
Government to invest £21m in beefing up NHS data and cyber security

David Bicknell Published 13 July 2017

Response to WannaCry attacks and National Data Guardian’s review includes £21m capital fund for major trauma centres and NHS contract change requiring organisations to adopt data security standards including contingency plans to respond to data security threats


The government has announced a major investment in data and cyber security in the wake of the recent WannaCry cyber attack in May 2017 and in response to National Data Guardian Dame Fiona Caldicott’s review of data security, consent and opt-outs.

It is a response to the recognition that cyber incidents such as WannaCry have the potential to impact directly on patient care, and that there is a need for the health and care system to “act decisively to minimise the impact on essential front-line services”.

The measures, which include a new £21m capital fund for major NHS trauma centres, are outlined in the government’s Your Data: Better Security, Better Choice, Better Care document.

The document also announces that to strengthen the safeguarding of information, the National Data Guardian’s position will be put on a statutory footing with stronger sanctions introduced by May 2018 to protect anonymised data, including severe penalties for negligent or deliberate re-identification of individuals.

The response also announced plans to give patients and the public more access to, and control over, their personal data; build confidence in the importance of secure data to provide better individual care and treatment; and support research and planning across the health system.

To mitigate the immediate cyber security risks, the government said work is underway in parallel to determine the fastest and most cost-effective way to support the NHS in moving off unsupported operating systems, including Windows XP.

NHS Digital also plans to support local organisations by broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice across the health and care system, and carrying out on-site assessments.

In addition, the NHS contract has been changed so that NHS organisations are formally required to adopt the data security standards recommended by the National Data Guardian, including security training for staff, annual reviews of processes and extensive contingency plans to respond to threats to data security.

Health Minister Lord O’Shaughnessy said, “Better use of information and data has the potential to transform health and care for everyone. However, organisations’ resilience to cyber threats and the unimpeded, safe and secure flow of appropriate information and data across the health and social care system are critical to improving outcomes for all.

“People must be confident that systems are secure and robust. Recent incidents, including the May 2017 ransomware attack, which affected many other countries’ services as well as our own health and care system, have shown that the NHS can protect essential services in the face of a cyberattack, but they have also underlined the need for organisations to implement essential, strong data security standards.

“People want to know that their privacy and rights are safeguarded, understand how and when information about them is shared, and, how and when they can make an informed choice about whether to share their data or not.”

The government has said:

  • It will adopt and promote the 10 data security standards proposed by the NDG’s review.
  • It will adopt the CQC’s recommendations on data security.
  • NHS Digital will work with the health and care community to redesign and update the Information Governance Toolkit to support and underpin the new standards. This will take account of the relative needs and expectations of different organisations when considering their data security capability.
  • From September 2017, the CQC’s inspection framework will include the importance of meeting the data security standards. This will be supported by information from the redesigned Information Governance Toolkit.
  • This summer, NHS Improvement will publish a new ‘statement of requirements’ which will clarify required action for local organisations. Chief executives must respond to this with an annual ‘statement of resilience’, confirming essential action to ensure that standards are being implemented. This will include the requirement for each organisation to have a named executive Board member responsible for data and cyber security.
  • NHS Digital will build on its suite of advice and support services, CareCERT, which forms part of the Data Security Centre, to help health and care organisations prepare their own resilience to cyber security threats, and to respond effectively and safely when incidents occur.

Dame Fiona said she welcomed the government’s publication of Your Data: Better Security, Better Choice, Better Care.

She said, “Past failures to use patient data safely and respectfully have been well-publicised. But I believe that if the right steps are taken now, the great benefits of using such data can become just as familiar to the public in the future.

“There is still little public awareness of the way information collected by health and care services is currently shared, and that trust has not yet been earned. I believe that the implementation of my recommendations will be an important step in this process.

“I do not underestimate the challenges of this implementation. It will involve a great deal of work, including the building of technical solutions, support and training for staff, and not least culture change. Most importantly it will involve an ongoing conversation with the public about how data is used and what choices people can make.”

"The strengthening of cyber security within the NHS has been a long time coming and the wide-ranging response from the government this week is a big step in the right direction.

Neharika Ralhan, senior analyst specialising in health at GlobalData, said, "The adoption of the ten data security standards outlined by the National Data Guardian in conjunction with recommendations made by the CQC allows for a comprehensive framework to be implemented that aims to safeguard data across the NHS.

"The measures that are to be put in place, including a robust audit function, are widely considered best practice in other fields, and with the increased threat of cyber and ransomware attacks, a back-to-basics focus is required for the NHS.

"In order to ensure effectiveness, timely delivery by NHS England and NHS Digital to apply the revised information governance toolkit is of utmost importance, while ensuring that any initiatives put in place are championed across the system with a patient-centric focus remaining at the core."

David Evans, policy director at BCS, the Chartered Institute for IT, said, “The focus on ensuring that, through CQC (Care Quality Commission) frameworks for organisations, and resources and services from NHS Digital, everyone understands the duties and broad options, is vital. The additional funding will be welcomed by NHS CIOs at major trauma sites, but the rest will have to consider cuts to other areas of budgets to shore up cyber security.”

He added, “One of the important aspects to consider as the details are developed is ensuring that responsibilities are appropriate and proportionate. We need to make it clear and simple for NHS boards to discharge their duties, and ensure that NHS leaders know what their responsibilities are. However, the burden cannot solely be on their shoulders. They also need the proper professional support. The teams at NHS Digital and other centres of excellence will have tremendous expertise, but the scope of work across all of health and care in the UK means that a far broader community of IT professionals needs to meet baseline standards.

“At the end of the day, the general public needs to have assurance not only that hospital policies are in order, but that there are capable and accountable cyber professionals who are assuring that measures are appropriate and being carried out.

“The government plan is well-founded, but needs to be developed further and in different directions if public trust is to be placed fully on a system that has shown itself to be dangerously vulnerable. Just as patients rely on individual clinicians as well as hospital policies, the public needs to know that accountable and capable professionals are in the right places, particularly when a failing of an individual around cyber security can inflict far more damage than a negligent doctor.”
