Healthcare organisations have been attacked by cyber criminals seeking to exploit the Covid-19 pandemic, according to security experts in the UK and around the world, with the National Cyber Security Centre issuing fresh guidance after seeing “large-scale” attacks against national and international health bodies.
By the close of 2019, before the coronavirus pandemic, the cyber security industry was already seeing criminal gangs and other bad actors grow more sophisticated. Today's cyber criminals operate as efficient enterprises with modern business plans, whether their aim is material gain or the pursuit of political or ideological goals.
2020 brought the novel coronavirus as an everyday reality and, to quote Satya Nadella, CEO of Microsoft, “We have seen two years’ worth of digital transformation in two months”. This handed bad actors and cyber criminals a whole raft of new opportunities: staff transitioned to remote working virtually overnight, placing strain on existing services and often working from less secure, personally owned devices with fewer controls in place to prevent compromise.
Cyber security can affect, and is affecting, patient care. It isn’t just the responsibility of a few experts who know about computer programming; it is the responsibility of every single person working for our NHS to remain vigilant.
Best practice to prevent cyber attacks
The CARE Standard for Cybersecurity Readiness and Investment¹
Elizabeth Denham, the U.K. Information Commissioner, clarified in July 2019 that the severity of GDPR fines following major breaches is not determined by the fact that an organization was hacked or by the number of people impacted; the regulator expects that organizations will be hacked. Society may hold a double standard, expecting digital banks to be perfect, but the regulators do not.
The commissioner clarified that the severity of fines is instead related to the presence of adequate, reasonable, consistent and effective controls (the four characteristics that give the CARE standard its name). Gartner believes this to be the best available signal from a regulatory authority for determining how much security you need. This clarification offers the opportunity to define a new standard based on a new way to approach appropriate levels of protection (see Figure 1).
Ultimately, these are value judgements that must be credible and defensible. Within these four characteristics lies a myriad of opportunities to do what is best for the organization. The standard supports striking a balance between protection and running the business, and it embodies the incentive to build a better security capability that delivers better outcomes, rather than simply spending more money on security.
Cybersecurity Readiness Is a Choice
The purpose of a security program is not to protect the organization absolutely, because that is an impossible goal. The purpose of a security program is to balance the need to protect with the need to run the business.
If we can’t protect the organization entirely, what should we do? Cybersecurity readiness is a choice. Create adequate, reasonable, consistent and effective controls, and be able to show your key stakeholders (your shareholders, regulators and customers) that they are credible and defensible: that you are spending the right amount on the right things in security. This, in effect, is the standard the U.K. Information Commissioner describes applying when setting fines.
¹ Excerpt from Gartner report, February 2020
Posted by Nuria Sanchez on 12 January 2021