As the business landscape continues to become ever more digital and global geopolitics contribute to an unprecedented number of cyberattacks, robust cybersecurity measures have never been more vital to running a successful company, and this is especially true in the health and social care sector. When your business handles sensitive data like care plans and health records, and when your digital infrastructure supports people and not just products, it’s crucial that you and your company maintain a cybersecurity solution which is resilient and forward-thinking. In ClouDoc’s June blog post, we explore this key element of delivering a high-quality service, considering some of the emerging trends, problems, and solutions in today’s digital business world, and discussing why the stakes are higher than ever in the cybersecurity arms race.

The healthcare sector, which operates in close symbiosis with health and social care, is one of the most common targets of cyber-attacks worldwide. Cybercriminals understand that healthcare organisations process massive amounts of sensitive data, often in a centralised location to facilitate information sharing between healthcare professionals, and this sensitive data offers the kind of leverage which opens healthcare providers up to ransomware. Because healthcare is often literally a matter of life and death, ransomware attackers rely on organisations’ need to return to operating capacity as quickly as possible, hoping that this will make them more likely to give in to demands.

The human cost of such attacks requires no longer requires any speculation; in September 2020, a ransomware attack completely disabled the admissions and records systems of a hospital in Düsseldorf, Germany, and this delayed the treatment of an older woman suffering an aneurysm who consequently died as she was re-routed to an alternate hospital. Prosecutors in Cologne attempted to have this brought before the courts as a case of negligent homicide, leading many to call this the first case of ‘death by ransomware.’ Those responsible were never caught.

However, while such tragedies do occur, research suggests that the vast majority of cyberattacks are financially motivated and are perpetrated by cybercriminals and not nation-states or terrorists. In most cases, criminals seek to cause disruptions and interrupt the normal workflow of businesses and services to extort money. Although most cyberattacks do not have lethal or life-threatening consequences, they can result in data breaches which require notifications be filed with the Information Commissioners Office (ICO), or require you to inform your service users and stakeholders. This could be damaging to your business’ reputation, and in the worst cases, such data breaches may result in safeguarding concerns for service users or legal action against your business.

Cyberattacks can affect almost any area of your digital infrastructure or that of your business partners or Local Authority. Criminals may seek to access or damage electronic health records, telehealth platforms, communication systems like your email, Electronic Call Monitoring systems (ECM) in domiciliary care, and more. Disruption to any one of these systems could result in a diminished quality of care for your service users by decreasing your operational efficiency and denying access to crucial resources like care plans, personal details, and notifications from other professionals in the service user’s care network.

Though Small and Medium Enterprises (SMEs) in the health and social care sector hold a lower quantity of sensitive data when compared to the massive and centralised databases of the NHS and other healthcare organisations, criminals are still aware that the information they do store is every bit as sensitive, valuable, and open to ransom or exploitation. In addition, private-sector SMEs are more likely to have decisions regarding budgeting and finances fall to just one person rather than forming a shared responsibility. As such, if cybercriminals are able to target directors, treasurers, or accountants specifically, they may be more able to extort or deceitfully extract funds without additional checks or oversight.

And while the Government’s public-sector cyber defences will be managed by the centralised Government Cyber Coordination Centre (GCCC), for SMEs and private providers, it will become key to maintain a keen awareness of the latest government guidance and developments in the cybersecurity sector.

As in other areas of care delivery, maintaining high-quality cybersecurity defences works best when providers collaborate and share information. The Government’s Cyber Strategy emphasises the importance of the ‘defend as one’ principle- the acknowledgement that the increasing pace and prevalence of cyberattacks demands cooperation and information sharing.

Beyond adherence to Government and Local Authority guidelines and best practices, providers should work in collaboration with each other and encourage conversations and awareness within their own organisations. Starting such conversations and incentivising a strong culture of cybersecurity and computer literacy can be one of the strongest defences against social engineering attacks like phishing emails. Similarly, when staff know the causes and symptoms of malware infections, and this knowledge is backed up by an organisational culture of performing regular virus scans and escalating concerns to management, vulnerability is greatly decreased.

Cybercriminals rely on instilling a sense of urgency and fear in their victims, whether through the use of ransomware or with fraud and social engineering attacks. This is why it is crucial that suspicious emails, calls, and computer behaviour are discussed and reported. There should always be someone else in the loop before money or sensitive information changes hands in a way you weren’t expecting.

Gaining Government Cyber Essentials accreditation is a great way to enhance your cybersecurity defence. By completing their basic self-certified course, you and your employees will be empowered to defend your business against the vast majority of basic cyberattacks. According to Government guidance, most cyberattacks consist of simple phishing and fraud attacks which are easily avoided when your staff know what to look for. To gain Cyber Essentials Plus certification, a hands-on technical verification of your cybersecurity measures is carried out, providing the same benefits with an extra level of reassurance.

If you work under a tender or with a Local Authority, they may already stipulate that Cyber Essentials certification is required. Even if they don’t, getting certified reassures your existing and future customers and business partners that your organisation takes cybersecurity seriously, and has measures in place to mitigate vulnerabilities. Having an honest and clear understanding of your existing cybersecurity measures, and the potential vulnerabilities therein, will allow you to more effectively foster a culture of awareness and caution and to know the signs that something is wrong. If you need to, working with reputable external cybersecurity professionals or consultants to mitigate damage or increase your defences can be a good idea. When dealing with large quantities of sensitive data, knowing your limits and when it is appropriate to alert external agencies like the ICO or Local Authority can significantly reduce the harm caused by an attack.

As you lead your business towards greater cybersecurity resilience, you should ensure you and your staff are up to date with the latest Government guidance. The Cyber Security Strategy 2022 – 2030 is the Government’s plan to significantly harden all public sector systems against cyberattack by 2025, and it’s a safe bet that many of the lessons learned and applied by the Government in this time will be applicable to your business. Even when this is not the case, staying well-read and up-to-date on the public sector cybersecurity landscape will allow you to develop a strong culture of awareness and vigilance in your service, giving you and your staff the best chance to catch and resolve an incident early.

ClouDoc’s documents and policy management system makes it easier than ever to maintain a compliant and comprehensive set of operational documents. Edit your policies from anywhere and manage access permissions, updates and more for an unprecedented level of control. Our expert writers keep documents up-to-date with the latest legislation and industry best practices to ensure your business and your employees are always up to speed. Why not give our dedicated team a call today on 0330 808 0050 and find out more?