Most care providers I speak to are increasingly aware of the value of going digital – it improves decision making through access to current information and increases efficiency. They also have valid concerns about risks.
Cyber-crime is now a part of our modern world. We’ve all seen those well-disguised emails and texts inviting us to click on a credible looking link.
As care professionals, we have to be alert. We access and share sensitive information, from clients’ health and care records, to the bank details of our employees for payroll purposes. That’s precious data to a cyber criminal, who can demand a ransom to release it, or use it as part of identity theft.
As part of the Better Security, Better Care programme, I’ve been struck by the rise in care providers coming forward for support on cyber security – often driven by their desire to make the most of digital social care records.
We guide providers through the Data Security and Protection Toolkit (DSPT) – the official self-assessment toolkit for our sector.
They quickly understand the importance of, for example, using strong passwords and training staff. But the DSPT often reveals significant gaps in their arrangements. Conversely, we are encouraged by this, as it opens the door for care providers to have an informal discussion in a supportive setting and start thinking about areas they have not yet felt the confidence to tackle.
Consider the full digital supply chain
Many care providers do not consider the full ‘supply chain’ when thinking about their cyber security. That chain includes their own tech and IT suppliers, as well as the organisations and individuals who connect with those systems in any way. It includes the suppliers, managers and users of tech systems that providers access but don’t manage directly – for example, electronic medication ordering systems that are managed by pharmacies and GP-led proxy access systems.
A weakness at any point of the supply chain can ripple out and affect everyone. Cyber criminals are smart like that – they will exploit any open door, and once they are in, it’s difficult to stop them. Among the many small and medium-sized providers I have worked with, the primary concerns are “I don’t know enough about this, I don’t talk ‘technical language’ and I lack the confidence to even know where to start”. But in reality, it can be as easy as having a conversation with your IT supplier and asking for their business continuity plans, which should outline the steps they will take in the event of disruption to their service.
Include cyber security in business continuity plans
The DSPT is also ensuring providers add cyber security to their business continuity plans. We’re very aware that care providers are well used to ‘thinking on their feet’ and most, if not all, have continuity plans for situations such as staff and petrol shortages. But many get nervous about planning for a cyber incident due to a perceived lack of knowledge, when in reality it is a relatively simple process that could save time and money in the event of a cyber incident.
For example, we encourage providers to think about: What would you do if you could not access the data held in digital care records, or digital staff rostering systems? Do you have accessible back-ups?
The Digital Care Hub (formerly Digital Social Care) has guidance and templates available on creating and testing a business continuity plan for data and cyber security.
Free, expert support
The great thing is that, in parallel with the Digitising Social Care programme which encourages care providers to go digital, we also have Better Security, Better Care. We are the official support programme on data and cyber security and the Data Security and Protection Toolkit. The programme is completely free and includes detailed online guidance, webinars, template policies, and direct support from 28 local support partners across England. I strongly recommend that care providers take that first step and contact us for free, expert support.
Find out more at Better Security Better Care.
Access free Keep IT Confidential tools to use with staff.
2 comments
Comment by Kevin Holder posted on
I have had my concerns with this 'eggs all in one basket' approach for some time now. We still maintain written records on service users and scan and upload every three months. In the event of a cyber attack/ransomware we still have our written records as back up. This applies equally to risk assessments and Safe Systems of Work. I like the idea of adding the issue to the Business Continuity Plan and will be acting on that advice immediately, thank you.
Comment by Biomedis posted on
In what ways does cyber-crime impact the healthcare sector, and what sensitive information is at risk when it comes to cyber attacks?