The health service is to adopt 10 data-security guidelines Credit: PA

Two months on from the havoc caused by the WannaCry ransomware attack, the Department of Health has announced plans to increase spending on cyber and data security to more than £50m, including a new £21m dedicated fund for use by England’s network of 27 major trauma centres. Elsewhere, digital systems are to be introduced to allow patients to track how their data is used, and by whom.

The department has published a report in response to two separate reviews into its data security measures,  conducted by watchdog the National Data Guardian and regulator the Care Quality Commission. 

The report, called Your Data: Better Security, Better Choice, Better Care, said that the government’s first funding priority will be a planned £21m capital spending pot for use by major trauma centres, which specialise in providing care for those who have suffered life-threatening or life-altering injuries. 

Related content

• NHS ransomware attack one month on: "The people who didn’t patch Windows 7 should be sacked"
• NHS cyber attack a 'wake-up call' for government
• ‘They should have planned it on Google Earth’ – UK cybercrime chief on the Hatton Garden heist’s folly and why WannaCry is a watershed moment

Allowing citizens to make better-informed choices about the use of their data is another target laid out in the report. This includes an online service – due to launch by the end of next year – which will allow people to see who has accessed their summary care record. By March 2020, this will be expanded to permit patients to see how personal data collected by NHS Digital has “been used for purposes other than their direct care”.

The DoH will also implement UK data-protection legislation in May of next year. This, the report said, “will provide a framework to protect personal data and will also impose more severe penalties for data breaches and reckless or deliberate misuse of information”.

The role and functions of the National Data Guardian will also be placed “on a statutory footing” by the department. Meanwhile, sometime in 2018, the Information Governance Alliance will also publish “anonymisation guidance based on the Information Commissioner’s Office Code of Practice on Anonymisation”, according to the report.

It added: “We will [also] clarify the legal framework by working with the Confidentiality Advisory Group to ensure its approvals process under Section 251 of the NHS Act 2006 enables organisations to access the information they need - for example for invoice validation.”

The report revealed that the National Data Guardian has defined 10 “data-security standards”, by which the department will adhere. These are printed in full below.

In the immediate term, NHS Digital is currently helping local trusts and other bodies by broadcasting alerts about cyber threats, carrying out assessments on site, sharing best-practice guidelines and advice, and offering a hotline which local entities can ring when dealing with a security threat.

The DoH is also looking to define the quickest and cheapest way to help NHS bodies in migrating away from Windows XP and other unsupported operating systems. 

Health minister Lord O’Shaughnessy said: “The NHS has a long history of safeguarding confidential data, but with the growing threat of cyberattacks – including the WannaCry ransomware attack in May – this government has acted to protect information across the NHS.

He added: “Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”

The National Data Guardian’s 10 Security Standards

• All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is shared for only lawful and appropriate purposes
• All staff understand their responsibilities under the National Data Guardian’s data-security standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
• All staff complete appropriate annual data security training and pass a mandatory test, provided through the redesigned Information Governance Toolkit.
• Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All instances of access to personal confidential data on IT systems can be attributed to individuals.
• Processes are reviewed at least annually to identify and improve any which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
• Cyberattacks against services are identified and resisted and CareCERT security advice is responded to. And that action is taken as soon as possible following a data breach or near miss, with a report made to senior management within 12 hours of detection. Significant cyber-attacks are to be reported to CareCERT immediately following detection.
• A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
• No unsupported operating systems, software or internet browsers are used within the IT estate.
• A strategy is in place for protecting IT systems from cyber threats, based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
• IT suppliers are held accountable via contracts for protecting the personal confidential data they process and for meeting the National Data Guardian’s data-security standards.