Over the last two years, the NHS has embarked on one of the most ambitious and aggressive cyber security programmes seen in any health and care system in the world.
A huge amount of work has been done, both at the local and national level, and we have seen significant improvements in three key areas:
We know that more still needs to be done to maintain the safety, privacy and trust of patients as we improve our health and care system’s use of data and digital technology, but we have made significant progress in several key areas.
We cannot be complacent. The threat we face is growing and constantly changing – and it will require a continued and concerted effort across the health and care system to effectively combat it.
In September 2019, we announced a new Secure Boundary deal with Accenture to deliver additional security monitoring and prevention defences for the multiple internet connections in use across the system. We now provide threat scanning tools for internet-facing services run by local organisations and have also opened up online training licences for IT and security staff to improve skills across the system.
A key recommendation from the NHS CIO’s WannaCry report was for all large NHS organisations (422 as of August 2019) to achieve Cyber Essentials Plus (CE+) certification by June 2021. NHS Digital itself has been conducting on-site security assessments across the NHS trusts. These assessments cover compliance with the Cyber Essentials and IT HealthCheck standards and produce a score based on an organisation’s readiness to be CE+ certified. The average readiness score has risen from 48% at the time of the CIO’s report to 70% in September 2019.