Policy paper

A cyber resilient health and adult social care system in England: cyber security strategy to 2030

Published 22 March 2023

This was published under the 2022 to 2024 Sunak Conservative government

Applies to England

Forewords

Foreword from Lord Markham

The government cyber security strategy to 2030 sets out the criticality of building and maintaining our nation’s cyber defences as we look to protect the functions and services on which we all depend. These last few years have underlined the importance of health and social care services that are delivered day in, day out. In an increasingly digitised world, protecting those services from the disruptive impact of a cyber attack, alongside making sure that citizens’ data is protected, has never been more important. In short, the cyber security of our health and social care systems underwrites patient safety. 

Working towards a cyber resilient health and social care sector is a significant challenge. The sector is made up of complex, interdependent systems with different risks and needs. This strategy will shape a common purpose across health and social care against the most critical of those risks. It sets out an approach that will be applicable across health and social care systems including for adult social care, primary care, and our critical supply chain as well as for secondary care. 

Our vision and aims are ambitious and will require engagement at all levels of the health and social care sector. We must build and maintain this engagement in the shared understanding that cyber security is a foundational business need that we must prioritise if we are to ensure patient and service user safety. 

Lord Markham, Parliamentary Under Secretary of State

Foreword from Phil Huggins and Mike Fell

In an increasingly digitised health and social care service, patients and service users remain at the core of our vital work helping create a cyber resilient health and social care sector to 2030. While every health and social care organisation must take responsibility for its own cyber security, with national cyber security teams setting direction and providing central support, we must work as one across the system to further cyber resilience to improve the safety of the people we care for.

Although our cyber defences have improved over the past years and especially since WannaCry in 2017, we know we still have further to go. The 5 pillars in our strategy focus our approach on the most important risks to our most critical systems, while growing our cyber workforce so that we can better tackle threats in the long term.

Our strategy to 2030 will allow us to work flexibly and adaptively in response to a changing world. Our Cyber Futures programme will take the lead, bringing forward important initiatives to make the 5 pillars of the strategy a reality. We are committed to publishing a detailed implementation plan to illustrate the progress.

This strategy and the operations underpinning it directly support and enable better health outcomes. Improved cyber resilience will assure availability of services, protect valuable data, and build patient and service user trust in our systems. This is an ambitious body of work, but working collaboratively across the system we can have a genuine impact on people’s safety and wellbeing in assuring the vast and varied digitised care and support services provided across the sector.

Phil Huggins, National Chief Information Security Officer

Mike Fell, Executive Director of National Cyber Operations

Introduction

Cyber security as a critical factor to people’s safety

In an increasingly digitised health and social care system,[footnote 1] technology and data are critical to providing effective care. Cyber security - that is, the protection of devices, services and networks and the information on them from theft or damage - is an essential enabler of that care, assuring the safety of patients and of people and their families drawing on care in the community (service users).

In secondary care, this technology includes diagnostic machines such as imaging scanners and systems that let hospitals know which beds are free, while in primary care this includes patient booking systems, call and recall facilities, and electronic prescription services. For adult social care organisations, it is technologies such as digital care records and acoustic monitoring systems that are enabling more responsive, joined-up care. All these services - and the many other systems and devices that modern health and social care organisations use to help look after people - rely on good cyber security to ensure a smooth, uninterrupted service.

In England and internationally, there have been instances where cyber attacks have disrupted the running of services, at times with significant financial consequences. With an estimated 950,000 general practice appointments, 45,000 major A&E department attendances and 137,000 imaging events recorded every day, the potential scale of impact - both direct and indirect - of a cyber attack on the health and social care sector is huge.[footnote 2]

While it is unlikely that a cyber incident would bring down all of the hundreds or even thousands of separate systems supporting direct care, interdependencies between systems mean we must account for at least some degree of cascading risk.

Done right, cyber security not only protects but also builds trust, which is vital to innovation. The Data Saves Lives strategy sets out plans to harness digital efficiency and data to improve outcomes, while maintaining the highest standards of privacy and ethics and taking targeted action to build public trust around how we use data in the NHS. This sits alongside the Plan for Digital Health and Social Care, which sets out a vision and action plan to digitise health and care services and connect them to support integration, and to use that platform to transform care and enable fundamentally new care models.

Cyber security underwrites public trust in digital services and technologies. This cyber strategy sets out a vision for reducing the cyber security risk to health and social care organisations, protecting patient, service user and staff data, and implementing measures to ensure organisations are able to recover quickly from cyber attacks when they do occur.

Case study: Ireland Health Service Executive ransomware attack

On 14 May 2021, the Health Service Executive (HSE) in Ireland suffered a major ransomware attack which caused 80% of the HSE IT environment to become encrypted,[footnote 3] preventing access to diagnostics and medical records and disrupting healthcare services throughout the country.[footnote 4] Outpatient clinics and healthcare services were cancelled, with medical appointments dropping by up to 80%.[footnote 5] There was a significant impact on radiotherapy services, with cessation of radiation treatment across the 5 HSE centres.[footnote 6]

The financial implications include the costs of the attack itself, of recovery and of rebuilding security systems. HSE incurred revenue expenditure of €37 million and capital expenditure of €14 million in 2021. Although the full cost of the attack on the HSE has not been quantified, implementing the resulting cyber security improvements is estimated to cost almost €657 million over 7 years.[footnote 7]

A unified approach for a decentralised sector

Different parts of the system have different roles to play in cyber security:

  • health and social care organisations remain responsible for their own cyber security

  • national cyber security teams are responsible for setting direction and providing central support

  • following the statutory launch of integrated care systems (ICSs) on 1 July 2022, ICSs are responsible for bolstering the cyber resilience across their area

These responsibilities extend to the social care sector, where investment is being made to build cyber resilience, and to suppliers across health and social care.

We must, however, be clear that a unified and collaborative approach is key to improving sector-wide cyber security. This approach will enable this largely decentralised sector to achieve economies of scale, share learning and ensure a solid minimum level of security to ‘defend as one’ across the entire system.

The operational consequences of disruption in the digital space are often the same whatever the cause, be it a cyber attack or systems failing because of overheating. Cyber teams must continue working with emergency response teams to align processes and account for broader risks and requirements. This includes ensuring mitigations or alternatives are in place for any period in which digital systems are unavailable, whatever the reason.

Working closely with staff responsible for information governance, including on training and legal compliance, will be essential to protecting patient and service user data. The NHS England information governance guidance will support NHS staff to continue working together to share information safely.

While health and care is a devolved matter, the UK as a whole shares the vision set out in the Government Cyber Security Strategy 2022 to 2030. We will continue to work collaboratively with the devolved governments towards a more cyber resilient UK-wide health and social care system.

Understanding: the health and social care system

When we refer to the health and social care system, we are referring to the organisations, people and actions whose primary intent is to provide services to support health and wellbeing. This includes:

  • DHSC teams

  • NHS primary and secondary care organisations and their related integrated care systems (ICSs), integrated care boards (ICBs), integrated care partnerships (ICPs), and the local authorities they work with

  • the wide range of activities across adult social care to help people who are older or living with disability or illness to live independently and stay well and safe

  • independent providers across both health and social care

  • the suppliers who provide goods and services across the health and social care sector

Individual organisations across health and social care are part of multiple systems, some of which interact, some of which are stand-alone, but which together make up the health and social care system. This can be understood as a complex adaptive system, defined as a dynamic network of agents acting in parallel, constantly reacting to what others are doing, which in turn influences behaviour and the network as a whole.[footnote 8]

For cyber security, it is especially important to understand the complex and adaptive nature of the health and social care system to understand how strengths and vulnerabilities map across different organisations.

Vision

This strategy envisages a health and social care sector that is resilient to cyber attack, in turn improving the safety of patients and service users through good cyber security. Organisations across the sector will be able to better protect themselves so that:

  • organisations are better able to manage their cyber risk
  • organisations are better able to protect their patient, service user and staff data
  • organisations can more quickly respond to and recover from a cyber attack
  • people’s trust in the sector’s digital systems is increased, so technological innovations can be applied with confidence

To meet this vision, this strategy aims for all health and social care organisations to achieve cyber resilience to known vulnerabilities and attack methods proportionate to their risk profile, with all operators of essential services (OESs) in the sector significantly hardened to cyber attack, no later than 2030.

Understanding: cyber resilience

The Department for Science, Innovation and Technology’s cyber resilience policy defines cyber resilience as “the ability for organisations to prepare for, respond to and recover from cyber attacks and security breaches.” It details that “cyber resilience is key to operational resilience and business continuity.”

For health and social care, this means preventing, mitigating and recovering quickly from any cyber incident that may impact on the sector’s ability to provide continued care.

Five pillars of the strategy

Five pillars, which have been developed collaboratively across the sector, will support every organisation in meeting this vision for a cyber-resilient health and social care sector, complementing one another in setting out the approach. They will enable a focus on the changes organisations and teams across health and social care can prioritise to improve cyber security over the long term.

The 5 pillars are:

  1. focus on the greatest risks and harms
  2. defend as one
  3. people and culture
  4. build secure for the future
  5. exemplary response and recovery

These 5 pillars will be supported by a national implementation plan which will detail activities and define metrics to build and measure resilience over the next 2 to 3 years.

This short to medium term implementation plan will be based on our current assumptions around cyber security to 2030 (set out below under ‘current and emerging threats’). National cyber security teams will keep those assumptions and where we place the greatest emphasis under review, enabling us to address a range of different future scenarios to 2030. To that end, we will review and update our implementation plan at least every 2 to 3 years to ensure we remain responsive to the changing world around us, complementing this plan with a roadmap setting out priority services and resources to 2030.

The Cyber Assessment Framework as a measure

The pillars and this strategy’s implementation plan are underpinned by the Cyber Assessment Framework (CAF), which is the National Cyber Security Centre’s (NCSC) standard, designed for organisations responsible for vitally important services and activities.

This is in line with the Government Cyber Security Strategy 2022 to 2030, which sets out that adopting the CAF across government will help build a foundation of organisation-level resilience and facilitate alignment of frameworks, ensuring consistency of reporting on risk levels.

The CAF will help national health and social care teams to align policy and strategy with key risks and priorities, while tracking progress in working towards sector-wide cyber resilience. Adopting this as the common framework will enable organisations at all levels to understand what is expected of them, while in turn allowing them the autonomy to decide how best to manage their cyber risk proportionately in meeting CAF objectives.

The CAF’s 4 objectives against which to measure progress are:

  1. manage security risk, ensuring appropriate structures, policies and processes are in place to manage risks to systems supporting essential functions

  2. protect against cyber attack, ensuring proportionate measures are in place to protect systems supporting essential functions from cyber attack

  3. detect cyber security events, ensuring capabilities exist to keep security defences effective and to detect cyber security events with the potential to affect essential functions

  4. minimise the impact of cyber security incidents, ensuring capabilities exist to minimise adverse impact of a cyber security incident on the operation of essential functions

Current and emerging threats

Threats to England’s health and social care sector

National cyber security teams work in close partnership across departments and systems and with the NCSC to maintain a clear understanding of the cyber security threats we face. We understand that threats may change over the course of this strategy to 2030 and we will adapt our response accordingly within this flexible strategic approach.

The threat we face

The health and social care sector resists cyber threats every day, including:

  • phishing and other malicious emails
  • automated scanning for common software vulnerabilities
  • attempted fraud

Phishing and malware are recognised as low sophistication ‘commodity attacks’, easily usable by a wide range of cyber criminals.

See NCSC guidance to better understand phishing, malware and ransomware.

The most significant cyber threat the sector faces is ransomware. This is used in profit-seeking attacks, very often staged by organised criminal groups, but the increasing proliferation and commercial availability of ‘ransomware as a service’ means that attacks are not limited to sophisticated groups. (See NCSC Annual Review 2022.)

Ransomware attacks can cause complete loss of clinical and administrative IT systems, resulting in significant disruption to health and social care services such as postponed operations, diverted ambulances and forcing staff to use paper-based contingency measures without access to electronic health records. Research by the US Cybersecurity and Infrastructure Security Agency (CISA) showed that US hospitals that had suffered a ransomware attack were more likely to suffer worse health outcomes, including increased mortality.

As well as disrupting services, ransomware attacks globally are increasingly seen to include data theft and extortion with a threat of data leaks, which in health and social care could lead to significant distress and potential harm for patients, service users and staff.

Ransomware and other cyber crime is also a threat to third party suppliers, an attack on whom can cause as much or more damage and disruption as an attack directly on a health or care organisation.

We must also consider other, less prevalent, threats alongside the threat from commodity attacks like the ones described above. This might include state actors seeking to access sensitive information, or people working in or near to the health and social care sector seeking to misuse their privileged access.

All these threats pose risk not just to patient and staff safety, but also to public trust in a health and social care system that can and must safeguard people’s data. It is crucial that the sector continues to adapt and to improve its cyber resilience against the evolving threats, protecting itself and retaining public confidence.

Threat model

The cyber threat model for health and social care has historically focused resources on protecting against commodity, high-volume attacks - the type experienced by any organisation and any device connected to the internet - but over the last 3 years national cyber security teams have taken steps over and above that model, where needed, to respond to more advanced threats. As the threat changes, we need to keep our threat model under review to ensure our future approach continues to be effective, makes best use of resources and enables local organisations to respond to their own risks.

Our threat model for the sector overall focuses on opportunistic attacks by capable and motivated profit-seeking actors, willing and able to exploit any vulnerable organisation, typically deploying ransomware. Where we consider that parts of the sector may face a different or more targeted type of threat, we will engage with them directly.  

We recognise that the sector consists of a wide range of organisations of different sizes and resources, and it is not reasonable to ask every organisation to have the same level of defensive capability across all its estate. We do not expect every organisation to defend itself against targeted attacks by determined, highly sophisticated nation state-type actors, but we know that getting the basics right is a good defence against many capable attackers.

We will use CAF profiles, implemented through the Data Security and Protection Toolkit (DSPT) - the online tool through which health and social care organisations assess their cyber security - to set minimum expectations for different types of organisations. We will regularly review and update those expectations in response to future changes in threat.

Case study: WannaCry ransomware attack

In May 2017, the global WannaCry ransomware attack deployed encryption malware to over 200,000 computers in over 100 countries, impacting those with vulnerable operating systems.[footnote 9] Although this attack did not specifically target the UK health sector, it affected the NHS in England and Scotland because many NHS devices - the majority of which were running a supported but unpatched operating system - were vulnerable to this untargeted attack. (Unpatched means that the vendor had released fixes for known security weaknesses but those fixes had not been applied.)

At least 34% of trusts in England were disrupted, leading to thousands of cancelled appointments and operations. In 5 A&E departments, patients had to travel further to be treated. A cyber researcher was able to stop the attack by activating a ‘kill switch’.[footnote 10] Even so, WannaCry was the largest attack to affect the NHS with an estimated cost to the NHS of £20 million during the outbreak and an additional £72 million to restore data and systems.[footnote 11]

Current state

The health and social care sector has made good progress in the face of these threats and, by making use of the increasing cyber defence and response mechanisms at its disposal, the sector is much better protected now than in 2017 from untargeted attack. However, there remain important challenges necessitating continued cyber security improvements across the sector.

Some of these challenges are the same as those faced by other sectors, for example recruiting and retaining a workforce with the right skills, adapting to new technology and moving away from legacy devices.

Others are particular to the health and social care sector, such as the size and complexity of the system, its geographic distribution across the nation and the layered nature of its governance. We must seek to shape an approach that works for health and social care while maintaining a link to the direction set by the government cyber security strategy and by the CAF.

Challenges

High operational pressures

In a sector with varying working environments and high operational demand with many systems required to run 24/7, it can be challenging to prioritise finite resources to address competing risks, priorities and pressures. This challenge has been exacerbated by the unprecedented pressures placed on healthcare systems by the COVID-19 pandemic. We must ensure that organisations have the necessary insights and understanding to appropriately dedicate the right types of funding at the right time to cyber security, taking into account competing priorities and challenging work environments.

Large, complex and autonomous sector

The size and diversity of the sector make it challenging to set standards that can apply to all, which is a critical issue where sensitive and personal data is being shared across organisations. Some parts, such as primary, community and adult social care, have distinct circumstances which require a balanced approach. We must account for specific needs and varying cyber capabilities while defending as one.

Supply chain vulnerabilities

The health and social care supply chain is complex because providers each use many suppliers. These suppliers in turn have their own supply chains, creating multiple layers of risk. This complexity makes it challenging to assure against supply chain risk, where our central visibility has less coverage, and where there is likely wide variance in cyber maturity. We must work with colleagues in procurement and supply chain to ensure that suppliers meet our cyber security standards.

Unclear accountability and ability to influence

Where accountability for cyber risk is unclear, health and social care leaders may find it challenging to dedicate time and resources to their organisation’s cyber security. We must be clear on the accountability that boards and leaders have for their organisations’ cyber security and the responsibility that cyber professionals have for delivering in this space.

Limited cyber workforce

A UK-wide shortfall of cyber professionals makes it challenging to hire and retain the experts we need to support leaders and staff in improving their organisations’ cyber security. A comprehensive hiring, training and retention plan will be crucial to increasing the cyber workforce across health and social care.

New digital, data and technology

The pace of growth and development in the digital, data and technology space makes it challenging to assure new products’ cyber security. Standards-based practices and architectures that can accommodate new technologies will enable the sector to safely benefit from new and developing technology.

Legacy technology

As new technology is developed, it can be challenging to monitor and replace older technology as it becomes outdated and more vulnerable to cyber attacks. We must ensure that such a large, busy and diverse sector is able to keep ahead of outdated technology by promoting practices and architectures that support redundancy, maintenance and replacement of individual parts. This approach should be seen as an investment, rather than a cost, to assure technology can be used more safely and securely.

Growing and developing capabilities

The sector has a growing set of capabilities that it can leverage in its cyber defence and response: 

  • we now have a Cyber Security Operations Centre (CSOC) monitoring local systems throughout the country for the first signs of cyber vulnerabilities. This was bolstered in response to COVID-19 themed threats to include central offers of support including firewalls, over 170 secure back-up reviews and bespoke technical remediation

  • national teams have been onboarding devices across the NHS onto Microsoft Defender for Endpoint (MDE), a tool to enable NHS England’s CSOC to spot potential threats, since April 2019. The number of onboarded devices continues to grow, from 1.15 million in April 2019 to 1.67 million in January 2023

  • in partnership with adult social care representatives and providers, we have raised cyber awareness, understanding and basic cyber skills across the adult social care sector. Compliance in the sector against our DSPT cyber standards has risen from under 5% in June 2019 to over 50% by the end of 2022

  • in 2019 we established the Cyber Associates Network (CAN), a platform to facilitate peer-to-peer learning for healthcare professionals on cyber and to influence new products, services, policies and strategies

  • with the introduction of The Network and Information Systems (NIS) Regulations 2018, we have used legal measures to boost the level of security (both cyber and physical) of network and information systems underpinning the provision of essential services

  • following an attack in August 2022 on a health and social care supplier, we have launched work to build visibility and improve assurance of our critical supply chain. This includes trialling assurance tools, building an engagement plan, and developing criticality criteria

  • we are delivering emerging analysis on the impacts of cyber incidents on the sector, allowing us to evidence the importance of cyber security investments including in preventing patient mortalities

  • 181 secure back-up reviews were completed from the product’s launch in the summer of 2020 to February 2023, with £21.8 million capital distributed to assist with back-up capabilities

  • we continue to set out cyber security guidance and objectives for organisation and ICB-level chief executive and executive directors, supporting them as they engage on the topic

  • we continue to work closely with partners across government, including the NCSC and the Cabinet Office, to ensure a co-ordinated approach on cyber security

Approach: the 5 pillars

In addressing these threats and challenges to build a health and social care system that is resilient to cyber attacks, this strategy sets out 5 pillars that direct the system’s overall approach to cyber security to 2030. This work will provide a strong base for 2030 and beyond, in recognition that achieving the transformation that we want to see in the cyber security of health and social care will require cumulative efforts over the coming years. This will especially be the case under the ‘people and culture’ strand as we look to grow a cyber workforce and to embed a ‘just culture’ around cyber security (see more on this below). Despite these challenges, we will look to achieve each outcome as soon as reasonably and feasibly possible.

These pillars will apply across all the health and social care system as we work to increase alignment and work together to understand patterns, solve problems and plan services. We should come together to work at scale where this is most effective, but we recognise that achieving this goal will require a risk-based approach to local operational problems with differentiated responses to address specific challenges across the system.

In adult social care in particular, this strategy builds on the success of our community-led approach to cyber security, Better Security, Better Care. Working with the sector, and in lockstep with its digital journey, we will continue to address the sector’s specific challenges while respecting its organisations’ independence and diversity. Even so, we can go further by mainstreaming adult social care across some of our central cyber functions in partnership with our community-led approach.

For primary care, this strategy will support the aims outlined in the NHS Long Term Plan of ensuring that digitally-enabled primary and outpatient care become mainstream across the NHS. Noting from the Fuller stocktake report that primary care has wide variation in digital maturity and transformation, distinct consideration will be required in addressing cyber vulnerabilities across primary care.

Understanding: just culture

The National Data Guardian review of data security, consent and opt-outs sets out the importance of encouraging staff to speak up to understand a situation and to react swiftly and appropriately to a potential threat. This approach is in line with a just culture.

In the context of cyber, this means supporting a culture of fairness, openness and learning when addressing identified cyber vulnerabilities, events or attacks so that staff feel confident to speak up rather than fearing blame. Teams must take a considered approach to creating a just culture to ensure cyber vulnerabilities are not, in the spirit of openness, being unintentionally highlighted to potential aggressors.

NHS England’s ‘A just culture guide’ supports conversations between managers when identifying support or intervention required for a staff member involved in a patient safety incident and may support understanding and adoption of a just culture.

Defining roles

National and regional cyber security teams

This means teams employed nationally and regionally to work on system-wide cyber security, including NHS England’s Cyber Operations team and NHS Transformation Directorate’s Joint Cyber Unit. The pillars below set out national teams’ commitments which will be delivered with the support of regional teams.

Integrated care systems

This means those working across a partnership of organisations that come together to plan and deliver joined-up health and social care services in their area.

Each of the 42 ICSs has an ICB, a statutory NHS organisation responsible for developing a plan for meeting the health needs of the population, managing the NHS budget and arranging for the provision of health services in the ICS area. Each ICS also has an integrated care partnership (ICP), a statutory committee jointly formed between the ICB and all upper-tier local authorities within the ICS area, bringing together a broad alliance of partners concerned with improving the care, health and wellbeing of the population, with membership determined locally.

Health and social care leaders

This means those with oversight responsibilities of health and social care organisations, from local leadership teams to boards and their directors. Health and social care leaders are responsible for the cyber risk held by their organisation and will be held accountable in line with national performance frameworks.

Cyber workforce

This means anyone employed to focus or lead on cyber, from chief information security officers to cyber security analysts and cyber apprentices. In some smaller organisations, the cyber lead role may cross over with IT or information governance responsibilities.

Third party suppliers

This means any organisation providing goods or services to the health and social care sector.

All employees

This means everyone working in or with the health and social care system, playing a part in safely delivering care to patients and service users.

Pillar 1: focus on the greatest risks and harms

We know that the health and social care system is critical for the health and wellbeing of the public. We also know that there are particular organisations, assets and services at national, regional and local levels that would cause especially significant harm if they were disrupted.

The health sector is one of multiple sectors considered to require a high level of security of network and information systems. The Network and Information Systems (NIS) Regulations seek to ensure that essential services (services essential for the maintenance of critical societal or economic activities) such as those in the sector have adequate data and cyber security measures in place. NHS trusts and foundation trusts, ICBs and certain independent providers are currently designated operators of essential services (OESs) in England.

We must be considered in our cyber security investments, seeking to understand the most critical parts of the system whose disruption would cause the greatest harm and ensuring they are proportionately protected.

Desired outcomes for pillar 1

The desired outcomes for pillar 1 by 2030 are:

  1. a common understanding of risks and how they may vary is shared across the sector
  2. visibility of the attack surface is increased
  3. cyber security mitigations are proportionate to the threat and potential harm
  4. powers under NIS regulations are clearly understood and used proportionately to address cyber risk and improve resilience of the most critical organisations

How this will be achieved

To achieve this, national and regional cyber security teams will:

  • create a common language for measuring and recording cyber risk
  • develop and improve national capabilities to maximise sharing of information, services and products across the sector
  • gather data using national systems to build a system-wide threat picture, setting out proportionate mitigations for key risks and harms
  • deliver analysis to better quantify patient and service user harm caused by cyber incidents
  • regularly review standards to match changing risk profiles, including in the context of broader corporate risk management
  • set clear minimum standards for areas identified as key risks, including publishing information under NIS regulations and other developments in the regulatory landscape, including any changes in the Health and Care Act
  • perform a review of our implementation of NIS in the health sector, ensuring that essential services are adequately covered, and embracing opportunities to use learnings from regulatory intervention to improve resilience more widely

ICSs will:

  • identify and record risks within their ICS, including supplier cyber risks, that would affect the local system’s ability to function
  • engage with a plan at ICS level to mitigate risks, invest and review progress
  • ensure cyber risk is reviewed as part of broader corporate risk management
  • ensure providers maintain an understanding of their suppliers’ cyber security controls and risks

This will support leaders to:

  • understand and review the most critical parts of their systems and the risks to them
  • develop and engage with a plan to mitigate these risks, prioritising and managing this as appropriate

This will support cyber professionals to:

  • identify the greatest risks and harms specific to their organisation
  • support leaders and staff in understanding the greatest risks and harms
  • collect and feed in data to inform the system-wide risk picture
  • understand the security risk posed by the supply chain

User study: chief information security officer, community trust

We’ve got some very focused cyber policies in our trust. For example, if a machine is not seen for a month on the network, it’s not allowed to re-join without intervention.

Within those policies, there’s a whole suite of cyber protection in terms of how we manage changing risk across the whole estate. In cyber, you cannot afford to sit still - this is the key message.

Pillar 2: defend as one

The NHS has, in places, taken advantage of its huge scale to great effect, for example by establishing the NHS England CSOC and in NHS-wide deals for cutting-edge security technologies.

However, we can and must do much more to use the size and interdependencies of the sector to its advantage and to keep pace with the evolving cyber criminals we know are targeting health and social care. This includes sharing learning to uplift skills and capabilities across all of health and social care, and collating data which can build a better understanding of the sector-wide threat picture. We must look at how to leverage NHS capability, technologies and scale in a way which can also improve the cyber-resilience environment for the wider sector.

Health and social care must be better integrated in its overall approach, with stronger direction from national teams and centralised platforms and services to avoid silos and duplicated efforts. Organisations must, in parallel, be allowed greater autonomy in deciding how they implement strategic direction, standards and services according to their needs.

This means national teams becoming simultaneously more and less directive, enforcing the controls that we know will have the biggest impact on improving sector-wide cyber security, while delegating important risk decisions to system leaders, who have the local knowledge and context to make better risk decisions about their organisations. This will enable a differentiated approach where appropriate, including in addressing cyber security in adult social care.

Desired outcomes for pillar 2

The desired outcomes for pillar 2 by 2030 are:

  1. health and social care organisations work in partnership on their cyber security, sharing data, learning and resources to improve sector-wide resilience
  2. threat intelligence and detection across the NHS is co-ordinated nationally for rapid response and alerting
  3. national teams set clear expectations of leaders and boards on the organisational risk they are held accountable for and implications for the wider sector if those risks are realised
  4. leaders and boards make full use of available services to respond to the greatest risks and harms to their organisation

How this will be achieved

To achieve this, national and regional cyber security teams will:

  • make clear roles and accountabilities for cyber risk across the sector
  • collaborate with partners across government, the care sector, commercial third parties and academia as well as across local organisations to ensure alignment and share learning
  • provide central support to cyber security initiatives aligned with national and government priorities
  • provide and build on NHS-wide cyber security monitoring including via the CSOC, building in elements of automation where it is safe and possible to do so
  • provide a health technology assessment and remediation service

ICSs will:

  • create an ICS-wide cyber security strategy to drive security across the system
  • allocate funding to deliver the strategy, establishing governance to review and align plans and ensuring member and wider partner involvement
  • align with agreed cyber security standards when using existing and new cross-organisational systems

This will support leaders to:

  • decide where investment should be committed on the basis of local risk understanding
  • support the setting up and running of cross-organisational security monitoring

This will support cyber professionals to:

  • minimise the impact of cyber events through collaboration with national cyber teams
  • support leaders in deciding how best to spend national capital funding to improve cyber security
  • implement cyber security improvement through alignment with national cyber teams’ best practice and remediation advice

User study: senior information security manager, ambulance trust

DSPT provides a linchpin to our board members - we’d be lost without having that as leverage with our senior leadership team.

We check the CAN every day as a resource that we can share; it’s important to help us feel we’re not alone and working as a team. We stay in close touch with our regional lead who helps us know what funding is available, and who recently helped us use funding to implement privileged access management controls.

Pillar 3: people and culture

Managing cyber risk is a team effort; it is not something that can be done by national teams or by local cyber experts alone. It is essential that leaders across all organisations prioritise ensuring their staff are equipped with the skills and resources to address the cyber threat at all levels. A ‘just culture’ of learning and collaboration will be essential in fostering this understanding and ownership across the system, meaning staff are supported to be open about mistakes so that lessons can be learnt, and errors not repeated.

To achieve cyber resilience, we need to substantially increase the numbers and expertise of cyber professionals working at national, regional and local levels. This is a long-term challenge which will begin with hiring and training programmes, forging cyber career pathways and presenting health and social care as a rewarding place to pursue a career in cyber. National teams will be dedicating particular attention to bringing forward a comprehensive plan to deliver this.

As well as professional training for a developing cyber workforce, we must offer relevant cyber basics training to the general health and social care workforce, as well as board and senior information risk owner-level training. Experts must make sure they are talking about cyber risk in terms that others can understand, especially bringing out the relevance in terms of patient and service user harm.

We will seek to extend or mirror how we work in the NHS and healthcare to adult social care, including as we grow the system-wide cyber workforce, while respecting the differences, independence and unique challenges this sector and its workforce faces.

Desired outcomes for pillar 3

The desired outcomes for pillar 3 by 2030 are:

  1. cyber security is recognised as a vital profession within health and social care
  2. the NHS attracts and retains a diverse cyber security workforce
  3. a ‘just culture’ for cyber regulation is championed across the system
  4. everyone understands their role in ensuring good cyber security and acts accordingly

How this will be achieved

To achieve this, national and regional cyber security teams will:

  • clearly identify roles and responsibilities to manage cyber risk, making clear that cyber security is essential to patient and service user safety
  • embed cyber security decisions into multi-disciplinary national and regional forums to ensure a holistic cyber security culture
  • deliver on a plan to grow the cyber workforce and embed a cyber profession across both the health and social care sectors, including in developing career pathways for cyber
  • ensure the right cyber basics training and guidance are available to all
  • build on a community of shared learning and collaboration through the CAN and the new digital social care website
  • lead by example in implementing a ‘just culture’ at national level in approaching any identified cyber vulnerabilities

ICSs will:

  • develop an appropriately resourced and accountable cyber security function to manage cyber risk
  • develop strategies to recruit and maintain an adequate cyber support function through a combination of ICS and organisation resource
  • embed cyber security decisions into multi-disciplinary forums across the ICS to ensure a holistic cyber security culture with the support of the ICP
  • encourage collaboration across organisations to share good practice and address deficiencies, supported by the ICP highlighting where coordination is needed and holding partners to account on delivering key priorities
  • lead by example in implementing a ‘just culture’ at ICS level in approaching any identified cyber vulnerabilities

This will support leaders to:

  • take ownership of cyber security decisions for their organisation
  • develop and promote a cyber profession within their organisation
  • engage in planning to hire, train and retain cyber professionals within their organisation
  • lead by example and influence a ‘just culture’ where people feel empowered to support, learn, question and challenge
  • encourage staff to collaborate across teams and organisations on cyber security

This will support cyber professionals to:

  • support leaders in making cyber security decisions for their organisation, talking about cyber risk in terms that non-technical leaders can understand
  • engage with the hiring, onboarding and training of new cyber staff
  • lead on fostering a ‘just culture’ of learning and improvement for all in their organisation on cyber security
  • feed into plans for cyber profession development pathways
  • collaborate with cyber professionals across teams and organisations on cyber security, sharing learning and support

This will support all employees to:

  • understand the importance of following the right cyber security practices as part of their routine work, contributing to improving their organisation’s overall cyber security
  • support any direct reports to follow the right security practices as part of their routine work

User study: cyber security engineer, pharmacy

Colleagues across our pharmacy have regular mandatory training and we run ‘war’ games to validate that training where we create a mock phishing email and get people to click it. Everyone in the organisation has cyber security training, from pickers in the distribution centre through to the executive board, and we work to ensure the right level of training for each individual.

It only takes one person to click on a phishing email, so it’s accidental, not always malicious. That’s where our education piece comes in, making sure we take responsibility for giving everyone the right training.

Pillar 4: build secure for the future

The health and social care system was not built with cyber security in mind, in terms of its organisational structures or its technology. This has exacerbated many of the sector’s biggest current security vulnerabilities.

As we build the health and social care system of the future, we have the opportunity to redesign these structures and technologies with security at their core. This means engaging early with emerging technology, setting standards for how it is built and implemented across the health and social care system. It also means ensuring security is a foundational consideration as new governance is established, for instance in ICSs.

The health and social care supply chain must become a key consideration as we build a more secure health and social care system, with cyber security at the fore, from procurement to contract management.

Desired outcomes for pillar 4

The desired outcomes for pillar 4 by 2030 are:

  1. organisations understand emerging risks and how to manage them
  2. the critical supply chain risk is managed and resilience is increased across the critical health and social care supply chain
  3. new services, support and standards are secure by design
  4. standards, underpinned by the CAF, are clear, understood and aligned

How this will be achieved

To achieve this, national and regional cyber security teams will:

  • work flexibly to adapt as new threats and requirements emerge, including developing horizon-scanning functions to anticipate future threats and opportunities
  • develop engagement with our most critical suppliers, not limited to software providers, to assure their cyber security
  • develop pathways to improve communication with and across critical suppliers when responding to a cyber event or vulnerability
  • share guidelines to help organisations more consistently build cyber security into new supplier contracts, including agreements on information sharing in the event of an incident
  • embed the CAF into the DSPT, making the CAF the principal cyber standard organisations across the sector are held to and working with the Care Quality Commission (CQC) to ensure organisations are compliant
  • work collaboratively with local government to ensure CAF appropriately incorporates DSPT requirements for councils and their social care responsibilities
  • set out minimum expectations for IT lifecycle management across health and provide secure architecture patterns
  • empower organisations across the system to build their cyber security in the way that works for them, while being clear on mandated standards and requirements
  • identify and engage with teams and organisations embedding new cross-organisational technology to ensure cyber security is a consideration
  • provide clarity on forthcoming cyber security guidance and policy

ICSs will:

  • build systems and services cyber secure by design, including engaging suppliers on their cyber security in alignment with national engagement
  • regularly engage organisations on compliance with standards and frameworks
  • develop a cyber security programme underpinning the objectives of the strategy and outline milestones and metrics

This will support leaders to:

  • keep an active and updated list of critical suppliers and their cyber security status
  • engage with objectives, guidance and standards set by national teams
  • understand accountabilities under NIS regulations
  • make use of architecture patterns to include security in all technology and structural changes within their organisation
  • ensure budgets account for important system updates and back-ups

This will support cyber professionals to:

  • work with their organisation’s most critical suppliers to support them in assuring their cyber security
  • advise leaders on applying architecture patterns to structural and technical changes, leading on implementation
  • ensure design and development of systems adhere to security architecture designs and standards
  • routinely submit self-assessments of their organisation’s cyber security
  • engage with teams and organisations embedding new technology within their organisation, supporting them to apply appropriate cyber security measures
  • refer to guidance such as the NCSC’s supply chain security guidance, flagging resources to leaders and staff as appropriate

User study: head of information governance, care provider

Our supplier procurement processes have cyber requirements, such as Cyber Essentials Plus, baked in. We feel it is really important to have open dialogue - not interfering but offering help and support. We are keen not to have surprises and want to work with suppliers if they have an incident, hence the open dialogue.

We also look at suppliers which are likely to have systems or devices going out of support and work with them to mitigate the risk.

Pillar 5: exemplary response and recovery

We know that in the modern world, cyber attacks are a case of ‘when, not if’, and the health and social care system is no exception. This means that we must ensure that every organisation across the system is equipped to minimise both the impact of a cyber incident and the time it takes to recover from it.

To achieve this goal, national teams must develop overarching abilities, including through the NHS England CSOC, to respond to and support recovery from incidents, and use this expertise to promote best practice to organisations across the sector. It also means routinely exercising cyber responses at national, regional, local and organisational levels, and using lessons learnt to improve incident response processes and practice.

We must all focus on business continuity, making sure that at every level the system knows and has tested what it would need to do to make sure that its most critical services can still continue at a pre-agreed, acceptable level in the event of a cyber attack. Leaders at every level have a responsibility to ensure that this is the case for all areas under their leadership.

Desired outcome for pillar 5

The desired outcome for pillar 5 by 2030 is that national, regional and local responses to a cyber incident minimise the impact of a cyber attack on patient and service user care.

How this will be achieved

To achieve this, national and regional cyber security teams will:

  • publish expectations for incident response and reporting
  • lead on national incident response ‘dry run’ exercising, applying and developing plans for responding to, and recovering from, a cyber attack
  • work with the NCSC to manage the technical response to a sector-wide attack
  • where appropriate, deploy Cyber Security Incident Response team services to support local organisations in the event of a cyber attack
  • investigate and report on ‘lessons learnt’ from cyber events to drive improvements, directing remediation activity as appropriate from findings
  • develop national resilience with the impact of loss or unavailability of critical national systems understood and mitigations agreed
  • work with national and regional emergency response and preparedness teams to feed cyber response and recovery planning into broader response arrangements

ICSs will:

  • outline responsibilities and expectations of member organisations for response and recovery, as well as for a central accountable function
  • ensure the ICS and all members have a rehearsed plan for responding to, managing system downtime during, and recovering from a cyber attack
  • engage with and understand outcomes from dry-run exercising and post-incident reviews, identifying and responding to common themes for their ICS
  • lead on ICS-wide incident response ‘dry run’ exercising
  • develop central ICS resilience with the impact of loss or unavailability of critical ICS-wide systems understood and mitigations agreed

This will support leaders to:

  • ensure their organisation has a rehearsed plan for responding to and recovering from a cyber attack
  • engage with and understand outcomes from ‘lessons learnt’ from dry-run exercising and post-incident review
  • engage with national guidance to understand their responsibilities and support available in the event of a cyber event

This will support cyber professionals to:

  • lead on embedding a rehearsed plan for responding to and recovering from a cyber attack in their organisation
  • lead on organisation-wide incident response ‘dry run’ exercising
  • lead on implementing comprehensive and robust processes
  • actively monitor their organisation’s systems for cyber events, flagging any concerns as appropriate

User study: senior information security manager, ICB

We work hard to give clarity on processes of who does what in the event of an incident. While cyber problems have been around for a long time, the volume of attacks is increasing and we know we need to invest in resources to mitigate risks, for example improving our back-up processes.

We have to educate, continually improve, and learn lessons from each other and from other industries.

Measuring progress to cyber resilience

All the above commitments, expectations and outcomes together mean a health and social care sector that is resilient to cyber attack by 2030, ultimately making patients and service users safer and better cared for.

This vision for a health and social care sector that is resilient to cyber attack and its progress under the 5 pillars will be monitored for individual organisations using the DSPT and related CAF profiles. This will both demonstrate the successful impact of the strategy and highlight areas where particular focus is required.

Broader metrics, including key performance indicators (KPIs), will be necessary to understand sector-wide progress in building cyber resilience. Tracking metrics in this way will help drive continuous improvement, understand cyber maturity across the system and enable the rewarding of success in the spirit of a ‘just culture’.

Metrics will be understood through baselining of sector cyber maturity and defined in the implementation plan to follow this strategy.

Commitments and next steps

Publishing this strategy is one step to building cyber security resilience that can help keep patients and service users safe. As we work to deliver against the commitments we have made in this strategy, we will engage with organisations across health and social care through varying programmes and platforms.

In working towards the vision and aims of this strategy, national cyber security teams will:

  • continue to enhance the NHS England CSOC and develop a framework to support local security operations centres - by 2024
  • update the DSPT to reflect the CAF, empowering organisations to own their cyber risk - by 2025
  • provide funding for local cyber resource with national training support - by 2025
  • publish a comprehensive and data-led landscape review on the status of cyber security in adult social care, spending at least £15 million over the next 2 years in response to that review - by 2025
  • develop a product to map our most critical suppliers, engaging with them through dedicated channels and supply chain summit - by 2024
  • publish an implementation plan setting out planned activity for the next 2 to 3 years to support meeting the aims and goals of this strategy - by summer 2023