NHS patient data security is to be tightened after cyberattack

BMJ 2017; 358 doi: (Published 14 July 2017) Cite this as: BMJ 2017;358:j3412
Adrian O’Dowd, London

Systems to protect patients’ data are to be tightened in England, with extra funding to boost cybersecurity, harsher penalties for security lapses, and the promise of a new system allowing patients to opt out of having their data shared.

The government has announced a series of steps to improve data handling in the NHS and security of information in the wake of the WannaCry “ransomware” cyberattack in May that paralysed NHS information technology systems across dozens of organisations in England and Scotland.1

Doctors’ leaders have broadly welcomed the new approach but raised concerns over how the planned new opt-out system would affect patients who have already officially instructed GPs not to allow their data to be shared.

The Department of Health of England published its Your Data: Better Security, Better Choice, Better Care report on 12 July,2 as its official response to the national data guardian Fiona Caldicott’s review on data sharing, published in July last year.3

In its response the health department accepted all of Caldicott’s recommendations and said that spending on data and cybersecurity would be boosted to more than £50m (€56m; $64m) between now and 2020. This would now include an additional £21m capital fund for major trauma centres across England, it said.

Other measures outlined in the report include:

  • New regulatory scrutiny by the Care Quality Commission of NHS trusts’ data security

  • Stronger sanctions introduced by May 2018 to protect anonymised data

  • Putting on a statutory footing the position of national data guardian for health and care

  • Broadcasting alerts about cyberthreats

  • Setting up a hotline to deal with incidents, and

  • NHS Digital carrying out onsite assessments.

One of the key changes is to give patients and the general public more access to, and control over, their personal data, with a say in whether data could be used for research purposes, but precise details have yet to be finalised.

A new national scheme will be phased in from May next year, with the aim of it being fully implemented by 2020.

The health department’s report said that patients who had already chosen to opt out of their data being shared outside their general practice would have their choice honoured until 2020.

The health minister James O’Shaughnessy said, “Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”

The BMA welcomed the report’s focus on cybersecurity and implementation of more suitable standards on data security.

John Chisholm, chair of the BMA’s medical ethics committee, said, “There are many potential benefits in sharing data for medical research and improving clinical care.

“However, doctors have serious concerns about the removal of patients’ right to opt out of having their details sent from their GP surgery to NHS Digital, without first putting in place the necessary protections and guarantees about how this information will be used.

“If patients don’t have confidence in the system, not only does it damage the doctor-patient relationship, there is also a real risk that some will be put off visiting their GP.”

Helen Stokes-Lampard, chair of the Royal College of General Practitioners, said, “GPs are some of the most trusted healthcare professionals in the NHS, and this trust must extend to the way in which we use information about our patients’ health. We are confident that the plans in this report, if implemented effectively, will be a positive step forward to ensuring this.”
