Paul Heath, regional director, UK&I Public Sector at McAfee, discusses the requirements of the government’s new data protection framework and the steps health and care organisations can take to meet them.
The cybersecurity risk to healthcare organisations has become very real over the past year: WannaCry disrupted services at 40 hospitals across 24 NHS Trusts in the UK, and one third of all NHS Trusts reported falling victim to ransomware attacks in just 18 months. Imperial College Healthcare in London alone indicated that it had suffered 19 attacks in 12 months.
It is perhaps unsurprising, then, that a recent survey of UK healthcare IT professionals found that 1 in 4 are not confident in their organisation's ability to respond to cyberattacks. With the threat landscape constantly evolving, and the healthcare sector clearly established as a key target because of the severe consequences of sensitive data loss or of harm to patient care if core systems go offline, it is crucial that NHS Trusts ensure a minimum standard of data protection and security.
To help them bring their cybersecurity processes up to scratch, the Department of Health last month launched ten new data security standards for health and care organisations, based on the recommendations of Dame Fiona Caldicott, the National Data Guardian for Health and Care. The standards apply to all health and care organisations from April 2018, so NHS Trusts and care providers need to start considering them now and taking the steps required to meet the new framework.
So, what are these ten new data security standards and what should organisations be doing to meet them?
The new security standards demand a culture change in how organisations approach data security, starting with senior-level responsibility for it. That accountability at the top is crucial for any organisation that wants to make real change to its cybersecurity processes.
Organisations must also meet existing data protection standards, including the Information Governance Toolkit and the General Data Protection Regulation checklist. NHS Digital will publish this checklist to help organisations meet the GDPR's requirements ahead of its enforcement in May 2018.
In addition, all staff will need to complete annual data security and protection training, including a section on cybersecurity. Back in 2015, McAfee found that 97 per cent of people could not reliably identify phishing emails. While I hope and expect that awareness has improved over the past two years, cyber criminals understand that humans are the weakest point of entry, especially in high-speed, high-pressure environments such as hospitals, so it is crucial that all employees have a thorough understanding of good cyber behaviour to give their organisation a fighting chance.
Health and care organisations also need to demonstrate that they have processes in place to respond to immediate cyber threats flagged in CareCERT advisories. A primary point of contact must be established within the organisation to receive the bulletins sent out by the NHS Digital Data Security Centre and to coordinate the organisation's response. That response must now be provided through CareCERT Collect, within 48 hours in the case of high-severity CareCERT advisories, to show that plans are in place to act on the information.
Organisations also need a comprehensive business continuity plan for when they do fall victim to a data or cybersecurity incident. In such cases, it is important that staff report incidents and near misses to CareCERT in line with the reporting guidelines.
With 20% of healthcare IT professionals reporting that Windows XP is running on their network, it is little surprise that addressing unsupported systems is a key requirement of the new data security standards. Organisations must identify all unsupported systems – including software, hardware and applications – and put a plan in place that either removes or mitigates these risks by April 2018.
The new security standards also require organisations to undertake on-site data and cyber security assessments, if requested by NHS Digital, and share the outcome and recommendations with the relevant commissioner.
Finally, organisations are now required to carry out due diligence on their IT suppliers, ensuring that both the supplier and the system it provides hold the appropriate certification. From requiring Cyber Essentials certificates to purchasing services offered through the Government Digital Marketplace, health and care organisations must ensure that IT service providers and their solutions are not the weak link that puts systems and data at risk.
When new cyber and data security standards such as these arrive, the tempting route, and the one most frequently taken, is to treat them as a checkbox exercise.
However, the new requirements present a genuine opportunity for health and care organisations to take a step back and reassess their cybersecurity processes. This allows an organisation to plan a holistic approach strategically, one that will help it defend effectively against a rapidly evolving threat landscape.
From new automated services that help reduce the burden on stretched IT professionals, to vendor partnerships ensuring that cybercriminals don’t exploit the gaps between siloed security solutions, much can be gained from revisiting traditional information security plans, processes and deployments.
With the new standards placing responsibility for data security squarely on senior leadership, I challenge leaders within health and care organisations to take it one step further and make it their mission. Only with the right sponsorship from senior leaders can these organisations get on the front foot and deliver a secure service to health professionals and their patients alike.