GCHQ granted powers over NHS IT systems during Covid-19 outbreak
- 1 May 2020
The UK’s intelligence and security organisation has been granted access to information from NHS IT systems during the Covid-19 pandemic.
Government Communication Headquarters (GCHQ) was granted additional powers by health secretary Matt Hancock in April, allowing them to request from the NHS anything “relating to the security of any network and information system”.
The extra powers will remain in place until 31 December 2020, according to a government document published last month.
The apparent attempt to bolster cyber security during the outbreak would allow GCHQ to request information held by or on behalf of the NHS and supports the provision of NHS services related to coronavirus for the purpose of “supporting and maintaining the security of any network and information system”.
A spokesperson for the National Cyber Security Centre (NCSC), part of GCHQ, said the directions “give us consent to check the security of NHS IT systems”.
“This is part of our ongoing commitment to protect health services during the coronavirus pandemic,” they added.
“We have no desire to receive any patient data, and the directions do not seek to authorise this.”
It comes as the NCSC warned of a rise in Covid-19 related malicious cyber activity.
“In the UK, the NCSC has detected more UK government branded scams relating to Covid-19 than any other subject,” a statement from the organisation said.
Both the NCSC and the US Department of Homeland Security have noted a growing use of Covid-19 themes from cyber attackers, though the overall levels of cyber crime has not increased.
The onset of Covid-19 rapidly accelerated the uptake of some digital services, such as remote consultation, but put other targets on the backbench.
In March NHS Digital and NHSX extended the deadline for the national data opt-out by six months to allow NHS organisations to focus on the outbreak.
A letter sent to NHS staff said the deadline by which health and social care organisations must comply with the opt-out policy would be moved from March to September.
Speaking to Digital Health News, NHS Digital chief Sarah Wilkinson said some of the technology rolled out at scale was “here to stay”.
However, she said other “arrangements” which have been brought in during the pandemic, including data sharing, will have to be reviewed.