By Daniel Casson, Care England’s Digital Transformation Adviser | March 23, 2022
There is general heightened awareness of the threat of cyber-attacks in the wake of Russia’s invasion of Ukraine, and care providers are not immune to the potential for disruption.
Daniel Casson, Care England’s Digital Transformation Adviser, gives instruction on how providers can protect themselves and their data.
While many care providers feel that they may not be specifically targeted, it is important to note that many attacks on organisations are not due to what or who they are. Rather, any organisation is vulnerable because of the links they have to the wider world – to banks, legal firms, local authorities and the NHS for example. So beware.
In late February the National Cybersecurity Centre (NCSC), Britain’s cybersecurity agency, released a briefing which is summarised in the following statement:
“While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber-attacks on Ukraine with international consequences.”
5 steps to counter the increased potential for cyber disruption
The Data Security and Protection Toolkit (DSPT)
We are lucky in care that there is a ready-made tool for us to benefit from. The Data Security and Protection Toolkit (DSPT) has become an increasingly relevant tool in the armoury of cyber awareness.
The attraction of publishing the DSPT is not only that it helps your cyber security, but it is also a gateway to co-operation, co-ordination and integration with many health service partners, and is a prerequisite for accessing NHSmail.
Now more than ever I urge care organisations to ensure they publish the DSPT to ‘Standards Met’, because it will give you a good cybersecurity base. And, if you have changed your IT systems or developed new services, don’t forget to review your DSPT to ensure you’ve thought through the implications of any changes.
Much work has been done over the past couple of years to make it user-friendly for care providers, and I cannot counsel strongly enough that it should form the basis of your cyber security planning.
Now is the time to check with any digital suppliers you use that they are keeping up to speed with emerging cyber threats, such as the Russia/Ukraine situation and the Log4J vulnerability, and taking appropriate actions to protect the systems you use.
For ease of reference, you can direct them to the NCSC website, which has information on Log4J and guidance for all UK organisations regarding the war in Ukraine.
Cyber security business continuity plan
Do you have a cyber security business continuity plan in place? It can be daunting to think the unthinkable, and that is why there are resources out there specifically for care organisations. If you haven’t got a plan in place, I strongly urge you to start thinking about it now.
The good news is there is a template for you to work with. The business continuity template and guidance produced by Digital Social Care is a great start and gives you a plan to cover data and cyber security. It also makes suggestions as to how you can test your plan to see if it will work in practice. Do note that a form of business continuity plan for data and cyber security is necessary to successfully publish the DSPT.
If you already have a plan in place, talk about it with key staff members, review it and test it.
Back up your data regularly
You are always at risk of having your stored data damaged, deleted, stolen, or held to ransom, so it is important to back up your most important data. The backup should be to somewhere separate from your computer such as a secure external hard drive or cloud-based storage system.
Two documents I advise you to refer to are Digital Social Care’s guidance on data back up and the NCSC’s backups in an online world. Of the five tips for backing up your data as listed by the NCSC, the most important one for me is that once you have the back-up systems in place, make backing up part of your daily routine.
Create a Cyber aware culture
Cybersecurity is a way of thinking and working. If you talk about it at team meetings, mention it in progress reviews and make people aware that cyber security is an issue for all of us, then you stand a better chance of combatting any potential disruption.
As we take on more digital tools, the potential for disruption grows, and so people in all parts of your organisation need to be cyber aware, so make it an everyday subject of conversation.
If you need more help
There is help out there for any care organisation. I am lucky to be doing some work with the team at the Better Security, Better Care programme. Any care provider in England can access free cyber security support from the programme, and there is a really useful system of Local Support Organisations.
If you are concerned that your local authority partners need to know more about cyber risk, please refer them to The Local Government Association’s guidance and the LGA Cyber 360 programme.
Protecting our data – and our relationships
Over the past two years, we in social care have consolidated our role in the health and care system as trusted partners for our colleagues in health services. It is important to retain that trust, so it is in our interest to show that we are prepared for a cybersecurity threat. I urge you to put the necessary systems and culture in place, so you can retain your cyber integrity.