Ahead of our Cyber Security Spotlight event in February, I was asked to share some thoughts on what I think 2023 might bring to the health and care sector.
1. Regulation and governance
Already this year, we've seen Phil Huggins appointed as the new National Chief Information Security Officer (CISO) for health and social care. Phil has already been busy and has written to senior leaders within integrated care systems about their obligations under the Network and Information Systems (NIS) regulations.
There has already been good progress in integrating cyber security requirements into the latest Data Security and Protection Toolkit, and I expect this to continue too.
With clearer expectations around NIS and further integration of the Data Security and Protection Toolkit, many organisations will need to commit time to this area throughout 2023.
2. Workforce
You don’t need me to tell you that there aren’t enough people with cyber security skills in health and care. Indeed, it’s not just health and care that suffers from that challenge, so we’re going to have to think differently. There were some really promising signs in 2022 in terms of the intention to grow our own information security talent in health and care.
I’ve had a sneak peek at some of the national strategies to 2030 and I'm really excited to see a big focus on how we can develop the workforce. Of course, the challenge will be to retain people in the long term, considering just how competitive the market is.
This mirrors the approach we’ve taken at SCW over the past four years, where we have invested in the training and development of specialist skills within our team.
3. Supply chain
I’ve been lucky enough to do lots of Digital Technology Assessment Criteria (DTAC) assessments in the past year or so, and it is great to see so many new solutions coming to the market. Over time I’ve seen the compliance with the DTAC requirements improve significantly, but there have been some really surprising conversations about why you should have an annual penetration test, or why it’s important to be able to demonstrate you have organisational controls aligned with a recognised framework.
The key thing I’ve learned from doing these assessments is never to assume that the company you’re working with meets basic security standards just because another NHS organisation is using the product. To quote a Russian proverb, ‘Doveryai, no proveryai’: ‘Trust, but verify’.
4. Multi-factor authentication
We’ve already seen a push on this by NHS Digital (now NHS England) in 2022 for the NHSmail service. Now that the central authority for policy and delivery is aligned under the same roof, I’d expect a much stronger push on the roll-out of multi-factor authentication in 2023.
My personal recommendation is to try to get ahead of this one as soon as possible if you don’t already have it handled. For many organisations it will be tricky to deliver in clinical settings, and nobody wants to be doing this in a hurry!
5. Impact of cloud-first
Not many health and care organisations have gone very deep into public cloud just yet: around 10%, according to a recent blog from NHS Digital. However, there is a growing trend towards that way of working. A key concern for cloud is finding the right balance between supporting agility, whereby services can be stood up quickly, and governance, to ensure that security and financial aspects have appropriate controls in place.
There's also a risk here that organisations assume cloud is automatically secure. I fear that we may see some incidents occurring because of this naïve thinking. Within SCW we’ve been spending time on our cloud landing zone and the associated security controls to get a handle on these risks.