security Centre at NHS Digital.