The Department of Health and Social Care has published an updated guide for designated operators of essential services for healthcare in England explaining the practical impact of the NIS Regulations.
While not all health and care organisations are in scope for the NIS Regulations, all organisations with access to NHS patient data and NHS systems are held to high standards that reflect the sensitivity of data and criticality of network and information systems in health and care. For example, all organisations with access to NHS patient data and systems, regardless of whether they are in scope of the NIS Regulations, are required under UK GDPR to report personal data breaches and this should be done through the DSPT incident reporting tool which also notifies the ICO.
The NIS Regulations require operators of essential services to take appropriate and proportionate technical and organisational measures to:
- manage risks posed to the security of the network and information systems, ensuring a level of security of network and information systems appropriate to the risk posed;
- prevent and minimise the impact of incidents, ensuring the continuity of services;
- report any incident which has an adverse effect on the security of network and information systems and which has a significant impact on the continuity of an essential service.
Any service provided by an Integrated Care Board (ICB) (including the making of arrangements for the provision of services by others) is deemed to be an essential service. An ICB’s obligations under the NIS Regulations are therefore relevant to all the services it provides, such as those supporting the ICB’s responsibilities in arranging and funding continuing healthcare, including any services it provides that are outsourced to a third party.
Operators of essential services must report any incident that has a significant impact on the continuity of the essential service they provide. An incident is defined in the regulations as any event having an actual adverse effect on the security of the network and information systems. This includes incidents that significantly impact third-party suppliers on which operators rely to provide their essential services.
The current thresholds set for the health sector definition of significant impact, for the purposes of the NIS Regulations, are available in the guidance at table 1. This includes incidents which are more likely to occur in a social care setting, such as where:
| Incident category | Criteria for incident threshold | Type of operator the incident category applies to | Rationale |
|---|---|---|---|
| Community care appointments cancelled | 1,500 | Trust or independent provider | City, 1% of population, 12 hours |
| Non-availability of drugs and/or medical devices | Greater than 24 hours | Trust or independent provider | City, 1% of population, 24 hours |
Network and information systems incidents must be reported via the DSPT incident notification tool without undue delay, and in any event no later than 72 hours after the operator became aware of the network and information systems incident. Further guidance is available online through the DSPT on incident reporting under the NIS Regulations (and UK GDPR), including the downloadable Guide to the Notification of Data Security and Protection Incidents.
The intended audience for the updated guide reaches beyond cyber and IT professionals. Chief executive officers, senior information risk officers, chief information officers, chief finance officers (or equivalents) and other board members should also be aware of their obligations, as should staff working across the organisation. Operators of essential services are encouraged to make use of nationally provided tools and assessments such as (but not limited to) central Cyber Security Operations Centre monitoring where offered; enforcement action may be taken regarding uptake in certain instances.