Professional Comment

Cybersecurity Risks For The Residential and Nursing Care Sector

By Jack Shreeve, Associate in the Commercial & Technology Team at Birketts LLP (www.birketts.co.uk)

The residential and nursing care sector is exposed to cybersecurity risks like any other business sector. It is a common target for attackers because of the sensitivity of the data it holds and the value of that data to criminals.

Below are some of the key cybersecurity risks facing the sector and some high-level recommendations as to how care providers can seek to mitigate those risks in their contracts with IT providers.

1. Ransomware. An example of a ransomware attack is the recent Synnovis breach. In June 2024, the NHS was the victim of a major cybersecurity incident, with London NHS hospitals needing to cancel or change appointments, resulting in a “critical incident”. In this case, the incident was caused by hackers targeting Synnovis and deploying malicious software in Synnovis’ IT environment (which was being used by the NHS). We are increasingly putting emphasis on contractual provisions requiring suppliers to have robust disaster recovery procedures in place so that, following such an incident, systems can be brought back online promptly after an outage.

2. Internet of Medical Things (IoMT). The sector is becoming increasingly reliant on internet-connected IoMT devices, and these devices are susceptible to cybersecurity attacks. To mitigate this risk, we typically ask for contractual provisions obliging providers to continuously monitor for vulnerabilities and to implement patches in a timely manner where vulnerabilities are identified.

3. Data protection. If a cybersecurity incident results in the loss or dissemination of personal data, a care provider could face considerable consequences from the Information Commissioner’s Office (ICO). The full range of potential consequences is beyond the scope of this publication, but care providers should bear in mind that for the most serious personal data breaches, the ICO can issue fines of up to £17,500,000 or 4% of the company’s annual worldwide turnover. Appropriate data processing agreements should be put in place, with adequate liability provisions, to give the care provider an effective remedy in the event of a breach.

4. Composition of software. The use of open-source software in the underlying code of licensed software should be carefully considered. As the Log4j vulnerability showed, a vulnerability in a widely used open-source component can be exploited with widespread impact. We typically ask for a warranty that the software being licensed does not contain open-source software. This typically results in either: (a) the provider disclosing the extent of the open-source software in the code; or (b) the provider giving the warranty. Where open-source software is disclosed, the care provider’s IT team can check those components for known vulnerabilities and/or restrictive open-source licence terms.

5. Phishing. Phishing attacks, in which attackers trick individuals into providing sensitive information, are common in a care provider setting. These attacks often target employees through emails that appear to come from trusted sources, leading to data breaches and unauthorised access. These risks can be mitigated by documenting access controls that limit the information employees can access, securing audit rights in respect of IT providers, and insisting that IT providers implement multi-factor authentication.

Industry standards that apply to a client’s business can be a useful tool for imposing security measures on providers. For example, the NHS Data Security and Protection Toolkit provides a framework for assessing data security and protection measures within NHS organisations, and compliance with the toolkit is mandatory for all NHS entities. The toolkit could be referred to in the contract with the provider as the minimum standard expected of the IT provider.

Our advice is that care providers can seek to mitigate cybersecurity risks by:
a. ensuring that detailed due diligence is carried out in respect of IT providers (to properly vet that the provider has the relevant accreditations and certifications in place, such as Cyber Essentials and ISO accreditation); and
b. putting in place contracts which properly allocate risk between the parties and, in the event of a breach, provide the customer with an effective remedy.
