Health firms could face £17m fines for having weak IT security systems

by Julia Gregory
29 January 2018

Health firms could face fines of up to £17 million if they do not have robust cyber security measures.

The government announced the move today (29 January) in a bid to protect essential services from malicious attacks.

It follows the WannaCry malware assault last May – the biggest cyber attack on the NHS to date. NHS England estimated that 19,000 appointments were affected, including 6,912 cancellations.

The new security guidance, as part of the government’s five-year £1.9 billion National Cyber Security Strategy, aims to beef up protection from cyber attacks.

New regulators will assess ‘critical industries’, including health, water, energy and transport, to gauge their risk.

New security steps

Guidelines published by the National Cyber Security Centre (NCSC) look at managing the security risk, protecting against cyber attack, detecting incidents and minimising their impact.

Moves also include a new reporting system, designed to make it easier to flag up cyber breaches and IT failures so they can be dealt with quickly.

The government hopes this would ensure essential services ‘are prepared to deal with the increasing number of cyber threats’.

It will cover other IT problems such as power outages, hardware failures and environmental hazards.

Cyber breaches, like the WannaCry attack, will be covered by the Network and Information Systems (NIS) Directive.

A National Audit Office report into WannaCry last year said it was a ‘relatively unsophisticated attack’ but organisations infected by the malware ‘could have taken relatively simple action to protect themselves.’