Cyber Security and Technical Assurance
About the work area
The Scottish Government Digital Health & Care Division actively promotes cyber security. Our goal is to reduce the risk of cyber-attacks and protect against the unauthorised exploitation of systems, networks and technologies. We promote best practice, regulatory requirements and international standards for the improvement of cyber security practices.
Legislative requirements, including the UK General Data Protection Regulation (GDPR), require all public sector organisations to ensure appropriate technical protections are in place when suppliers process personal data on our behalf. The Security of Network and Information Systems (NIS) Regulations require that a Competent Authority is in place to ensure that essential service sectors have robust cyber security.
Scottish Ministers are considered to be the Competent Authority for Health in Scotland and, as such, have a regulatory responsibility for oversight and enforcement of the NIS Regulations. All NHS Scotland health boards are considered to be Operators of Essential Services and therefore must comply with the standards set out in the NIS Regulations. The standards cover managing security risk, defending systems against cyber-attack, detecting cyber security events and minimising the impact of cyber security incidents.
What the work area does
The NIS Regulations are primarily aimed at improving cyber security, but they are not in themselves a cyber security law. They can relate to any ‘incident’ that has an impact on a service, where that impact produces a significant disruptive effect. This includes impacts that have ‘non-cyber’ causes, for example interruptions to power supplies or natural disasters such as flooding. The Scottish Government’s Digital Health & Care Division, on behalf of the Scottish Health Competent Authority, handles the operational duties and actively works towards ensuring that networks and information systems are resilient. This is a crucial part of protecting essential services.
The Scottish Government published the Cyber Resilience Public Sector Action Plan for all organisations in Scotland’s public sector, including Health. This plan, alongside a number of other actions, sets out the minimum standards for cyber security that public sector organisations are expected to meet.
Digital Health & Care engages regularly with relevant colleagues, such as the National Cyber Security Centre, to ensure that the latest standards, processes and threat analysis are met and made available to support the systems used to securely store patient identifiable data.
Example of work done
The Digital Health & Care Division, on behalf of the Scottish Health Competent Authority, conducts formal assessments and audits of health boards to obtain compliance assurance. These audits are structured in a manner consistent with the Public Sector Cyber Resilience Framework, which provides a structure for the conduct of the audit that allows us to evaluate the effectiveness of risk management, cyber security controls and governance processes. Ultimately the approach enables the health boards to obtain compliance assurance against the NIS Regulations.
From 2023, audits are structured against the revised Public Sector Cyber Resilience Framework which is due to be fully published by SG Cyber Resilience Unit later this year.
The Scottish Government is committed to improving cyber resilience within the NHS in Scotland. An example of the continuing improvements being made is the development of the NHS Scotland Cyber Centre of Excellence (CCoE), located within the Abertay cyberQuarter, Dundee, which will provide an agile response to the fast-moving cyber security threat landscape in which NHS Scotland operates.