Cyber should be on every health and care organisation’s business radar
So how can you get business leaders on-board and involved?
For any health and care organisation, security is a perpetual consideration, as IT teams work continuously to safeguard networks, systems, medical devices, data, etc., across multiple disparate locations.
Clinical care delivery is heavily reliant on IT systems. Therefore, any impact on these systems in terms of loss of confidentiality, integrity or availability has a direct impact on delivering safe and effective care.
Lessons of the past
It’s hard to believe that it’s two years since WannaCry. As we all know, the attack had wide-ranging implications, with at least 34% of NHS trusts and over 600 primary care and other organisations affected. As NHS England’s lessons learned review observed, it’s unlikely that we’ll ever know the true extent of its impact, but we do know that many organisations suffered financial and organisational consequences due to:
- Cancelled appointments and operations
- Hiring additional IT support from NHS and/or independent consultants
- Staff working overtime to resolve problems – restoring access to systems, records, etc.
Security breaches will occur; they’re inevitable. The critical issue is how prepared organisations are, and whether they are equipped to respond to such incidents.
Starting with the obvious, an adept and knowledgeable IT team is a must, but delegating processes and procedures to the IT department alone is a mistake. On the contrary, security must span every area of the organisation and this can only happen through executive leadership.
Of the 22 recommendations outlined in NHS England’s lessons learned review, four refer to the role of leaders in security. Take recommendation five, which begins:
“All NHS organisations are to ensure that every board has an Executive Director as data security lead…”
Then there’s Obligation 1 of the NHS 2017/18 Data Security Protection Requirements guidance, entitled ‘Senior Level Responsibility’, which states:
“There must be a named Senior Executive responsible for data and cyber security in your organisation.”
It’s essential that leaders communicate with IT teams, to ensure they:
- Know which applications and data are the most critical from a business perspective
- Understand why they are so important
- Can implement the right risk mitigation controls.
Leaders must also ensure all staff understand their role in ensuring the integrity of networks, systems, devices and data. And IT departments must reciprocate by articulating in a clear, non-technical way:
- How cyber security breaches can occur, e.g. delaying patching, not patching at all, downloading unauthorised software, etc.
- The potential outcomes: loss of confidentiality and integrity, inaccessible clinical systems, reputational damage, potential risk to patients
- The benefits of robust security policies and systems: from business gains, to creating better working environments.
I’ll end by returning to WannaCry and something I said soon after the event. Unfortunately, it’s impossible to prevent every type of attack, so it’s not a matter of if an attack occurs, but when. However, by combining the business knowledge of Executive Leaders and the technical expertise of IT professionals, it is possible to develop a holistic, cohesive security strategy that can safeguard any organisation against damage caused by such events. This approach helps organisations focus on risks that have a real business impact. It also ensures the right controls are in place to reduce those specific risks.
Without this link between an organisation’s IT security and business requirements, security controls will at best manage just part of the risk – but how will you know for certain how effective they really are?
For further information, visit our dedicated Health and Care Security Page, or download our Health and Care Security Advisory Guide, and NHS Cyber Security Challenge. And don’t forget to visit our Health and Care webpage.