Professional Comment

Planning for a More Cyber-Secure 2021: How to Protect Sensitive Data and IT Systems

By Andrew Kays, Chief Operating Officer, Socura

It’s been a challenging year for the care sector. But cyber-criminals are not known for their compassion. As more businesses look to technology systems to improve resident care and trim costs in 2021, they may unwittingly expose themselves to an increased risk of cyber-attacks, which could seriously impact the bottom line.

Fortunately, with a few best practice steps, nursing and care home businesses can do a great deal to keep such threats at bay.

PROS AND CONS

There has been an understandable drive to improve sharing of resident information throughout the health and care sector of late. Seamless access to such data through online systems can help with personalised care planning, transfers of care, and even things like checking and dispensing medication. It all adds up to a better service for the residents and more productive staff.

But using internet-facing systems also increases the risk of cyber-thieves getting hold of that data, which can then be sold on to scammers to commit identity fraud. Another emerging risk is ransomware, where a criminal gang may first steal sensitive data before locking you out of your IT systems until a ransom is paid. Such threats aren’t just aimed directly at care home providers—you could also be exposed via any service providers you use. In one 2019 ransomware attack in the US, 110 nursing homes were cut off from accessing resident health records after the IT service provider they shared was hit.

THREATS ARE GROWING

The UK government’s Cyber Security Breaches Survey 2020 reveals that nearly half (46%) of businesses reported a breach or attack over the previous 12 months. Of these, 86% said it involved phishing—where email recipients are targeted with spoofed messages designed to trick them into divulging log-ins or installing malware.

The impact of such attacks can be significant: care and nursing homes not only have to spend time and money to recover from incidents but, if the incident is serious, may even suffer reputational damage that impacts business. According to that government report, one in five (19%) businesses that have suffered an incident experienced a “material outcome” leading to loss of money or data. Two-fifths (39%) said they were “negatively impacted”—in other words they were forced to put in place new security measures, divert staff time, or suffered wider business disruption.

A SAFER 2021

Attackers are targeting care homes because of the large amount of sensitive resident data they store, and the fact that businesses in the sector are perceived to have less to spend on cyber-defences. High staff turnover can also make it difficult to create a security-first culture.

Fortunately, there are government-approved best practices that will help a great deal in mitigating cyber risk. Important measures to consider are: staff training in cyber awareness; anti-malware from a reputable provider on all PCs, devices and servers; frequent data back-ups; firewalls; and updating all your operating systems and software so they’re always on the latest versions. The UK government-backed Cyber Essentials scheme is a great place to start and should be part of every organisation’s cyber security planning.

Enabling multi-factor authentication (MFA) is also a fundamental step to ensure any user who logs in to your online accounts is who they say they are. Enhance this with a best practice “least privilege” access policy, where users are only allowed to access the information they need to do their job and no more. For example, during vaccinations, a nurse may not need to access all patient data, only the relevant details to administer the jab.

This will all help to reduce your cyber risk exposure. These are also measures recommended by GDPR regulator the Information Commissioner’s Office (ICO), as are data pseudonymisation and encryption to protect sensitive data in the event it is stolen. The ICO also demands that organisations perform Data Protection Impact Assessments (DPIA) to ensure any data processing that is potentially high risk has the appropriate safeguards in place. A DPIA is a great way to understand your risk and what measures you have in place to mitigate this risk, giving you the confidence you are doing the right thing.

More advanced still, consider penetration testing to spot any unseen vulnerabilities in your IT environment, and real-time monitoring of network traffic to detect suspicious activity. Third-party providers can be helpful here as they have accrued all the necessary expertise in-house, so you don’t have to. A large amount of this activity can be automated, but human analysis is essential to provide extra context and intelligence.

Managed detection and response (MDR) is increasingly being adopted by health and care organisations of all sizes as it provides 24/7 threat detection and response, rapid response to mitigate cyber risk early on, and acts as an extension of your security team.

For more information, visit www.socura.co.uk.