Comment Blog 24 November, 2017

Securing the NHS. How cybersecurity must underpin its digital transformation

Last week, Reform hosted a policy roundtable on securing data in the NHS, led by Sir Ian Andrews, Senior Independent Director, NHS Digital. The event was held in partnership with Palo Alto Networks, under the Chatham House Rule. The event revealed just how far the NHS is using data within its organisations and sharing more data with outside agencies. Such sharing, particularly with the life sciences sector, will lead to significant medical breakthroughs. But, the rising use and sharing of patient data is making its security increasingly important.

Securing patient data will need leadership from the many organisations that make up the NHS. Some of which are small businesses, like care homes and GPs. Here, data security will need the same common-sense approaches as for SMEs. To reinforce this, the CQC are to take patient data as seriously as patient care in their practice inspections.

A new concern is the security of data in social care. Only 0.6 per cent of care homes use NHSmail, the NHS email service. This means they miss out on the valuable associated security for traffic moving in and out of their systems. This is critical as 60 per cent of spam email to the NHS is intercepted daily.

Yet for NHS leaders, this is a new challenge at a time of many other challenges. They need help with bandwidth and capital funding to both exploit the opportunities of data sharing in a secure way. As Mark Sayers, Deputy Director, Cyber and Government Security directive, at the Home Office says “Governments can lead the way, but they cannot deal with cyber threats alone.” A long-term partnership with the private sector for security would enable the NHS to be even more ambitious with data going forward.

Despite the media coverage of May’s WannaCry cyber-attack, the NAO found that no data was stolen or compromised by the attack. This serves as an important reminder that the NHS is capable of meeting the changing challenge of data security.