NHS Cyber Security Governance Update
The National Health Service (NHS) England, in collaboration with the National Data Guardian (NDG), has today announced a new cyber resilience framework for health and social care organisations. This framework aims to align NHS cyber security standards with those across other sectors.
The change is part of the Department of Health and Social Care’s 2023-2030 cyber security strategy.
Starting 2 September 2024, the NHS Data Security and Protection Toolkit (DSPT) will begin transitioning from the NDG’s 10 data security standards to the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its core assessment framework.
The initial phase will affect a select group of large organisations, with others following gradually. The CAF-aligned DSPT is set to focus on achieving outcomes rather than simply passing security controls, allowing organisations to tailor their approach to their specific needs, according to the original statement.
This change comes in response to several high-profile cyberattacks that have disrupted NHS services.
One notable incident occurred in June 2024 when pathology provider Synnovis was hit by a cyberattack. The attack resulted in the postponement of thousands of patient appointments and operations across south east London as the company worked to rebuild its IT systems.
In March 2024, NHS Dumfries and Galloway fell victim to a ransomware attack. The attackers stole three terabytes of patient data and published it on the dark web. This incident prompted the health board to warn nearly 150,000 patients that their personal information may have been compromised.
In August 2024, another cyber incident affected a sub-contractor of a third-party supplier to several NHS Scotland boards. The attack resulted in the compromise of mobile numbers belonging to NHS staff.
These attacks highlight the increasing vulnerability of healthcare organisations to cyber threats. As reliance on digital systems grows, it is imperative for these organisations to invest in robust cybersecurity measures to protect patient data and ensure the continuity of essential services.