Press release

Government sets out strategy to protect NHS from cyber attacks

The government will provide a plan to promote cyber resilience across the health and care sectors by 2030, protecting both services and patients.

This was published under the 2022 to 2024 Sunak Conservative government
  • New strategy sets out 5 key ways to build cyber resilience in health and care by 2030
  • Cyber strategy will protect health and adult social care functions and services, which the whole nation depends on
  • Part of government’s commitment to build a stronger, more sustainable NHS for the future

Patients will benefit from bolstered protection to the nation’s health and adult social care services as a new cyber security strategy for England is published today.

The cyber security strategy for health and adult social care sets out a plan to promote cyber resilience across the sector by 2030, protecting services and the patients they support.

This will ensure services are better protected from cyber threats, further securing sensitive information and ensuring patients can continue accessing care safely as the NHS continues to cut waiting lists.

Technology is transforming how people access health and care services and information. Over 40 million people now have an NHS login, helping them book appointments, track referrals and order medications online. Over 50% of social care providers now use a digital social care record, helping staff share vital information about the people they care for. As digital systems are adopted to improve health and care services for people across the country, it is vital the health and care sector has the tools it needs to better protect patients’ information.

This new strategy will ensure health and adult social care organisations across England are set up to meet the challenges of the future - from identifying areas in the sector which are most vulnerable, to better utilising resources and expertise across the country to defend against cyber attacks.

Health Minister Lord Markham said:

We’re harnessing the power of technology to deliver better, safer care to people across the country - but at the same time it’s crucial we’re also bolstering the defences of our health and care services.

This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future.

This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre.

The health and social care sector has made good progress in recent years, by using the increasing number of cyber defence and response tools it has at its disposal. The sector is now much better protected from attacks than it was at the time of the WannaCry cyber attack in 2017.

NHS trusts now benefit from a direct link to NHS England’s Cyber Security Operations Centre (CSOC), providing real-time protection of any suspicious activity to approximately 1.7 million devices across the NHS network. Around 21 million malicious emails are also blocked every month.

The vision includes 5 key pillars to minimise the risk of cyber attacks and other cyber security issues, and to improve response and recovery following any incidents across health and social care systems including for adult social care, primary and secondary care. This includes:

  • identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function.
  • uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimising disruption.
  • building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognised, and relevant cyber basics training is offered to the general workforce
  • embedding security into the framework of emerging technology to better protect it against cyber threat
  • supporting every health and care organisation to minimise the impact and recovery time of a cyber incident

A full implementation plan will be published in summer 2023 setting out detailed activities and defining metrics to build and measure resilience over the next 2 to 3 years.

National cyber security teams will also work closely with local and regional health and care organisations to achieve the visions and aims of the strategy. This work will include enhancing the NHS England CSOC, publishing a comprehensive and data-led landscape review of cyber security in adult social care, and updating the Data Security and Protection Toolkit (DSPT) to empower organisations to own their cyber risk.

Updates to this page

Published 22 March 2023