On 6 July 2016 the EU adopted a Directive concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive, Directive (EU) 2016/1148). The final text is published in the Official Journal of the European Union.
Implications for the NHS
The Directive has implications for the NHS because the health sector is one of the sectors listed in its Annex II, and healthcare providers that Member States identify as operators of an ‘essential service’ fall within its scope. Such providers are required to take “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”.
What this means in practice is that EU governments must ensure that healthcare organisations take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used in the provision of their essential services, with a view to ensuring the continuity of those services. To support this, once the Directive has been transposed into national law, healthcare organisations must notify the national competent authority (or the national CSIRT), without undue delay, of any incident that has a significant impact on the continuity of the essential services they provide.
Healthcare providers’ compliance with this legislation will be assessed by their national competent authority, which has the power to require them to supply:
- the information necessary to assess the security of their network and information systems (including documented security policies);
- evidence of the effective implementation of those security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor (in the latter case, the results and the underlying evidence must be made available to the competent authority).
The UK, like every Member State, is required to lay down rules on penalties for infringements of the national provisions implementing the Directive, and the Directive states that those penalties must be “effective, proportionate and dissuasive.”
Much of this is in line with the recommendations of Dame Fiona Caldicott’s Review of Data Security, Consent and Opt-Outs.