Major trauma centres across England are to get access to a new fund of £21 million to tighten up their cyber security, the Department of Health has announced.
Twenty-seven hospitals will use the money, which is in addition to the £50 million investment already announced by the government, to modernise IT systems, fund staff training, and strengthen defences against a cyber attack.
The move - which follows the recent WannaCry ransomware outbreak that took down computers in several organisations around the globe, including the NHS - forms part of the government’s long-awaited response to the Caldicott review of data security.
The government says it accepts all ten of the data security standards recommended by last year’s report, including measures to protect systems against data breaches, ensuring NHS leadership takes ownership and responsibility for data security, and a new consent/opt-out model that gives patients a less complex choice about how their personal confidential information is used.
Under the plans, new data protection legislation is to be introduced from May 2018 to allow for stronger penalties for data breaches and reckless or deliberate misuse of information, while the Care Quality Commission will weave cyber-security into its programme of inspections from September this year to ensure data security standards are being adhered to.
There is also a new requirement for each organisation to assign responsibility for cyber security to an executive board member, and for significant cyber attacks to be reported to CareCERT (Care Computer Emergency Response Team, set up to provide advice and support on cyber security threats) as soon as possible after being detected.
NHS Digital will support the new data security standards and signpost health and care organisations to tools to identify potential vulnerabilities through the redesigned Information Governance Toolkit and the associated CareCERT suite of services, and will develop and implement a mechanism to de-identify data on collection from GP practices by September 2019.
“With the growing threat of cyber attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS,” said Health Minister Lord O’Shaughnessy.
“Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”
Patient data pressure group medConfidential says it is “cautiously positive” that the government’s response would help see patient data properly protected.
“We welcome the clear commitment that patients will know how their medical records have been used, both for direct care and beyond. This commitment means that patients will have an evidence base to reassure them that their wishes have been honoured,” said Phil Booth, Coordinator of medConfidential.
“Some of the details remain to be worked out, but there is a clear commitment from the Secretary of State… It is now up to NHS Digital and NHS England to deliver.”
Former health minister Lord Darzi, director of the Institute of Global Health Innovation at Imperial College London, also backed the measures, noting that they strike “the right balance between the interests of patients, the NHS and medical science”, reports The Telegraph.