The NHS has been in the news a lot lately (what’s new?), but the topic this time has been cyber security spending.
After a penetration testing company found some unnerving holes in multiple trusts’ security, Sky News used freedom of information requests to ask for the annual cyber security expenditure of a number of NHS trusts.
Seven trusts responded that they had “spent nothing” on cyber security in 2015, and 45 said they were “unable to specify”.
Increasing threat to the NHS
This year has seen multiple instances of cyber attacks on the NHS. Another freedom of information request found that there have been 28 ransomware attacks on hospitals in 2016, four of which are believed to have resulted in data theft.
In October of this year, the North Lincolnshire and Goole (NLG) NHS Foundation Trust had its systems infected with a virus, which resulted in the cancellation of at least 35 patient operations. Other patients had to be relocated while the threat was dealt with.
NHS patient data is very valuable on the black market – in some cases, it’s worth 10 times more than a credit card number.
Patient focus groups have found that the public needs reassurance about data security when data is moving outside the NHS. The National Data Guardian for Health Care’s Data Security Review heard that members of the public would be reassured if organisations were assessed regularly for compliance against standards, if they complied with all legal requirements and if compliance processes were strictly enforced.
The Cyber Essentials certification
Cyber Essentials is the UK-Government-backed security scheme that sets out five security controls that could prevent around 80% of basic cyber attacks, improving cyber security and preserving the reputation of the healthcare industry.
Cyber Essentials certification is an annual certification that demonstrates to patients, suppliers and third parties that data security is being taken seriously. Choosing a CREST-accredited certification body like IT Governance also demonstrates that the organisation's cyber security status has been independently verified by a third-party vulnerability scan.
To help companies of any size and with any level of information security competence adopt the Cyber Essentials scheme, IT Governance has developed three packaged solutions to choose from. With the CyberComply online portal, all companies can be in full control of their certification process, assisted by IT Governance’s experienced consultants.