NHS Wales. Dr Carwyn Lloyd-Jones


Transcription:

NHS Wales Dr Carwyn Lloyd-Jones


NHS Wales
- Provision of National Health Services in Wales is devolved to Welsh Government
- Policy/Strategy in England does not apply in Wales
- Budget into Wales is calculated according to the Barnett formula
- 10 legal entities: 7 x Local Health Boards; 3 x all-Wales Trusts (Ambulance, Velindre (Cancer) and Public Health)
- NHS Wales does not exist as an entity
- Public don't care about organisational boundaries. They just see the NHS

NHS Wales
- 20 x large hospital sites
- Lots of community hospitals/clinics
- 440 GP practices, 600 sites
- 15 IT departments
- 90,000 users
- 65,000 computers
- 5,000 servers
- 1,000s of IoT devices
- 1 network, with connections to N3, UAs, Welsh Gov, etc.
- 1 Active Directory domain (almost)

NHS Wales Informatics Service
- National IT + Information organisation for NHS Wales
- >600 staff, 5 offices
- Provide ~100 systems/services to NHS Wales orgs:
  - Clinical systems: Pathology, Radiology, Cancer, etc.
  - Infrastructure services: AD, DNS, Internet, Email, Skype, etc.
  - Security services
- Manage all IT in GP practices across Wales: 10,000 PCs, 12,000 users
- Provide IT services to small NHS organisations
- 2,000 servers; 2 data centres + smaller server rooms
- Hosted by Velindre NHS Trust

WannaCry

Cyber Security in NHS Wales - The strategic challenges
Dr Carwyn Lloyd-Jones

Summary
- Who is responsible?
- Coordination across the UK
- GDPR and NIS-D
- Staffing
- Investment
- All-Wales initiatives under way

Who is responsible?

Quick recap
- 20 x large hospital sites
- Lots of community hospitals/clinics
- 440 GP practices, 600 sites
- 15 IT departments
- 90,000 users
- 65,000 computers
- 5,000 servers
- 1,000s of IoT devices
- 1 network, with connections to N3, UAs, Welsh Gov, etc.
- 1 Active Directory domain (almost)

Who is responsible?
- 10 x legal entities? Chief Execs / SIROs / Associate Directors for IT?
- 15 x IT departments?
- NWIS?
- Welsh Government: Cabinet Secretary (Minister)? Civil Service?
- NHS Digital?
- National Cyber Security Centre?

Who is responsible?
- Technically = 10 x legal entities. These would be the people that get the fines from the ICO.
- In practice, we work collaboratively across the various organisations.
- The challenge is not unique to Cyber Security. The same challenges exist for measles outbreaks, major incidents, etc.
- Not always easy: different orgs have different risk appetites; different people have different views.
- However, it is a small community: <15 significant IT departments.
- Having capable and trusted leaders is critical.

Operational / Strategic Governance
Cyber security is on the agenda at all levels of NHS Wales:
- Welsh Government
- National Informatics Management Board
- SIRO peer group
- Associate Directors of Informatics
- Infrastructure Management Board
- Operational Security Services Management Board
- + others

Coordination across the UK
- Cyber attacks/threats have no boundaries.
- NHS Wales network is connected to the N3 network in England, which is connected to Scotland, Northern Ireland, Isle of Man, etc.
- NWIS co-ordinate the response in Wales, liaising with CymruWARP and Unitary Authorities.

GDPR and NIS-D
- General Data Protection Regulation comes into force in May 2018
- Replaces the Data Protection Act (1998)
- More responsibilities
- Bigger fines
- Tighter timelines for reporting (72 hours)
- Fine for not reporting: 10 million Euros or 2 per cent of your global turnover
- Maximum fines of 20m or 4% of global turnover

NIS Directive
- Directive with the aim of increasing the security of Network and Information Systems (NIS) within the European Union (EU)
- Applies to Operators of Essential Services (OES):
  - Water companies, Energy companies, Oil/Gas distribution
  - Transport: Rail, Air, Maritime
  - Local Health Boards and NHS Trusts in Wales
- Comes into the UK May 2018
- Maximum fines of 20m or 4% of global turnover

Staffing
- General shortage of good IT staff in Wales
- NHS salaries cannot compete with the private sector
- But, lots of benefits: pension, flexible working, etc.
- Public Sector Bodies keep poaching candidates from each other
- Even bigger challenge for Cyber Security: very difficult to recruit suitably skilled candidates
- Looking at various options:
  - Working with Universities: placements, projects, etc.
  - Training other staff who want to work in Cyber Security
  - Outsourcing certain elements to the private sector

Investment
- Public sector purse is not full right now.
- However, WG and the Cabinet Secretary have been and are investing in Cyber.
- Most goes on replacing old equipment.

NHS Wales Cyber Security Initiatives
- Welsh Cyber Assurance Programme, including an external review of controls and capabilities
- Development of minimum standards for NHS Wales
- Strengthening our Cyber Security Incident Response Plans: lessons learnt from WannaCry
- Developing a cloud policy for NHS Wales: piloting (12,000 users!) with Office 365
- Security Monitoring (SIEM)
- Developing improved Security Awareness materials/processes
- Enhanced testing of backup/restore/DR processes
- Strengthening contractual arrangements with 3rd party suppliers

Questions?
Thank you for listening