Regulatory and cyber security
Our vision for cyber resilience and vulnerability management is to prevent problems before they happen.
We achieve this through various methods including rigorous procurement that adheres to national standards and frameworks, adherence with NIS (Network and Information Systems) and CRF (Cyber Resilience Framework) regulatory compliance. This ensures we achieve assurance across our security architecture including the suppliers we work with and any system, service, or solution we procure.
Regulatory compliance with NIS/CRF
From 2015, with acknowledgement of increased criticality of information technology for public sector services, we see changing attitudes to public sector cyber risk. Within NHS Scotland, Boards were required to adopt the Information Security Policy Framework (2015) supported by the Centre for Internet Security Controls. The Scottish Government developed the Public Sector Actions Plan and its Cyber Resilience Framework (CRF).
When the Network Information Systems (NIS) Regulations were adopted by Scottish Health in 2019, we were following NHS Scotland’s Information Security Policy Framework (ISPF) 2018. In 2022 in line with NIS requirements we anticipate a move to the CRF which supports pan-public sector comparison.
The NIS is looking at cyber risk beyond the services provided by eHealth. Examples include; human resources, facilities, extending to medical equipment and hardware.