16 / 1 / 2017 2.56pm
On 6 July 2016 a new Directive concerning measures for a high common level of security of network and information systems (cyber security) across the European Union was adopted by the EU. See the final text here.
What is new?
This could have implications for the NHS as healthcare has been identified as an ‘essential service’. Accordingly, healthcare providers will be required to take “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”.
EU governments must ensure that healthcare organisations are taking appropriate measures to prevent and minimise the impact of cyber security incidents affecting the security of their network and information services used in the provision of their essential services, with a view to the continuity of those services.
Healthcare organisations will also need to notify, without undue delay, the national competent authority of any cyber security incidents that have a significant impact on the security of the services they support.
Healthcare providers' compliance with this legislation will be assessed by their national competent authority. Accordingly, they will be required to supply:
- the information necessary to assess the security of their network and information systems (including documented security policies);
- evidence of the effective implementation of security policies, such as the result of a security audit carried out by the competent authority or a qualified auditor.
Penalties will be laid down by the UK competent authority and will be: “effective, proportionate and dissuasive.” The new EU law will be implemented in the UK by 10 May 2018.
Tips on what healthcare operators can be doing now to prepare:
- A lot of this chimes with recommendations of Dame Fiona Caldicott’s Review on Data Security, Consent and Opt-outs, so guidance on how to comply with this legislation will most likely be issued by government alongside this package of reforms.
- Perform a cyber-security audit and risk analysis – know the threats to your organisation.
- Think about a response team for cyber incidents.
- Define a response plan – how are you going to respond to the different types of incidents?
- Put together a policy that defines the categories of incidents and the response to each.
- The root causes of cyber incidents are often related to human error; training and capacity building of staff and contractors is important.