Healthcare cyber security and the GDPR: why compliance is critical for NHS organisations

With evolving cyber threats facing the NHS and other healthcare organisations, as seen in recent Petya and WannaCry ransomware attacks, and with the UK government promising patients secure healthcare services, addressing cyber security must be a priority for all organisations handling patient records and sensitive data. To keep pace with the digital landscape and address cyber security needs, compliance with the General Data Protection Regulation (GDPR) will be required from May 2018.

What the GDPR means for the NHS and healthcare organisations

The Regulation’s main objective is to strengthen data protection for individuals. It stresses that misusing healthcare data can have serious long-term repercussions for data subjects. In the event of a security breach, organisations that fail to demonstrate appropriate technical and organisational compliance with the Regulation can expect fines of up to 4% of annual global turnover or €20 million – whichever is greater.

The definition of ‘data breach’ includes data not being available for the purposes for which it was collected - a ransomware attack is a data breach because it means a patient’s operation has to be postponed. This will have to be reported, and could trigger a complaint from the data subject and legal action for damages against the controller and processor.

Immediate actions and first steps to complying with the GDPR

The GDPR provides guidelines and suggestions for data security actions that are “appropriate to the risks”, to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the availability of and access to personal data in a timely manner. It also encourages organisations to implement a process for regular testing to assess and evaluate the effectiveness of technical and organisational measures that ensure the security of the processing.

Healthcare organisations will be required to appoint a data protection officer (DPO) and report data breaches to the relevant authorities within 72 hours. Although initiating GDPR compliance is a decision made by senior management and the board, organisations will rely heavily on the DPO to perform a wide variety of tasks, such as educating employees, training staff who are involved in data processing and serving as a point of contact for the supervisory authority.

Essential services providers must also comply with the NIS Directive

The UK government has also confirmed that healthcare organisations will need to comply with the Network and Information Security (NIS) Directive, which is set to strengthen cyber security across sectors that rely heavily on information systems and technology to deliver essential services. The Directive sets specific requirements for breach reporting procedures and incident response management, and warns of additional fines for failing to prevent cyber breaches and implement appropriate protection mechanisms.

The NHS and healthcare organisations looking to achieve and maintain GDPR compliance can take advantage of IT Governance’s accredited GDPR training courses and qualifications, as well as GDPR books, documentation toolkits, compliance software and consultancy services.

To find out how IT Governance can help the NHS and healthcare organisations comply with the GDPR requirements, visit our website, email or call us.

0845 0701750

Supplier Profiles

MBF Hygiene Systems

MBF Hygiene Systems is a specialist hygiene wall cladding and ceiling installer.


Vital signs: London-based solar electricity installer Ecovolt has traded successfully since 2007,