The government has announced investment plans to increase the cyber security of the NHS and social care organisations.
In its latest report, the government outlines a £50 million investment plan based on reviews and recommendations by the National Data Guardian and the Care Quality Commission.
The report mentions the global WannaCry attack that badly affected NHS trusts across the UK in May. The attack, the report states, highlights the potential impact that a cyber-attack can have on patient care.
As part of the plans, £21 million has been put aside for the UK’s 27 major trauma centres. Increasing these centres’ cyber-security capabilities is highlighted as an immediate priority, alongside the need to improve NHS Digital’s national monitoring and response capabilities. Each organisation will also have a named executive board member responsible for cyber-security.
To help support health organisations, NHS Digital will issue guidance on unsupported systems such as Windows XP, which is used by 3% of endpoints in healthcare. The plans give local organisations a deadline of April 2018 to have dealt with the problem of unsupported systems.
The use of patient data is also referenced in the report, which highlights the need for transparency about when patient data is used and why it is being used. This year will see NHS Digital’s data release register setting out how patient data is being used. By December 2018, individuals will be able to see who has accessed their summary care record, and by 2020 they will be able to see who has used their data, the report states.
One of the likely drivers of the increased need for data transparency is the controversy surrounding the Royal Free hospital and Google DeepMind. The two companies inappropriately used the data of 1.6 million patients to develop an app to help identify acute kidney injury (AKI).
For increased transparency, patients will be given the choice to opt out of sharing their data beyond direct care across both the health and social care system.
The report also puts the National Data Guardian on a statutory footing, and stronger sanctions will be introduced by May 2018 to protect anonymised data. Negligence or deliberate re-identification of individuals will be met with severe penalties.
Responding to the plans, NHS Digital’s Interim CEO said: “Our objective, alongside our partners in the NHS family, is to build and maintain public trust in data security and data sharing. Patients need to feel confident that their data is held safely and securely and information only shared for the benefit of health and care. We know that sharing data improves lives, but patients also have the right to make informed choices about whether they want to share their data. NHS Digital is committed to the principles set out in the NDG Review. We will work with the public, patients, health professionals and partners to build understanding and trust that the data we hold is kept secure and shared safely. We look forward to delivering on the actions the Government Response describes.”