UK health cyber security strategy to 2030: briefing

Key points

In an increasingly digitised health and social care system, technology and data are critical to providing effective care. Cyber security – that is, the protection of devices, services and networks and the information on them from theft or damage – is an essential enabler of that care, assuring the safety of patients and of people and their families drawing on care in the community (service users).

In secondary care, this includes diagnostic machines, while in adult social care organisations it includes technologies such as digital care records and acoustic monitoring systems. Ensuring cyber security is fit for purpose builds trust, which is vital for innovation.

Some of the current challenges are the same as those faced by other sectors, for example recruiting and retaining a workforce with the right skills, adapting to new technology and moving away from legacy devices. Moreover, the size and diversity of the sector makes it challenging to set standards that can apply to all, which is a critical issue where sensitive and personal data is being shared across organisations.

The pace of growth and development in the digital, data and technology space also makes it challenging to assure new products’ cyber security. Standards-based practices and architectures that can accommodate new technologies will enable the sector to safely benefit from new and developing technology.

As new technology is developed, it can be challenging to monitor and replace older technology as it becomes outdated and more vulnerable to cyber attacks. Investment in newer devices and technology must be seen as an investment, rather than a cost, to assure technology can be used more safely and securely.

In order to help with cyber security issues, the Government has for example, been onboarding devices across the NHS onto Microsoft Defender for Endpoint (MDE), a tool to enable NHS England’s CSOC to spot potential threats, since April 2019. The number of onboarded devices continues to grow, from 1.15 million in April 2019 to 1.67 million in January 2023.

While in 2019, they established the Cyber Associates Network (CAN), a platform to facilitate peer-to-peer learning for healthcare professionals on cyber and to influence new products, services, policies and strategies.

In addressing threats and challenges to build a health and social care system that is resilient to cyber attacks, this strategy sets out 5 pillars that direct the system’s overall approach to cyber security to 2030.

Pillar 1 – focus on the greatest risks and harms

The desired outcomes for pillar 1 by 2030 are:

1. a common understanding of risks and how they may vary is shared across the sector
2. visibility of the attack surface is increased
3. cyber security mitigations are proportionate to the threat and potential harm
4. powers under NIS regulations are clearly understood and used proportionately to address cyber risk and improve resilience of the most critical organisations

Pillar 2 – defend as one

The desired outcomes for pillar 2 by 2030 are:

1. health and social care organisations work in partnership on their cyber security, sharing data, learning and resources to improve sector-wide resilience
2. threat intelligence and detection across the NHS is co-ordinated nationally for rapid response and alerting
3. national teams set clear expectations of leaders and boards on the organisational risk they are held accountable for and implications for the wider sector if those risks are realised
4. leaders and boards make full use of available services to respond to the greatest risks and harms to their organisation

To achieve this, in part, national and regional cyber security teams will provide a health technology assessment and remediation service.

Pillar 3 – people and culture

The desired outcomes for pillar 3 by 2030 are:

1. cyber security is recognised as a vital profession within health and social care
2. the NHS attracts and retains a diverse cyber security workforce
3. a ‘just culture’ for cyber regulation is championed across the system
4. everyone understands their role in ensuring good cyber security and acts accordingly

Pillar 4 – build secure for the future

The desired outcomes for pillar 4 by 2030 are:

1. organisations understand emerging risks and how to manage them
2. the critical supply chain risk is managed and resilience is increased across the critical health and social care supply chain
3. new services, support and standards are secure by design
4. standards, underpinned by the CAF, are clear, understood and aligned

To achieve this, in part, national and regional cyber security teams will develop engagement with their most critical suppliers to assure their cyber security and share guidelines to help organisations more consistently build cyber security into new supplier contracts, including agreements on information sharing in the event of an incident.

5 – exemplary response and recovery

The desired outcome for pillar 5 by 2030 is that national, regional and local responses to a cyber incident minimise the impact of a cyber attack on patient and service user care.

Commitments and next steps

In working towards the vision and aims of this strategy, national cyber security teams will:

• continue to enhance the NHS England CSOC and develop a framework to support local security operations centres – by 2024
• update the DSPT to reflect the CAF, empowering organisations to own their cyber risk – by 2025
• publish a comprehensive and data-led landscape review on the status of cyber security in adult social care, spending at least £15 million over the next 2 years in response to that review – by 2025
• develop a product to map our most critical suppliers, engaging with them through dedicated channels and supply chain summit – by 2024
• publish an implementation plan setting out planned activity for the next 2 to 3 years to support meeting the aims and goals of this strategy – by summer 2023