The government has announced additional funding for cyber security within the NHS, including a £21m fund to protect major trauma centres from attack.
The announcement is part of its response to a 2016 report, and subsequent consultation, by the National Data Guardian, Dame Fiona Caldicott, into data sharing and safety within the health and social care system. It comes two months after the WannaCry ransomware immobilised parts of the NHS across the country.
“The NHS has a long history of safeguarding confidential data,” said health minister Lord O’Shaughnessy. “But with the growing threat of cyber attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS.”
“Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat,” he added.
The government has agreed to implement security standards from the Caldicott review as well as security recommendations from the Care Quality Commission (CQC). It plans to require greater responsibility for data security at a local level and introduce new training packages for staff.
Parts of the NHS were made vulnerable to the WannaCry attack through continued use of Windows XP, an operating system launched in 2001 that has not received support from Microsoft since 2014. The government says that organisations should move away from, or isolate, any unsupported systems by April 2018.
It also reiterated plans to include patient data management within CQC inspections.
The government response also addresses data-sharing principles which were reviewed by Caldicott in light of the controversy over the care.data proposals that were shelved last year.
It says that it will introduce an opt-out scheme for patients that will apply across health and social care, allowing them to say that their information can only be used for their direct care. Patients will also be able to see who has accessed their summary care record as well as how NHS Digital, which collects patient data, has used it.
From May 2018, the government is also introducing stronger laws to penalise anyone who misuses or attempts to de-anonymise confidential medical information.
However, the British Medical Association (BMA), which represents doctors, has raised issues about the government’s approach to patient medical records.
John Chisholm, chair of the BMA’s medical ethics committee, said that it was concerned that patients will not be able to opt out of having their data sent from their GP to NHS Digital, and that there need to be protections in place ahead of time so that patients will know how their data could be used.
“If patients don’t have confidence in the system, not only does it damage the doctor–patient relationship, there is also a real risk that some will be put off visiting their GP, which could have serious public health implications,” said Chisholm.
“We are currently in ongoing constructive discussions with the government and hope we can reach an agreement that is in the best interests of patients.”