UK Government to Invest £21m in NHS Cybersecurity

The UK government is to invest £21m in a bid to beef up cybersecurity within the NHS in the wake of the devastating WannaCry cyber-attack that took many of the organization’s services offline and had a detrimental effect on patient care.

Jeremy Hunt, the health secretary, wants the additional money to be used to thwart future malware attacks to ensure operations and appointments are not disrupted in major medical centers.

The £21m will be shared between 27 major trauma centers across England. Hospitals including King’s College, St Mary’s, Royal London and the Manchester Royal Infirmary will all receive funding to update IT systems, improve staff training and raise awareness of how to deal with cyber-threats.

“Better use of information and data has the potential to transform health and care for everyone. However, organizations’ resilience to cyber threats and the unimpeded, safe and secure flow of appropriate information and data across the health and social care system are critical to improving outcomes for all,” said Health Minister Lord O’Shaughnessy.

“People must be confident that systems are secure and robust. Recent incidents, including the May 2017 ransomware attack, which affected many other countries’ services as well as our own health and care system, have shown that the NHS can protect essential services in the face of a cyber-attack, but they have also underlined the need for organizations to implement essential, strong data security standards,” he added.

The investment comes as part of the government’s response to the UK’s National Data Guardian Dame Fiona Caldicott’s review of data security, consent and opt-outs, as well as the subsequent consultation with the public on these issues.

In the Your Data: Better Security, Better Choice, Better Care document, the Department of Health and its partners outline the commitments they have made to ensure data is shared in a safe, secure and legal way.

As well as the £21m of funding towards trauma centers, the commitments include putting the National Data Guardian’s position on a statutory footing, and implementing the UK data protection legislation in May 2018 which will provide a framework to protect personal data and impose more severe penalties for data breaches and reckless or deliberate misuse of information.

The government said it would also aim to determine the fastest and most cost-effective way to support the NHS to move away from unsupported operating systems such as Windows XP. It said it would boost investment in data and cybersecurity above the earmarked £50m identified in the Spending Review to address key structural weaknesses, such as unsupported systems, and increase NHS Digital’s national monitoring and response capabilities.

In addition, the department will enable what it called ‘informed individual choice on opt-outs’ – an area in which it has been embroiled in controversy because of its failed Care.data program, which was criticized for aiming to exploit patient data without consent. It said that NHS Digital would develop and implement a mechanism to de-identify data on collection from GP practices by September 2019, and that by 2018, people should be able to access a digital service to understand who has accessed their summary care record.
