Aligning with the NHS data protection standards

Cybersecurity, data protection, e-safety and ransomware are all terms that we have become very familiar with – as they say, ‘The threat is real’. Paul Heath, regional director, UK&I Public Sector at McAfee, discusses the requirements of the government’s new data protection regulations and the steps GP practices can take to meet them

The past year has seen a massive awakening in consciousness around the scale of the cybersecurity threat to healthcare. In May, WannaCry took out large swathes of the NHS, forcing at least 6,900 NHS appointments to be cancelled, while one third of all NHS trusts reported that they had fallen victim to a ransomware attack over the past 18 months.

It is not surprising, therefore, that a recent survey found that one in four UK healthcare IT professionals are not confident in their organisation’s ability to respond to cyberattacks. With the very real prospect of sensitive data loss or disruption to patient services, all healthcare organisations must ensure that minimum data protection and security standards are maintained.

This was the motivation of the Department of Health when it recently launched a framework of ten new data security standards for health and care organisations, based on the recommendations of the National Data Guardian for Health and Care, Dame Fiona Caldicott. The framework requires all health and care organisations to comply by April 2018, so every GP practice must start taking steps now to ensure it will meet the new requirements.

So, what are the new security standards and what should GP practices be doing to meet them?


Practice managers must ensure they are engaging with the cybersecurity threat; the new requirements call for ‘senior level responsibility’. This senior sponsorship will be important when engaging all stakeholders across the practice in meeting the existing data protection requirements – the Information Governance Toolkit and the General Data Protection Regulation Checklist – both of which are cited within the new data security standards.

All employees will also need to take annual data security and protection training. Research has found that over 90% of cyberattacks rely on credentials or access details that employees have unwittingly handed to attackers, typically through phishing, so guidance in the basics of good cyber behaviour (recognising suspicious emails, never sharing passwords, reporting anything unusual) is essential if organisations are to have a fighting chance.


GP practices will also need to show that processes are in place to respond to immediate cybersecurity threats flagged by CareCERT advisories. A primary point of contact must be established to receive the bulletins sent out by the NHS Digital Data Security Centre and to co-ordinate the practice’s response. For High Severity CareCERT advisories, the practice must respond to CareCERT Collect within 48 hours, showing that it has a plan to act on the alert.

A comprehensive business continuity plan is also required for when a practice falls victim to a data or cybersecurity incident, so that patient services can continue while systems are restored. Staff must also report any incidents and near misses to CareCERT in line with the reporting guidelines.


With one in five healthcare IT professionals reporting that Windows XP, which Microsoft stopped supporting with security updates in April 2014, is still running on their networks, it is unsurprising that the new framework requires organisations to identify, and put in place, a plan that will either mitigate or remove any risk in unsupported software, hardware and applications by April 2018. That starts with an accurate inventory: a practice cannot patch or retire what it does not know it has.

Organisations will also be required to undertake on-site data and cybersecurity assessments when requested by NHS Digital, as well as to share the outcomes and recommendations of such assessments with any relevant commissioner.

Practices will also need to continue to do their due diligence when procuring IT, ensuring that the supplier and its systems hold an appropriate certification. Whether purchasing through the government Digital Marketplace or checking that the vendor has completed the Cyber Essentials scheme, practices must ensure that their IT procurement does not introduce undue risk to their systems and data.

What’s the next step?

It would be very easy for GP practices to approach the new standards as a box-ticking exercise – but those that use this framework as an opportunity to reassess and re-approach their cyber processes will find themselves on the front foot, in a position to strategically build the holistic cybersecurity programme necessary to weather the current aggressive cyber threat landscape. Automated solutions and vendor partnerships mean it has never been easier for an organisation to deliver strategic, seamless cybersecurity defences.

With the requirement for senior leadership responsibility cited within Dame Fiona’s report, I challenge practice managers to take this one step further and make improving data and cybersecurity their mission. Only with the right senior sponsorship can a GP practice take the new framework from a box-ticking exercise to the achievement of true change – and this will, ultimately, be essential to the continued delivery of a safe and secure service to both health professionals and their patients.
