The high-profile ransomware attack on a major IT provider to the healthcare sector, Advanced, in August 2022 highlights a fast-growing risk to health care organisations – and independent consultants and GPs – and the need for greater focus on cyber security. Aoife Ryan reports.
Be warned – it is not just the NHS at risk from cyber-attacks.
The attack on IT provider Advanced last year affected a number of systems used by the independent health and care sector, including Carenotes and Crosscare.
And it had a severe impact both financially and in terms of clinical risk, as access to medical notes was lost for a significant period of time.
Unfortunately, this attack was not a one-off and the healthcare sector globally appears to be one of the most targeted by cyber criminals.
The sector’s reliance on technology to create, store, manage and transmit sensitive patient data generates particular IT risks that threaten the operational resilience, performance and stability of the organisations that rely on it.
In response, both the US and EU are putting in place enhanced cyber security regulation requirements for businesses, including by requiring boards to take a proactive approach to managing cybersecurity risks rather than waiting to manage cyber incidents when they occur.
As I write, the UK is yet to clarify how it will implement the outcome of its consultation on proposals to improve the UK’s cyber resilience, although it has recently published a cyber security strategy for health and adult social care which sets out a plan to promote cyber resilience across the sector by 2030.
This does reference the wider independent health and care sector as well as the NHS. The Department for Science, Innovation and Technology’s cyber resilience policy defines cyber resilience as ‘the ability for organisations to prepare for, respond to and recover from cyber-attacks and security breaches’.
For health and social care, this means preventing, mitigating and recovering quickly from any cyber incident that may impact on the sector’s ability to provide continued care.
So what can you do?
In the UK, fewer than one in five businesses have a formal incident management plan for cyber security incidents; most have instead placed their focus on business continuity. But surely prevention is better than cure?
It is often a lack of understanding and expertise which results in a business failing to put in place preventative measures, hoping that ‘it will never happen’ and ignoring the risk or relying on the purchase of cyber insurance.
However, the increasing regularity with which businesses are experiencing both phishing attacks and malware is surely evidence of the increasing need for active cyber defence (ACD).
There are a number of key basic elements which a business, including a healthcare business, should always have in place to mitigate cyber risk:
All businesses should take regular back-ups, ideally daily, of their business-critical data to ensure they are recent and can be restored. If you can recover your data quickly, you are less likely to be impacted by a ransomware attack.
You should ensure back-ups are kept separate from your main system so they can’t be accessed if that system is compromised. Cloud storage may be the preferred option in this situation.
Anti-virus software should be installed and, most importantly, kept up to date, and measures put in place to ensure staff can only download apps from approved and reputable sources.
Staff access to systems should be controlled by two-factor authentication and staff should be advised that all IT equipment must be kept up to date with manufacturers’ software updates.
Strict controls should be put in place around the use of memory cards and USBs, as these can be a conduit for malware and viruses. There should always be a firewall in place between your network and external systems.
As new technology is developed, it can be challenging to monitor and replace older technology as it becomes outdated and more vulnerable to cyber-attacks.
Businesses need to keep ahead of outdated technology through maintenance and replacement.
Finally, it is worth reviewing your organisation’s contracts with its IT suppliers to see what level of protection they are offering, both in terms of contractual protections such as ‘warranties’ designed to guarantee the cyber security of their products and what they commit to do if a cyber-attack does happen.
It can be difficult for smaller providers to negotiate effectively with large IT providers, but nevertheless these contractual issues are worth exploring.
Training should be provided to staff to allow them to identify and avoid phishing attacks, at all levels of the business, recognising that certain areas are most vulnerable, including front of house and first point of contact.
Ensure staff are trained and signposted on how to deal with unusual requests and can identify what a phishing email may look like and how to report any suspicious activity.
Staff should be told that cyber security is the responsibility of all individuals within the business, not just the board or line managers.
‘Board level’ management of and engagement with risk in this area will nonetheless be key.
Bosses will need to ensure that they have meaningful information at a sufficient level of detail to allow them to properly assess the risks to their particular business.
They will want to ensure that there is clarity as to exactly who is responsible for particular cyber security provisions and that risks and issues are reported up to them with sufficient regularity.
For example, are processes designed so that cyber risk is integrated with business risk, and does the organisation have a holistic approach to risk management?
Staff need to be trained to identify and report risks and understand the importance of cyber security measures and what they mean for the organisation.
Clear and visible management commitment to the issue will be a valuable tool in ensuring compliance with policies and procedures.
Within the relevant risk assessments, there should be clarity as to the potential motivations behind cyber attacks and likely targets within the organisation. Systems should be kept under review and tested by the IT team to ensure defensive measures remain effective.
Because cyber attackers can often access email systems and impersonate senior management, all staff should be aware of procedures and protocols and be primed to identify and report unusual requests or instructions.
Many organisations now have embedded tools which permit quick and easy reporting of suspicious emails to the IT team on a ‘one-click’ basis.
Staff should be able to report issues without fear of criticism or reprisals and sufficient resource should be allocated to maintain appropriate levels of compliance.
There are a number of obvious benefits to mitigating cyber risk, one of the key elements being to manage regulatory risk.
A cyber-attack places a business at risk of not only financial loss but also regulatory enforcement if significant failings are identified.
The General Data Protection Regulation (GDPR) and UK GDPR place parallel obligations upon businesses to ensure that data is processed securely by means of ‘appropriate technical and organisational measures’, taking into account the current state of available technology.
There is no mandatory guidance to provide a framework for action, but rather the expectation that the risk will be assessed and appropriate control measures will be put in place to mitigate those risks.
Onus on business
This approach, often described as ‘outcomes-focused regulation’, places the onus upon business to prevent negative outcomes against a constantly shifting threat landscape.
Obvious parallels can be drawn with the analysis set out above, showing that sensible and proportionate measures which manage cyber risk serve equally to manage regulatory risk.
One effective step that can be taken is for organisations to engage with the National Cyber Security Centre’s (NCSC) Cyber Essentials programme, an ‘effective Government-backed scheme’ designed to protect organisations against a range of the most common cyber-attacks.
It gives the added assurance that the measures it recommends are supported by the most up-to-date threat assessment and government-backed intelligence, given the NCSC’s position as part of The Government Communications Headquarters (GCHQ).
In addition to the requirements imposed by GDPR/UK GDPR, a business should take note, in assessing its regulatory risk, of the regulatory regime under the Network Information Security Regulations (NIS).
At present, enforcement action under NIS has been limited. However, significant changes are planned by the UK government to both expand the remit of the legislation and to strengthen the UK’s cyber security provisions.
These amendments, once in place, are likely to increase the scope and appetite for regulatory enforcement in this space.
Anecdotally, the NCSC has particular concerns around the security provisions of managed service providers, which will be brought within the scope of the revised regulations, and the potential for them to be used as a ‘back door’ into the businesses they provide services to.
Taken together, all of the above risk factors and mitigations will need to be on the radar of healthcare businesses, which should be proactively monitoring the risk environment and ensuring that sufficient resources are committed.
Senior management endorsement of the importance of these issues, cascaded down through the whole organisation, appropriate policies and procedures alongside education and training will be key.
A successful risk management programme combined with employee engagement as the front line is the best line of defence.
Aoife Ryan is legal director at Hill Dickinson, and able to provide further support should you have any questions regarding cyber security in your organisation.