
How NHS Trusts Can Strengthen Cyber Resilience in Health and Social Care

Many of today's threat actors actively target UK health and social care organisations with cyber attacks, fully aware of the potential to disrupt critical services and endanger human life. The primary motive is money: financial gain comes from stealing valuable patient data or shutting down crucial systems and demanding a ransom. NHS Trusts therefore operate in a cyber risk landscape that keeps growing. This article offers some actionable ways for NHS Trusts to strengthen cyber resilience in health and care.

Use the Data Security and Protection Toolkit

The Data Security and Protection Toolkit (DSPT) is a self-assessment tool that measures an organisation’s performance against 10 data security standards defined by the National Data Guardian. It’s mandatory for organisations with access to NHS patient data to submit an assessment using this tool each year.

In using the DSPT, NHS Trusts fall under Category 1, which means the requirements for an assessment are more extensive than other categories of organisation. A few examples of requirements and how they help increase cyber resilience are:

  • Document what personal data you hold, where it came from, who you share it with and what you do with it. It's critical to track sensitive information assets and the flow of those assets in an organisation. Gaps in data security measures can easily emerge when you don't have comprehensive visibility over your information assets and how they're being used.

  • There is a data protection and security induction in place for all new entrants to the organisation. Given that employee error is a major risk factor that increases the likelihood of cyber attacks being successful, it’s imperative that new staff members receive an effective induction that highlights key data protection measures for health and care along with the most salient security risks.

  • Users in your organisation are only given the minimum access to sensitive information or systems necessary for their role. This requirement reflects a recognition that least privilege access principles are an effective mechanism for reducing the attack surface that malicious actors can potentially use to access sensitive information or critical systems.
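The least-privilege requirement above is easy to state and hard to keep true, because users accumulate grants as they change roles. The following is an added example written for this article, not part of the DSPT or of any NHS system: a deny-by-default permission check plus an access review that flags any permission a user holds beyond the minimum for their roles. The role names, permissions and user records are constructed for illustration.

```python
"""Least-privilege check: deny by default, and flag grants beyond a role's minimum.

Added example for this article; not part of the DSPT or any NHS system.
Roles, permissions and user grants below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Minimum permissions each role needs to do its job (constructed role model).
# A role not listed here grants nothing, so an unknown role is denied everything.
ROLE_MINIMUM = {
    "ward_nurse": {"patient_record:read", "observations:write"},
    "pharmacist": {"patient_record:read", "prescription:write"},
    "hr_officer": {"staff_record:read", "staff_record:write"},
    "sysadmin": {"server:admin"},
}


@dataclass
class User:
    name: str
    roles: set
    # Ad hoc permissions granted outside any role; the usual source of privilege creep.
    direct_grants: set = field(default_factory=set)


def role_minimum(roles):
    """Union of the minimum permissions for the given roles."""
    needed = set()
    for role in roles:
        needed |= ROLE_MINIMUM.get(role, set())
    return needed


def effective_permissions(user):
    """Everything the user can actually do: role permissions plus direct grants."""
    return role_minimum(user.roles) | set(user.direct_grants)


def is_allowed(user, permission):
    """Default-deny: allowed only if the permission is explicitly held."""
    return permission in effective_permissions(user)


def excess_privileges(user):
    """Permissions held beyond the minimum for the user's roles.

    A direct grant that duplicates a role permission is redundant, not excess;
    anything returned here is a candidate for removal at access review.
    """
    return effective_permissions(user) - role_minimum(user.roles)


def review(users):
    """Map user name -> sorted excess permissions, for users holding more than needed."""
    findings = {}
    for user in users:
        extra = excess_privileges(user)
        if extra:
            findings[user.name] = sorted(extra)
    return findings


# Constructed sample: c.reid kept grants from a previous clinical and admin role.
USERS = [
    User("a.khan", {"ward_nurse"}),
    User("b.osei", {"pharmacist"}, direct_grants={"patient_record:read"}),
    User("c.reid", {"hr_officer"}, direct_grants={"patient_record:read", "server:admin"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name}: read patient records -> {is_allowed(u, 'patient_record:read')}")
    print("Access review findings:", review(USERS))
```

Running the review periodically, rather than only at onboarding, is what turns the DSPT requirement into something you can evidence: the output is the list of grants to revoke.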

The full list of requirements for the 2022-2023 DSPT is published on the DSPT website.

Follow the What Good Looks Like Framework

What Good Looks Like (WGLL) is a framework directed at NHS leaders that helps ensure health and care providers have a strong foundation in digital practice. The framework is for integrated care systems (ICS) in which local authorities and third sector bodies work with NHS organisations to take responsibility for the health and care services in a given area or 'system'. NHS Trusts play a part in the collaborative effort that each ICS aims to achieve in planning and improving health and care.

WGLL sets out success measures for effective digital transformation. While this scope obviously encompasses far more than just cyber security, there are some useful guidelines about what good looks like when it comes to cyber resilience, including:

Support all staff to attain a basic level of cyber security literacy, followed by continuing professional development.

Under the 4th measure of success, organisations support their workforce so that staff can work optimally with data and technology. Many of today's data breaches begin by targeting employees with social engineering, and a basic level of cyber literacy helps thwart those efforts. The emphasis on continuing development is also pertinent, because people forget what they have learned over time. Cyber security training should be ongoing if it is to remain effective and truly strengthen cyber resilience in health and care.

Make sure that all projects, programmes and services meet the Technology Code of Practice and are cyber secure by design.

The Technology Code of Practice is a guide that establishes criteria for how the UK government should design, build and buy technology. Point six of the guide focuses on making things secure and it elaborates on several useful practices for cloud infrastructure and services, such as:

  • Encrypting data
  • Using two-factor authentication
  • Timely patching
  • Fine-grained access control

These are all prudent practices that can enhance cyber resilience in health and care (and other organisations). It’s also worth noting the “secure by design” recommendation—when procuring or developing any software or system in health and care, ensure security is baked in at the foundational level of design rather than tacked on at later stages.

Comply with Relevant Data Protection Standards

Data protection standards set in place the minimum requirements for safeguarding personal or otherwise sensitive information against compromise or loss while also protecting individual privacy. Compliance with relevant standards is clearly important for legal reasons, but even above such considerations, compliance ultimately protects patient data.

The UK data protection rules that govern how patient data must be secured and processed are the UK GDPR together with the Data Protection Act 2018 (DPA), and the Common Law Duty of Confidentiality (CLDC).

The CLDC is not a statute but a duty established through case law: confidential information shared with an organisation cannot be disclosed without the individual's consent unless there is a valid legal basis for doing so, such as a statutory requirement, a court order or an overriding public interest. It is a rule about confidentiality and consent rather than a set of technical controls. Encryption at rest and in transit does protect against disclosure when a laptop is lost or traffic is intercepted, but it does nothing against disclosure by a user who is legitimately authorised to decrypt; access control, audit logging and staff training are what address that side of the duty.

The sixth data protection principle (integrity and confidentiality), set out in Article 5(1)(f) of the UK GDPR and repeated in the DPA 2018, requires that personal data be processed in a manner that ensures appropriate security, using technical or organisational measures proportionate to the risks arising from the processing. The wording is broad, but the important point is that appropriate security is mandatory, including "protection against unauthorised or unlawful processing and against accidental loss, destruction or damage". Article 32 of the UK GDPR makes this more concrete by naming pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience, timely restoration of access after an incident, and regular testing of the measures as examples of what appropriate security involves.

Test and Improve Cyber Incident Response

The ability to effectively respond to cyber security incidents is a pivotal part of strengthening cyber resilience. The importance of swift incident response and efficient containment becomes even more pronounced in health and care, where cyber attacks can result in the compromise of sensitive patient data or outages in crucial operational technology that staff depend on to treat patients.

Ongoing efforts should be made to improve incident response at NHS Trusts. Slow response gives malicious actors more time to steal data, install backdoors that guarantee future access, and wipe evidence of their intrusion and activity in your environment. Strategies for improvement should include benchmarking performance against industry surveys and recording response time metrics (such as time to detect and time to contain) for each cyber incident. Also, exercise your incident response plan and refine it based on the bottlenecks you find, for example false positive security alerts or ineffective triage of alerts.

Understand Cyber Maturity and Where You Are

Cyber maturity refers to the level of capability and readiness an organisation demonstrates in mitigating cyber risk. A defining characteristic of high cyber maturity is that security is baked into the organisation's culture rather than treated as a necessary evil or as something still to be integrated. The more mature an organisation is, the better its cyber resilience.

Relevant frameworks in this area include the NCSC Cyber Assessment Framework and the CIS Critical Security Controls Implementation Groups.

Cyber maturity is more of a journey than a destination because there are always ways to improve. It is also not straightforward to assess current maturity and develop a roadmap for improvement from the inside. Partnering with a cyber security consultancy or managed service can provide a fresh view and ensure that NHS Trusts understand their cyber maturity and make changes that strengthen resilience in health and care.

Talk to us today about your security needs. 

I love to help organisations solve data protection challenges. To do this, I transform security and data privacy from being necessary overheads to becoming business enablers. I have enjoyed many leadership roles throughout my career in data privacy, information security, and risk management. I take pride in creating positive outcomes, with over 15 years' experience of exceeding expectations in high pressure environments, both domestically and internationally.
