Good governance: the role of non-executive directors in addressing cyber security risks in a healthcare organisation

Date published

18/08/2022

Services

Sectors

Locations

Digital technology and data remain an increasingly significant and ever-evolving part of the delivery of modern health and care services. To address the risks posed to cyber security, there are a number of important considerations for healthcare organisations.  

As set out in ‘Cyber Security Guide for NHS Non-Executive Directors: Balancing Risks’, published in November 2021, (the Guide), “non-executive directors (NEDs) on NHS Boards have a vital role to play in providing independent oversight”, so as to help their Board understand what cyber security risks the organisation is exposed to.

As the digital healthcare journey continues, patient safety and care must remain the primary focus. Falling squarely within that is the importance of cyber security. Having worked with others within NHS Digital, and with NHSX to produce the Guide, John Noble CBE, Non-Executive Director at NHS Digital, observed that good cyber security is a “fundamental element of patient care”.

Executive and non-executive directors have no legal distinction in terms of their legal duties, responsibilities and exposure to liabilities. This would include liabilities posed via cyber attacks. 

Guidance for NHS NEDs

The Guide aims to help NHS NEDs “understand how cyber security could affect their own NHS organisation and how to become more resilient to cyber threats and attacks”.

It isolates key elements for Board consideration, which a view will need to be taken on in terms of strategy, resourcing and monitoring. NEDs can adopt this Guide as part of their role in governance. 

Building on cyber attack experience, from NHS Digital’s Cyber Security Operations Centre (CSOC) and the National Cyber Security Centre (NCSC), the Guide highlights resources available to help NHS Boards, poses questions for IT security teams and sets out how resilience can be improved.

The Guide sets out questions that Boards should ask. This builds on the NCSC Board Toolkit and by way of example, set out below are some of the questions that fall within the key areas of ‘technology’ and ‘people’ and the assurances that will need to be sought in relation to ‘resilience’:

Technology

  • “How does our organisation control the use of privileged IT accounts?”
  • “What authentication methods are used to control access to systems and data?”

People

  • “Does the organisation have the right cyber security culture and capability to manage the risk?”
  • “How experienced and capable is our cyber security team?”

Resilience

The Board will need to be assured that there “is a secure offline back-up and that the IT team have practised recovery from it” and know when the Incident Management Plan and Business Continuity Plan was last reviewed and exercised.

The Guide also highlights that further help and guidance is available via “a dedicated NHS cyber security subject matter expert” for each region (i.e., NHS Digital’s Regional Security Leads).

Comment

What an NED can bring to a Board in supporting the above, is their independence, significant experience and personal qualities. These elements, combined with any specialist knowledge, should lead to the right questions being asked, providing valuable insight from outside the healthcare provider.

Further, once a strategy has been adopted and objectives set, it might well be that responsibility is taken by one or more NED to monitor the performance of what has been put in place.

The responsibility for cyber security rests with every person within the healthcare organisation. However, it is the Board that, as Mr Noble says, “have a key role to play in assuring that IT systems are available and sensitive patient data is protected”.

Boards are accountable for managing cyber risks and healthcare providers are potentially liable for the outcome when such risks materialise. NEDs are often reliant on technical staff within organisations when assessing, commenting on and supporting the agreed risk management strategy.

Whilst vulnerabilities in cyber security pose a significant risk to clinical care and will remain high on the list of priorities of those with overall responsibility, this Guide provides a meaningful, and helpful, basis from which to build, to ensure safer patient care.

Related items: