The UK Department of Health & Social Care has released a strategy entitled “A cyber resilient health and adult social care system in England: cyber security strategy by 2030”. The goal of this strategy is to strengthen the cyber security of the NHS over the next seven years. In the foreword, Lord Markham, the Parliamentary Under-Secretary of State, states that in a world increasingly reliant on digital services, protecting those services from cyber attacks, while ensuring citizens’ data is protected, is crucial for patient safety.
The five pillars to achieve this goal are: to focus on the greatest risks and harms; defend as one; people and culture; build secure for the future; and exemplary response and recovery. The strategy envisions a health and social care sector that is resilient to cyber attacks, with organisations better able to manage their cyber risk, protect data, and respond and recover swiftly from cyber attacks.
The document also outlines the desired outcomes of the five pillars. For example, the first pillar aims to create a common understanding of risks, increase visibility of the attack surface, ensure mitigations are proportionate to the threat and potential harm, and set clear minimum standards for areas identified as key risks. The second pillar aims to have health and social care organisations work in partnership on cyber security, set clear expectations of leaders and boards on the risks they are held accountable for, and make full use of available services to respond to the greatest risks and harms for their organisation.
The third pillar aims to have staff equipped with the skills and resources to address the cyber threat at all levels, recognise cyber security as a vital profession in health and social care, and create a just culture of learning and collaboration. The fourth pillar aims to have a system-wide approach to embed cybersecurity into organisational structures and technology. The fifth pillar aims to have a plan to respond and recover from cyber attacks in place, with regular testing and review.
National and regional cyber security teams need to work flexibly to address emerging threats and requirements, including developing horizon-scanning functions. This involves establishing engagement with critical suppliers to ensure their cyber security, improving communication pathways with and across these suppliers, and sharing guidelines to help organisations consistently integrate security into new supplier contracts. Additionally, the teams should adopt the Cyber Assessment Framework (CAF) as the primary cyber standard in the Data Security and Protection Toolkit and collaborate with local government to ensure the toolkit requirements are appropriate for councils and their social care responsibilities. The strategy also recommends setting minimum expectations for IT lifecycle management across health, empowering organisations to tailor their cyber security approach, identifying and engaging with cross-organisational technology teams and organisations to ensure security is considered, and providing clarity on forthcoming policy.
The document emphasises the role of Integrated Care Systems (ICSs) in building secure systems and services by design, regularly engaging with organisations to ensure compliance with standards and frameworks, and establishing a cyber security programme that supports the strategy's objectives with defined milestones and metrics.
To deliver the response and recovery objective, national and regional teams must establish clear incident response and reporting expectations, conduct national incident "dry run" exercises to develop response and recovery plans, collaborate with the National Cyber Security Centre to manage the technical response to a sector-wide attack, deploy Cyber Security Incident Response teams as necessary, investigate and report on lessons learned from cyber incidents to drive improvement, develop national resilience plans to manage the impact of critical national system loss or unavailability, and work with national and regional emergency preparedness and response teams to integrate cyber response and recovery planning into broader response arrangements.
The ICSs' responsibility is to define the response and recovery expectations and responsibilities for member organisations and to ensure that both the ICS and all its members have a rehearsed plan for responding to and recovering from a cyber attack, including managing system downtime during the attack. They should lead ICS-wide dry-run exercises, evaluate the outcomes of those exercises, develop central ICS resilience plans, understand the impact of critical system loss or unavailability, and agree mitigation strategies for such scenarios.
To read the full document, follow the link: here