Defending Health and Social Care from Cyber Attacks

The National Cyber Security Centre (NCSC) recently calculated that Health and Social Care is the fifth most-attacked sector in the UK for cyber-criminals. Recent incidents, such as the cyber attack on the University of Manchester which compromised the data of over one million NHS patients, further strengthen the case for enhanced security measures.

Such attacks cause enormous disruption to any business, but for care businesses the consequences can be life threatening. If a carer cannot access a service user’s data, the result can be missed medication or missed care provision, and that can rapidly escalate into a safeguarding situation. Particularly for direct care information, where data privacy and security are so crucial, cyber attacks will likely always remain a risk. It is essential that healthcare and health tech software providers continuously monitor, update, and improve their technology to ensure that a breach does not occur.

What measures must be taken?

There are several measures home care agencies can take to reduce the risk of becoming victims of cyber attacks. Picking a suitable software solution is a key element in mitigating potential attacks, particularly if the provider is hosting your data, but remember that the provider is a black box: you don’t know exactly what is going on beyond your own interactions with the application.

There are security standards available which can give you reassurance that a provider is operating in a secure manner. The NHS Data Security and Protection Toolkit (NHS DSPT) is a great place to start; it’s a self-assessment programme largely based on the ISO 27001 standard, with special affordances for healthcare.

Digital Social Care recommends that all CQC-registered care providers become NHS DSPT compliant, and it is a requirement if you deliver services under an NHS contract. They offer good advice and guidance on meeting the standards and becoming conformant.

However, many may dismiss these standards as only being applicable to technology companies. The truth is that cyber security incidents can occur at any step in the process, whether it’s a virus spread via email, sensitive information sent to the wrong individual, or someone managing to gain physical access to your computer.

As general advice, good cyber security practice stems from a defensive way of thinking, posing questions such as: “Can this email be trusted?”, “Could my password be easily guessed by someone who knows me?”, and “Who else could possibly use my computer?”

Protecting client data

When it comes to ensuring that customers’ data is secure, there should be numerous measures in place. I could speak at length on the many different systems to have in place, but I’ll try not to get carried away.

Naturally, any software provider must encourage good security practice through the platform itself, with data encryption both in transit and at rest, multi-factor authentication, and a comprehensive role-based access control system that restricts which authorised users can view and modify which data.

The provider should take on the responsibility of securing the platform for customers, so they don’t have to manage their own servers or engage a third-party IT company to do it for them. Any trustworthy software provider will take care of firewalls, intrusion detection, and encryption, as well as protections and mitigations against many other common attack vectors.

All databases should have point-in-time recovery enabled, which differs from conventional nightly backups: it allows the provider to restore to any point in time within the backup retention period rather than only to the last nightly snapshot. Backups must all be replicated to multiple locations and secured by different credentials, so that a single compromised account cannot destroy both the live data and its backups.

Services should also have a failover mechanism, so that if there is an issue with the underlying server, the provider can switch to a standby instance that holds a full copy of the data. Proactive vulnerability testing, together with periodic penetration testing, helps to identify emerging threats before they are exploited.

And lastly, have a plan. All software providers should implement a comprehensive disaster recovery plan which covers backups and restoration and is regularly tested, so that in the event of an issue you can be confident about what actions to take to mitigate the fallout.

These measures can minimise the impact of a data breach and ensure a swift recovery without compromising client data.

Dec Norton, Director of Development, CareLineLive