Cyber Essentials for the Health Sector
As detailed on the Information Commissioner's Office website, the health sector continues to account for the most data security incidents. This is due to a combination of the NHS (UK National Health Service) making it mandatory to report incidents, the size of the health sector, and the sensitivity of the data processed.
The health sector handles some of the most sensitive personal data. Data security incidents can lead to extensive detriment and high levels of distress for the data subjects affected. One of the key roles of NHS Digital, formerly the Health & Social Care Information Centre, is to provide support and advice to health and care organisations on information and cyber security.
In July 2016 the UK Government Department of Health's National Data Guardian (NDG) published "Review of data security, consent and opt-outs". IASME, with our growing experience of certifying health care organisations, contributed to this report.
The report included recommendations to strengthen security of health and care information including recommendation 4: "All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should be tested in a wider number of GP practices, Trusts and social care settings."
The report also included a case study from one of the organisations certified by IASME, West Midlands Ambulance Service NHS Foundation. Representatives from the foundation commented: "We view the Cyber Essentials accreditation as an essential technical companion to the NHS Information Governance Toolkit, which focuses upon less technical aspects of wider information security. We are aiming to use the accreditation as a foundation upon which to further enhance our security controls, thereby ensuring the ongoing confidentiality, integrity and availability of our systems and confidential data."
The review also detailed a number of Leadership Obligations. Leadership Obligation 3, "Technology: Ensure technology is secure and up-to-date", specifies Data Security Standard 9: "A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually."
IASME and its associated Certification Bodies have certified an increasing number of health organisations of all sizes, from NHS Trusts to dentists and care homes. We use this growing experience to assist you in meeting the cyber security requirements and are happy to discuss any questions you have. Any UK organisation with less than £20m turnover will receive automatic cyber insurance with their Cyber Essentials certification, included in the assessment cost of £300 + VAT.