
Regulatory and cyber security

Our vision for cyber resilience and vulnerability management is to prevent problems before they happen.

We achieve this through a range of methods, including rigorous procurement that adheres to national standards and frameworks, and regulatory compliance with NIS (Network and Information Systems) and the CRF (Cyber Resilience Framework). This gives us assurance across our security architecture, including the suppliers we work with and any system, service, or solution we procure.

Regulatory compliance with NIS/CRF

From 2015, as the growing criticality of information technology for public sector services was acknowledged, attitudes to public sector cyber risk began to change. Within NHS Scotland, Boards were required to adopt the Information Security Policy Framework (2015), supported by the Centre for Internet Security (CIS) Controls. The Scottish Government developed the Public Sector Action Plan and its Cyber Resilience Framework (CRF).

When the Network and Information Systems (NIS) Regulations were adopted by Scottish Health in 2019, we were following NHS Scotland’s Information Security Policy Framework (ISPF) 2018. In 2022, in line with NIS requirements, we anticipate a move to the CRF, which supports comparison across the wider public sector.

NIS considers cyber risk beyond the services provided by eHealth. Examples include human resources and facilities, extending to medical equipment and hardware.

Infographic sections: prevent problems before they happen; NIS/CRF regulatory compliance; proportionate cyber resilience; redundancy and resilience in the cloud; resilience and continuity testing; rigorous procurement standards and assurance.