Integrated care systems must ensure all members have ‘a rehearsed plan’ for responding to and recovering from cyber attacks, the Department of Health and Social Care (DHSC) has said.
Under the Department’s new cyber resilience plans, ICSs will also be expected to develop and fund their own cyber security strategies by 2030.
By delegating ‘important risk decisions’ to its system leaders, national NHS teams will become ‘simultaneously more and less directive’, with a view to uplifting skills and capabilities across the sector.
The Government’s newly launched cyber security strategy for the health and social care sector set out its plan to better protect the NHS’ services from threats and to secure sensitive information, including patient data.
And under the Health and Care Act 2022, ICSs are responsible for bolstering cyber resilience in their area.
In its plan, the DHSC said that successfully minimising the impact of a cyber incident ‘means routinely exercising cyber responses at national, regional, local and organisational levels, and using lessons learnt to improve incident response processes and practice’.
This would mean that every level of the system must have ‘tested what it would need to do to make sure that its most critical services can still continue’ at an acceptable level.
A senior information security manager for an unnamed ICB was quoted in the report as saying: ‘We work hard to give clarity on processes of who does what in the event of an incident. While cyber problems have been around for a long time, the volume of attacks is increasing and we know we need to invest in resources to mitigate risks, for example improving our back-up processes.
‘We have to educate, continually improve, and learn lessons from each other and from other industries.’
The Government’s new plan will also require ICSs to:
- Build systems and services as cyber secure ‘by design’, and regularly engage with their organisations to ensure compliance
- Identify risks within their system that would affect the local system’s ability to function
- Develop an ‘appropriately resourced and accountable’ cyber security function to manage risk.
Commenting on the plan, Saffron Cordery, deputy chief executive at NHS Providers, said: ‘As digital working in the NHS expands, these types of security measures are vital.
‘Many trust leaders have had National Cyber Security Centre board training and are working hard to meet statutory and recommended standards.
‘However, trusts need adequate funding to properly address the growing risk of cyber attacks, which includes updating old and unsupported legacy software.’