July 18, 2024

Supply Chain Security and the new Cyber Resilience Bill

Written by Chris Clinton

The King’s Speech called for immediate action to address cyber-related risks to Critical National Infrastructure, which are costing the UK an estimated £27bn annually. This issue is particularly pressing across the NHS supply chain, which has experienced a 300% rise in cyber incidents since 2019 and a 54% increase in high-severity alerts in the past year. The real-world impact is evident in the recent supply chain cyber-attack that forced several London hospitals to declare a critical incident, causing delays to surgeries and procedures.

As remote access solutions account for the largest number of security issues, it is vital that the digital health sector provides assurance and moves quickly to meet the measures included in the Bill.

The NHS relies heavily on innovative suppliers for its digital health infrastructure, and that reliance is driven by the industry itself, so raising awareness of the Bill and educating suppliers about it is critical to its swift success.

So, what can we expect? When will changes to legislation take place? And what can we do now to best prepare?

With cyber-attacks listed in the 2023 National Risk Register, the UK Government had already intended to update the Network and Information Systems (NIS) Regulations created in 2018. With the EU set to introduce the NIS2 Directive this October, this Bill will also clarify the cybersecurity and incident reporting obligations for organisations.

The current NIS regulations do not feature in many of the commissioning frameworks used within the NHS, in particular the DSPT. With the introduction of the Bill, it is imperative that NHS organisations consider building its requirements into commissioning.

However, the Bill also aims to alleviate some of the pressure on commissioning groups by strengthening the remit of regulators in this field. It specifically names the ICO, and potentially other well-placed organisations such as the National Cyber Security Centre (NCSC) or the Medicines and Healthcare products Regulatory Agency (MHRA).

A vital point here is for the NHS to move away from the self-assessment questionnaire approach used in Cyber Essentials and the Data Security and Protection Toolkit (DSPT). To strengthen its infrastructure, the NHS must verify that an organisation and its technology are actually performing as intended, rather than relying on what is declared on a form. Leveraging technology, including AI, to monitor the security and compliance posture of NHS suppliers in real time is essential.

The speech highlighted a pressing need, raising the question of whether this Bill may be fast-tracked. The cyber-attack on NHS London Trusts underscores the urgency for decisive action. However, considering the influx of new bills and the complexity of the issue, this may not be possible.

Whilst we watch, wait and contribute towards the new Cyber Security Bill as it takes shape and passes through legislation, it is important that we also act on the essence of the Bill by taking practical steps to support its mission.

The purpose of the legislation is to prevent cyber-attacks. However, we do not need to wait for a bill to strengthen resilience. Take steps today to minimise the vulnerabilities in your technology and organisation by meeting current security standards such as Cyber Essentials, the DSPT and the security criteria within DTAC.

Sign up for our next webinar, where we discuss what the new Bill might mean for standards like DSPT, Cyber Essentials and DTAC, and how digital health can support the NHS with its 2024 Winter Plan.