Cyber threats are a significant challenge for health and social care organisations. The industry experiences the highest number of data breaches annually. The wealth of data available on NHS networks and the potential impact of data unavailability makes the industry very attractive to cyber criminals. Furthermore, as patient information is often available to a wide scope of personnel, the risk of an accidental breach is also increased. To minimise these risks, healthcare providers need to maintain a robust information security posture and have tried-and-tested plans in place should a breach occur.
Information security is not limited to healthcare providers. All health and social care organisations need to maintain the integrity of their health data, regardless of where it is held or processed. Implementing and demonstrating best practice through internationally recognised certification schemes, as well as prioritising compliance with the EU General Data Protection Regulation (GDPR), serves to maintain your network and information security. It also gives healthcare providers the necessary confidence to award contracts.
With the introduction of the GDPR and the associated fines for non-compliance, cyber and data security have never been higher on board agendas. Planning now for upcoming risks puts your organisation in the best possible position to prevent incidents, or at least reduce the impact should they occur.
GDPR in healthcare
The GDPR will apply from 25 May 2018. As a result, health and social care organisations will have to follow stricter guidelines on the collection, processing and storage of individuals’ data.
IT Governance offers a checklist for organisations at any stage of their GDPR implementation journey. This checklist follows guidance from NHS Digital for both healthcare providers and industry partners.
View the GDPR compliance healthcare checklist >>
Cyber Essentials in healthcare
Devised by the UK government, Cyber Essentials (CE) is a world-leading, cost-effective assurance mechanism for information security. The 2016 National Data Guardian review deems it to be the minimum standard for healthcare providers, allowing them to demonstrate that they have implemented the most basic cyber security controls.
Recent reports recommend that all healthcare organisations, both providers and suppliers, achieve Cyber Essentials Plus (CE+) certification by 2021, in line with the recommendation of the National Cyber Security Centre (NCSC).
IT Governance offers a range of packages for organisations of all sizes to achieve CREST-accredited certification. More details on the benefits of CE+ to healthcare organisations is available on our information page.
Visit the CE+ healthcare page >>
The Data Security and Protection (DSP) Toolkit
From April 2018, the DSP Toolkit will replace the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations.
The DSP Toolkit will apply to all healthcare organisations – both NHS and industry partners – with specific controls, tailored to the size and nature of your organisation.
The prototype DSP Toolkit is now live, with further guidance on its requirements available.
View the DSP Toolkit information page for more details >>
For advice on getting a head start to DSP Toolkit compliance, speak to one of our healthcare experts.
The Directive on Security of Network and Information Systems (NIS Directive)
The NIS Directive was adopted by the European Parliament on 6 July 2016, and entered into force in August 2016. EU member states have until 9 May 2018 to transpose it into national laws, and a further six months to identify the operators of essential services (OES) to which it applies.
The Directive aims to achieve a high common level of network and information systems security across the EU. As such, it will introduce security measures and incident reporting obligations for OES in critical national infrastructure (CNI), including healthcare providers and digital service providers (DSPs).
Download the NIS Directive UK compliance guide >>
Training solutions for healthcare
The past year has seen significant changes to the digital landscape, and both healthcare providers and industry partners need to stay abreast of the challenges these present. IT Governance’s training courses can help to develop your in-house capabilities to meet these challenges and plan against current and anticipated threats.
Our trainers are experienced in the challenges and compliance obligations across a wide range of organisations, and can bring healthcare-specific knowledge as well as best-practice insight.
Courses can be delivered at our public training centres, live online or as convenient in-house training sessions.
View our full range of courses and book onto your course now >>
Cyber security and resilience
As cyber threats evolve, the development rate of security solutions cannot always match the pace. Instead of solely focusing on preventing attackers from accessing your network, it is better to assume a breach will occur and plan a strategy that reduces the impact. Cyber resilience brings together cyber security and business continuity to try and prevent breaches and ensure your organisation survives following an incident.
Its comprehensive approach to information security and business continuity means that a best-practice information security management system (ISMS) and business continuity management system (BCMS) can help. Their respective international standards, ISO 27001 and ISO 22301, are recommended as guidance for complying with cyber and data security requirements and legislation.
More information on cyber resilience is available on the information page >>
Healthcare organisations may have technology and procedures in place to prevent data theft, but it is difficult for organisations to find every single security weakness.
To help protect your network and electronic patient health information (PHI), you need to examine your environment the way a potential attacker would. Penetration testing is essentially a controlled form of hacking in which the ‘attackers’ operate on your behalf to find the sorts of weaknesses that criminals would exploit.
More information on penetration testing >>
Our one-stop shop provides solutions for the most common challenges facing healthcare organisations that are looking to:
- Achieve and maintain a secure information infrastructure; and
- Demonstrate regulatory compliance and certification.
Discover our healthcare products >>
Download our free resources
IT Governance solutions
IT Governance has the expertise and experience to help you confidently navigate these challenges. We offer a comprehensive range of risk management, IT governance and compliance services to organisations operating in the healthcare sector.
Get in touch today for further information, or to speak to an expert.