From June, NHS England trusts will be required to follow a new set of cybersecurity guidelines based on the National Cyber Security Centre’s advanced Cyber Assessment Framework (CAF). The Department of Health and Social Care’s aim is to move NHS England from baseline cybersecurity to a more robust strategy for future resilience.

But timelines are tight, with the changes only being announced in September 2024 and compliance required by 30 June 2025. If trusts do not comply in a timely manner, they will face reputational damage and could lose out on potential cybersecurity funding in the future. Complying well before the deadline, on the other hand, will give them an opportunity to become a cybersecurity leader within the NHS, and a valuable resource for other trusts to look to.
Here we look at the actions trusts should be taking immediately to prepare themselves for CAF adoption.
What is CAF?
CAF is not designed to replace any existing frameworks. Instead, it should be integrated alongside existing policies and controls to enhance a trust’s security profile.
The framework takes a holistic approach to cybersecurity and consists of five key pillars covering the entire gamut of security:
- Governance: Establishing clear policies, roles, and risk management processes. Trusts must now provide detailed evidence of systems testing, risk mitigation plans and supply chain security assessments.
- Protection: Ensuring the confidentiality, integrity, and availability of systems and data. This includes technical controls like network segmentation, encryption and multifactor authentication.
- Detect and Respond: Implementing robust monitoring and incident response mechanisms. This includes organisational measures like response planning and technical measures like threat detection systems.
- Resilience: Maintaining operational continuity during and after cyber incidents, including having strong recovery capabilities in place.
- Legislation: Ensuring that information is used and shared lawfully and appropriately.
This means that achieving compliance will require trusts to think through every single aspect of their cybersecurity infrastructure.
Where to start with CAF
The first thing trusts need to do is perform a check-up on their existing cyber resilience. They can then determine how much they already align with CAF’s pillars. The starting point should be to assess whether they are following these key principles:
- Document all data: Trusts should be documenting all personal data they hold – including where it came from, who it is shared with and what is done with it. Gaps in data security measures can easily emerge without comprehensive visibility over information assets and how they’re being used.
- Support staff in cyber security literacy: Trusts should ensure there is a data protection and security induction in place for all new entrants to the organisation, plus a programme for continued professional development. Even a basic level of cyber security literacy can help thwart common attack tactics like social engineering.
- All technologies must be ‘secure by design’: When procuring or developing any software or system for use in healthcare, ensure security is baked in at the foundational level of design rather than tacked on at later stages. Recommended practices include encrypting data, using two-factor authentication, timely patching, and fine-grained access control.
- Test and improve cyber incident response: Trusts should be constantly testing and refining their incident response plans. With patient lives on the line, it’s vital that they are able to respond to any security incidents rapidly. Strategies for improvement should involve benchmarking performance using industry surveys and collecting response time metrics for each cyber incident.
Strategies for adoption
Once trusts are confident they have a strong baseline to work from, they must turn their attention to meeting CAF’s requirements.
CAF is an extensive framework, and no doubt teams will have many questions about how it functions and how best to achieve each of its objectives. Managers should be actively encouraging their whole organisation to question the process in this way from the start, since this will actively promote the culture of security that is so critical to CAF. They don’t have to provide answers right away, but these questions will be helpful in guiding implementation going forward.
Trusts also need to be honest when completing their initial CAF compliance self-assessments. Trusts might feel under pressure to make the assessments appear as positive as possible, but while a negative self-assessment can be painful, it is vital to be honest about where they stand on cyber resilience so that they can identify the correct problems early on and have the proper context within which to address them.
Likewise, trusts should not expect to become cybersecurity experts overnight – nor do they have the resources to hire significant numbers of new cybersecurity staff. In the early stages of building resilience, it will be vital to work with third-party organisations who specialise in this area and can rapidly get to grips with more advanced cybersecurity requirements.
Change is possible
If NHS trusts are to fully comply with CAF, there will be much more work to do. But from the start, they need to be honest about their current cybersecurity capabilities and engage with the entire organisation to identify pain points. This will enable trusts to quickly build momentum for improvements, and allow them to bring in security partners to focus on more advanced requirements.
Always remember: cyber maturity is a journey rather than a destination. Attacks will continue to evolve, and there will always be ways to improve resilience. CAF can only be a positive thing for the NHS, and trusts should be embracing the framework enthusiastically. This is a golden opportunity to reset their cyber security compliance and lead the way in protecting patient data from advanced attacks.