NHS European Office

Cyber Security


On 6 July 2016 a new Directive concerning measures for a high common level of security of network and information systems (cyber security) across the European Union was adopted by the EU. See the final text here.

What is new?

This could have implications for the NHS as healthcare has been identified as an ‘essential service’. Accordingly, healthcare providers will be required to take “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”.

EU governments must ensure that healthcare organisations are taking appropriate measures to prevent and minimise the impact of cyber security incidents affecting the security of their network and information services used in the provision of their essential services, with a view to the continuity of those services.

Healthcare organisations will also need to notify, without undue delay, the national competent authority of any cyber security incidents that have a significant impact on the security of the services they support.

Healthcare providers' compliance with this legislation will be assessed by their national competent authority. Accordingly, they will be required to supply:

  • the information necessary to assess the security of their network and information systems (including documented security policies);
  • evidence of the effective implementation of security policies, such as the result of a security audit carried out by the competent authority or a qualified auditor.

Penalties will be laid down by the UK competent authority and will be: “effective, proportionate and dissuasive.” The new EU law will be implemented in the UK by 10 May 2018.

Tips on what healthcare operators can be doing now to prepare:

  • A lot of this chimes with recommendations of Dame Fiona Caldicott’s Review on Data Security, Consent and Opt-outs, so guidance on how to comply with this legislation will most likely be issued by government alongside this package of reforms.
  • Perform a cyber-security audit and risk analysis – know the threats to your organisation.
  • Think about a response team for cyber incidents.
  • Define a response plan – how are you going to respond to the different types of incidents?
  • Put together a policy that defines the categories of incidents and the response to each.
  • The root causes of cyber incidents are often related to human error; training and capacity building of staff and contractors is important.
