The latest review into the WannaCry ransomware attack and cyber security standards has concluded that “all health and social care organisations can, and should, have strong cyber security measures in place” as the protection of patient data is “fundamental to delivering high quality and safe services”.
Highlighting the complex nature of the health and social care industry, the review, by William Smart, chief information officer for the health and social care system, details that there is no “one-size-fits-all” approach and that organisations’ “response needs to be proportionate to the scale and type of services being provided by each organisation”. The review continues by stating that it is “critical that we [health and social care] maintain trust and confidence in the services we deliver, as information technology becomes ever more integral to the health and social care system”.
The Department of Health and Social Care’s Data Security Leadership Board commissioned the review, which considers NHS internal assessment and national reviews, and details the lessons that can be learned from the 2017 attack. The review makes 22 recommendations to health and social care organisations which, if implemented, can strengthen cyber security defences. These recommendations highlight how organisations can prepare for cyber threats and implement and test response strategies should they suffer a breach.
These recommendations include:
- Recommendation 1: NHS organisations should “develop local action plans to achieve compliance with the Cyber Essentials Plus standard by June 2021, as recommended by the NCSC (National Cyber Security Centre)”. This should form the minimum requirement for all health and social care organisations and can serve to speed up compliance with the Data Security and Protection (DSP) Toolkit. As part of the DSP Toolkit, large organisations will also be required to undertake basic due diligence to ensure that their supply chain meets these minimum required standards.
- Recommendation 5: Organisations should ensure that data security is a board level priority and cyber security risks should be regularly approved by the board. This includes the recommendation that every board should have an executive director as the data security lead. Ensuring buy-in from senior management is also a requirement of the General Data Protection Regulation (GDPR) which comes into effect in May 2018. More information on GDPR compliance is available on the information page.
- Recommendation 8: Business continuity and disaster recovery should “include the necessary detail around response to cyber incidents, and must include a clear assessment of the impact of the loss of these services on other parts of the health and social care system”. The recommendation continues: “[T]hese plans must identify critical third party services […] setting out the impact of the loss of these services on their operations and necessary business continuity actions required to address the loss of such services.” Both cyber incident response and business continuity are vital to operators of essential services. More information on implementing a business continuity management system (BCMS) can be found in the green paper: Business Continuity Management – The nine-step approach.
- Recommendation 13: Annual cyber awareness training should be given to NHS organisations and, while not formally recommended, “all organisations should consider whether access to IT systems and services should be removed from members of staff who have not successfully completed this mandatory training”. Additional guidance on this recommendation suggests that staff should receive regular and targeted information governance awareness training, including “internal phishing attacks to test the awareness of staff to the danger of opening spam email”.
IT Governance offers a range of staff awareness training and vulnerability testing, including phishing simulation. For information on how we can tailor our training services to meet your organisational needs, talk to an expert.
Achieving a strong cyber security posture begins by understanding the gaps in your organisation’s critical risk areas and determining the right actions to close those gaps. A Cyber Health Check can achieve this by identifying your weakest security areas and developing a cost-effective and targeted risk mitigation plan.