UK Government Sets Out Vision for NHS Cybersecurity

The UK government has published a new strategy designed to boost cyber-resilience in the health and social care sector by 2030, claiming it is key to building a sustainable, patient-centric NHS.

The goal is to help the sector’s disparate organizations improve cyber-risk management, data protection and incident response and recovery – driving trust in digital so that new technologies can be applied confidently.

Although the details will not be ready until summer, the government shared the five pillars of the new strategy, designed to minimize cyber risk and improve incident response:

  • Identify where disruption will cause the greatest harm to patients, such as disruption to critical services
  • Unite the sector to take advantage of scale, tap national resources and expertise, and accelerate response
  • Ensure leaders are engaged, employees know the cyber basics and more security specialists are recruited
  • Embed security into emerging technology to better protect it from cyber-threats
  • Support every health and care organization to minimize the impact of incidents and recovery time

The plan is underpinned by the National Cyber Security Centre (NCSC) Cybersecurity Assessment Framework (CAF), which itself has four objectives: manage risk; protect against attacks; detect security events; and minimize the impact of incidents.

The government cited phishing, automated vulnerability scans and fraud as among the top threats to the sector, but added that ransomware was the number one risk to the NHS and its suppliers.

The NHS is the oldest public healthcare system in the world and one of its biggest employers, with over 1.3 million staff.

Among the cyber-related challenges highlighted by the government are high operational demands 24/7, exacerbated by the pressure put on the health service by COVID and subsequent backlogs. It also pointed to the size and diversity of the sector, supply chain risks, legacy technology, a limited cyber workforce and unclear accountability lines.

The government said it will be outlining activities and defining metrics to build and measure resilience in the sector over the next 2–3 years.