The Government has published its response to the consultation on the NIS Directive. This note highlights the key changes that will impact healthcare companies falling within the scope of the NIS Directive.
The sanctions regime has been clarified, with a single maximum financial penalty of £17m to cover all contraventions.
The Government has proposed that the Secretary of State for Health (supported by NHS Digital) will be the Competent Authority for the healthcare sector.
The Secretary of State for Health will have a degree of flexibility in deciding what level of fine is proportionate and reasonable in the circumstances and will be encouraged to take into account the potential for "double jeopardy" under different regimes, such as the General Data Protection Regulation (GDPR). That being said, the Government has acknowledged that penalising the same event under different regimes may be appropriate where the penalties "relate to different aspects of the wrongdoing and different impacts". Further guidance is expected to be published on this point before May 2018.
The definition of an "Operator of Essential Service" (OES), and the identification thresholds that determine who falls within the scope of the NIS Directive's requirements, have been updated in the Government's response to the consultation. It was originally proposed that the NIS Directive would apply to NHS Trusts and Foundation Trusts in England; however, the consultation response now proposes that the NIS Directive should apply to providers of "non-primary NHS healthcare commissioned under the National Health Service Act 2006", but specifically excludes any individual doctors providing such healthcare.
The Government has updated the 14 proposed high-level security principles (listed below). These provide further guidance on what is expected of an OES under the NIS Directive. The updated principles are still broad, and leave the OES to determine which security measures are appropriate, taking into account the circumstances of that organisation.
The updated principles place greater emphasis on ensuring that all levels of the organisation understand the cyber security risks the OES faces and the security measures it has in place. It is clear that superficial "fixes" will not be satisfactory under the NIS Directive; the obligation extends to ensuring that employees have the information, knowledge and skills they need to support the security of networks and information systems.
The National Cyber Security Centre (NCSC) has published supplementary guidance, and we expect that the initial version of the NIS "Cyber Assessment Framework" (CAF), which is due to be published in Spring 2018, will provide further granularity.
The Secretary of State for Health will be responsible for publishing the incident reporting thresholds before May 2018, which will apply to OES in the healthcare sector. We expect the thresholds to be based on:
- the number of users affected by the disruption of the essential service;
- the likely or actual duration of the incident; and
- the area affected by the incident.
All NIS incidents meeting the reporting threshold should be reported to the Secretary of State for Health within 72 hours.
NCSC will be responsible for incident response support only for cyber-related incidents; response support for non-cyber or resilience incidents will be provided by the Secretary of State for Health.
Each OES is responsible for ensuring (through contractual arrangements such as KPIs and audit rights) that its suppliers have appropriate measures in place. A blanket approach is unlikely to be acceptable: the NCSC guidance warns against forcing all suppliers to deliver the same set of security requirements where that is not proportionate or justified.
An OES remains accountable for the protection of any essential service, even if it relies on a third party to provide technology services. Although the Secretary of State for Health will not be enforcing NIS requirements on the supply chain of an OES, there is currently nothing preventing an OES from "flowing down" its liability under this regime to its suppliers.
A) Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services.
A.1 Governance: The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
A.2 Risk Management: The organisation takes appropriate steps to identify, assess and understand security risks to network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.
A.3 Asset Management: Everything required to deliver, maintain or support networks and information systems for essential services is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
A.4 Supply Chain: The organisation understands and manages security risks to the network and information systems supporting the delivery of essential services that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
B) Proportionate security measures in place to protect essential services and systems from cyber-attack or system failures.
B.1 Service Protection Policies and Processes: The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support delivery of essential services.
B.2 Identity & Access Control: The organisation understands, documents and manages access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.
B.3 Data Security: Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause disruption to essential services. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the delivery of essential services. It also covers information that would assist an attacker, such as design details of networks and information systems.
B.4 System Security: Network and information systems and technology critical for the delivery of essential services are protected from cyber-attack. An organisational understanding of risk to essential services informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
B.5 Resilient Networks & Systems: The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the delivery of essential services.
B.6 Staff Awareness & Training: Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the delivery of essential services.
C) Appropriate capabilities to ensure network and information system security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.
C.1 Security Monitoring: The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the on-going effectiveness of protective security measures.
C.2 Proactive Security Event Discovery: The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the delivery of essential services, even when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployed).
D) Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services including the restoration of those services where necessary.
D.1 Response and Recovery Planning: (i) There are well-defined and tested incident management processes in place, that aim to ensure continuity of essential services in the event of system or service failure; and (ii) Mitigation activities designed to contain or limit the impact of compromise are also in place.
D.2 Lessons Learned: When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.