New Contractual Cyber Security Standards For GP Practices

New contractual cyber security standards across England require GPs to appoint a named partner, board member or senior employee responsible for data and cyber security.

Rising patient expectations and increased online threats to the health service have forced the Department of Health and NHS England to introduce new data security requirements.

From 2018/2019, GPs across all primary care organisations in England are required to appoint a partner, board member or senior employee responsible for data and cyber security in their practice.

National Data Guardian Dame Fiona Caldicott recommended the adoption of 10 data security standards last year. Guidance published this week sets out the steps practices should take to meet the standards.

The guidance says that practices must comply as ‘part of the data security and protection requirements’ set out in their contracts. However, it adds that some of the requirements will be implemented by their commissioning organisation.

The Care Quality Commission will assess whether practices are following the standards when it considers data security during its inspections.

Data protection

New rules will also require practices to complete a checklist to make sure they comply with the new EU-wide General Data Protection Regulation (the GDPR). The regulation comes into force on May 25th 2018, together with a new Data Protection Act. The act will replace the current 1998 Data Protection Act and implement UK derogations under the GDPR.

However, some proposed derogations are causing controversy for primary care. The GDPR requires public authorities to appoint qualified data protection officers, and medical practices fall within the definition of 'public authorities'. In practice, employing a data protection officer could be costly for a practice. The new cyber security standards go some way towards dealing with this legal grey area.

The DH guidance also indicates that CCGs will have to ensure that technology suppliers undertake ‘on-site cyber and data security’ assessments in all supported practices. The guide will require practices to comply with the agreed action plans ‘to meet their contractual responsibilities described in the CCG-Practice Agreement’.

CCGs are also expected to identify any ‘unsupported systems’ in practices, which includes software, hardware and applications, and have a plan in place to ‘replace or actively mitigate and actively manage the risks associated’ with these.

Practices will be required to maintain a business continuity plan that includes details of how they plan to respond to data and cyber security incidents. They must also report data security incidents and near misses to CareCERT, the document says.

The 10 data standards

The National Data Guardian recommends 10 data standards which authorities now require all health and care organisations to follow.

  1. All staff make sure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
  2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
  3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised IG Toolkit.
  4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
  5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
  6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
  7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
  8. No unsupported operating systems, software or internet browsers are used within the IT estate.
  9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
  10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.