On 29 January 2021, the Kemp Little team joined Deloitte Legal.

As of 30 January 2021, Kemp Little LLP ceased to operate as a firm of solicitors and practice law and ceased to be regulated and authorised by the Solicitors Regulation Authority.

Kemp Little LLP has been re-named KL Heritage LLP.

If you are looking to contact a specific individual to seek legal advice or in respect of any other business relationship, please contact Deloitte Legal.

If you are seeking to contact the old Kemp Little LLP in relation to a previous business relationship or matter, please get in touch with KL Heritage LLP.

For enquiries relating to Kemp Little technology products and training portal, please email deloittelegal@deloitte.co.uk

 


 

Kemp Little is a trade name used under licence by KL Heritage LLP (formerly Kemp Little LLP, registered number OC300242 and VAT number 182 8854 65).


All references to Kemp Little herein are references to KL Heritage LLP, which used to carry on business in that name.

KL Heritage LLP is not connected to or associated with Deloitte Legal or Deloitte LLP in any capacity.

 


Commercial technology · 9 April 2020 · Nia Thomas · Hayley Davis

NHS Information Security Audit delay increases cyber risk

Background

Covid-19 has posed what may be one of the biggest challenges faced by our NHS to date. With the pandemic demanding the attention of frontline workers and management alike, other pressing concerns have been pushed to the wayside. One matter that has temporarily been put “on hold” is the NHS’s annual security audits of its IT systems. NHS trusts do not need to complete their standard cyber security checks until September 2020, so that their managers can concentrate on handling the Covid-19 outbreak. These security checks usually include submitting data protection and security toolkits (DSPTs) to regulators, who determine organisations’ risk of cyberattacks.

The Risk

Although the decision is fairly understandable given the circumstances (for example, it will reduce some non-essential travel and contact, and allow resources to be allocated towards more time-critical issues in the wake of the pandemic), NHS Digital’s chief executive, Sarah Wilkinson, has warned about “opportunism” by cyber-attackers hoping to take advantage of the Covid-19 pandemic.

As cyber-attackers are known to have targeted several other institutions during this period, including HMRC and the WHO, one might consider that cyber security is even more important now. Given the high volume of data it holds, some of which is particularly valuable and/or sensitive, the NHS is far from immune to cyberattacks. In fact, the healthcare sector is one of the worst affected by data breaches.

The WannaCry ransomware attack of May 2017, in which 80 NHS trusts were seriously affected and 19,000 patient appointments were cancelled, brought the NHS’s vulnerability to cyber-attacks to light. This attack cost the NHS an estimated £92 million, the majority of which was spent recovering its IT systems. If a similar attack were to take place during the Covid-19 pandemic, the consequences could be economically and socially catastrophic.

Additional requirements

Since the WannaCry attacks, changes to regulatory frameworks have placed additional security requirements on organisations providing essential services (OESs), which include NHS trusts. The NIS Regulations, implemented in 2018, focus on the security of OESs’ IT systems. They include requirements such as implementing technical and organisational measures in information security systems to try to prevent security incidents, and they impose reporting requirements on OESs in the event of information security incidents. Breaches of the NIS Regulations may result in fines of up to £17 million. Furthermore, since many OESs are controllers of personal data, they may be liable under the Data Protection Act 2018 in addition to the NIS Regulations if they fail to sufficiently safeguard personal data, or if an information security breach also leads to a data breach. This could result in significant costs where liability arises under both regimes. Additionally, there are specific reporting requirements for security breaches under both regimes, responses to which could further stretch scarce NHS resources.

Practical solutions

The NHS’s statement re-confirmed the importance of remaining resilient to cyber-attacks during the period of the Covid-19 response. But whilst OESs are putting their cyber security audit submissions on the backburner, what can practically be done to minimise the risk of cyberattacks without overburdening the NHS’s management personnel?

With the majority of cyber breaches arising from human error, NHS trusts can send further warnings to staff about safe behaviours online, such as checking recipients, avoiding downloading suspicious attachments and avoiding forwarding suspicious emails to colleagues. Furthermore, NHS trusts can encourage IT departments to ensure systems are updated to deal with new vulnerabilities as they develop. However, NHS trusts should be aware of the potential risks, as well as the fact that the delay in the deadline to submit a DSPT is a temporary reprieve, not a substitute for fully implementing cyber security protections. Therefore, where NHS trusts can continue to test and implement cyber security measures without adversely affecting their response to the Covid-19 pandemic, they should do so.

For detailed information about how your organisation can implement effective cybersecurity measures, see our Cybersecurity Toolkit 
