GCHQ granted extended powers to demand data from the NHS during the Covid-19 crisis

The NHS will be obliged to share more data with GCHQ, the UK's intelligence service, after the agency was granted additional powers by health secretary Matt Hancock.

A government document released last week entitled The Consent to Activities Related to the Security of NHS and Public Health Services Digital Systems (Coronavirus) Directions 2020 says that the move is necessary to protect the network and information systems used by the NHS from attackers seeking to take advantage of teh situation.

The new provisions, which expire at the end of this year, extend the scope of the Computer Misuse Act 1990 and say that the NHS and supporting services must "consent to the disclosure, to GCHQ, of any information relating to the security of any network and information system held by or on behalf of the NHS or a public health body during the period ending on 31st December 2020".

A spokesman for the GCHQ's National Cyber Security Centre (NCSC) told the Health Service Journal the measures are part of "our ongoing commitment to protect health services during the coronavirus pandemic," adding: "These directions give us consent to check the security of NHS IT systems."

The spokesman said the directions do not give the agency access to patient data, and that NCSC has "no interest" in obtaining such information.

Commenting on the matter, Irene Ng, CEO of personal data consultancy Dataswift, said that despite these assurances the announcement will likely add to growing privacy concerns around the handling of the Covid-19 crisis, most recently prompted by the NHS's insistence on pursuing a centralised model for its proposed contact tracing app, rather than a decentralised approach favoured by other European countries. GCHQ is involved in the design of the app.

"The debate around these issues tends to focus heavily on whether or not we can trust governments and the NHS with our health data. But these debates often conflate trust with privacy. If there is trust, then should privacy not follow?" she said.

The Covid-19 crisis has seen an upswing in attacks on health services around the world, including ransomware targeted at hospitals. NCSC and the US Cybersecurity and Infrastructure Agency (CISA) put out a joint warning that that cyber crooks and advanced persistent threat (APT) groups are currently using a range of malware and ransomware to target individuals as well as businesses across the UK, US and other countries.