Government extends GCHQ powers over NHS IT systems
In April 2020, Government Communications Headquarters (GCHQ) were given access to information relating to the security of NHS networks and information
systems, in order to strengthen the NHS’s cyber defences, amid warnings of a growing trend in COVID-19 themed cyber attacks.
Initially this authorisation, given by former health secretary Matt Hancock, which grants GCHQ powers it did not have previously (under the Computer Misuse Act 1990), was only due to stay in place until the end of 2020, but it was extended to the end of June 2021, and has since been extended again to the end of 2021. The directive, signed by the health secretary, states that during the COVID-19 crisis “the network and information systems held by or on behalf of the NHS in
England, or those bodies which provision public health services in England, must be protected to ensure those systems continue to function to support the
provision of services intended to address Coronavirus”.
The attempt to bolster cyber security during the pandemic allows GCHQ to request information held by or on behalf of the NHS and supports the provision of NHS services related to coronavirus for the purpose of “supporting and maintaining the security of any network and information system”.
The powers also cover networks and information systems which, if their security is impaired, affects the ability of the NHS to provide COVID-19 services. Additionally, whilst there may have been some initial unease about whether the directive authorised the sharing of patient data, or may in future, a spokesperson
from the National Cyber Security Centre (NCSC) confirmed “We have no desire to receive any patient data, and the directions do not seek to authorise this”.