Cyber threats are a significant challenge for health and social care organisations, a sector that consistently reports one of the highest numbers of data breaches each year.
The wealth of data held on NHS networks, and the impact on patient care when that data becomes unavailable, make the sector a highly attractive target for cyber criminals. Furthermore, because patient information is accessible to a wide range of staff, the risk of an accidental breach is also increased. To minimise these risks, healthcare providers need to maintain a robust information security posture and have tried-and-tested plans in place for when a breach occurs.
Information security is not limited to healthcare providers. All health and social care organisations need to protect the confidentiality, integrity and availability of health data, regardless of where it is held or processed. Implementing and demonstrating best practice through internationally recognised certification schemes, and prioritising compliance with the EU General Data Protection Regulation (GDPR), helps to maintain your network and information security. It also gives healthcare providers the confidence they need to award contracts to suppliers.
With the introduction of the GDPR and the associated fines for non-compliance, cyber and data security have never been higher on board agendas. Planning now for upcoming risks puts your organisation in the best possible position to prevent incidents, or at least reduce the impact should they occur.
GDPR in healthcare
The GDPR took effect on 25 May 2018, and the UK Data Protection Act 2018 replaced the Data Protection Act 1998 on the same day. As a result, health and social care organisations must follow stricter rules on the collection, processing and storage of the personal data of individuals in the EU.
IT Governance offers a checklist for organisations at any stage of their GDPR compliance journey. This checklist follows guidance from NHS Digital for both healthcare providers and industry partners.
View the GDPR compliance healthcare checklist >>
Cyber Essentials in healthcare
Devised by the UK government, Cyber Essentials is a cost-effective assurance scheme for basic information security. The 2016 National Data Guardian review identified it as the minimum standard for healthcare providers, allowing them to demonstrate that they have implemented fundamental cyber security controls.
Recent reports recommend that all healthcare organisations – both providers and suppliers – achieve Cyber Essentials Plus certification by 2021, in line with the advice of the National Cyber Security Centre (NCSC).
IT Governance offers a range of packages for organisations of all sizes to achieve CREST-accredited certification. More details on the benefits of Cyber Essentials Plus are available on our information page.
Visit the Cyber Essentials Plus healthcare page >>
The Data Security and Protection (DSP) Toolkit
From April 2018, the DSP Toolkit replaced the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations.
The DSP Toolkit applies to all healthcare organisations – both NHS bodies and industry partners – with specific controls tailored to the size and nature of your organisation.
View the DSP Toolkit information page >>
Directive on security of network and information systems (NIS Directive)
The Directive aims to achieve a high common level of network and information systems security across the EU. To that end, it introduces security measures and incident reporting obligations for operators of essential services (OES) in critical national infrastructure (CNI), including healthcare providers, and for digital service providers (DSPs). In the UK it is implemented through the Network and Information Systems Regulations 2018.
Download the NIS Directive UK compliance guidance >>
Training solutions for healthcare
The past year has seen significant changes to the digital landscape, and both healthcare providers and industry partners need to stay abreast of the challenges these present. IT Governance’s training courses can help develop your in-house capabilities to meet these challenges and plan against current and anticipated threats.
Our trainers are experienced in the challenges and compliance obligations across a wide range of organisations, and can bring healthcare-specific knowledge as well as best-practice insight.
Courses can be delivered at our public training centres, Live Online or as convenient in-house training sessions.
Download the training brochure for health and social care >>
Cyber security and resilience
As cyber threats evolve, security solutions cannot always keep pace. Rather than focusing solely on keeping attackers out of your network, it is better to assume a breach will occur and plan a strategy that limits its impact. Cyber resilience brings together cyber security and business continuity so that your organisation both works to prevent breaches and is able to continue operating and recover when an incident does happen.
More information on cyber resilience is available on the information page >>
Healthcare organisations may have technology and procedures in place to prevent data theft, but it is difficult for any organisation to find every single security weakness on its own.
To help protect your network and electronic patient health information (PHI), you need to examine your environment the way a potential attacker would. Penetration testing is essentially a controlled form of hacking in which the ‘attackers’ operate on your behalf, within an agreed scope, to find and report the sorts of weaknesses that criminals would exploit before they can be used against you.
More information on penetration testing >>