Understanding an organisation’s dependency on its digital solutions is a critical part of service continuity planning, as David Newell, Gemserv’s Director of Healthcare, explains.
AS ANY clinician will tell you, prevention is better than cure. If we can make sure that people take care of themselves – by eating healthily, taking exercise, and for some, moderating their alcohol intake, then fewer will end up being ill.
The same is true when it comes to cyber security. It’s far better to make sure that our health services have the right measures and policies in place to prevent attacks, rather than dealing with their aftermath of another malware attack.
The importance of prevention rather than cure has become more acute during the pandemic. Over the past eighteen months, we have seen an ever-increasing emphasis on digital solutions, from online consultations, remote monitoring, as well as testing kits and repeat prescriptions being ordered via the internet.
At Gemserv, we see this trend through our own work in pathway re-design. Digital is now a key component of the optimal pathway. Digital transformation is touching every part of the health service, from remote monitoring helping patients to recover in their homes rather than hospital wards, through to cutting waiting times for patients who need to come into hospital for tests or procedures.
As Lisa Hollins, Director of Innovation at NHSX, explained in her recent blog post1, 25% of colonoscopies fail because patients have not taken the right steps to prepare for the procedure, and so advice is being given to patients digitally, which will help reduce waiting times. NHSX is investing £6.5 million in thirty-five digital projects through its adoption fund to support the recovery and sustainability of services, while also improving experiences for patients.
Digital pathways will also have a direct impact on the carbon footprint of the NHS, helping the health service to meet its low-carbon ambitions. As I explored during a blog post2 over the summer, only a fraction of the cuts needed for NHS emissions targets can come from decarbonising heat and transport, with the lion’s share needing to come from the way it delivers services.
Our reliance on Digital will only continue to increase and with it comes new challenges.
Cyber threats are no longer ‘rogue events’
As digital solutions increase, so does the service’s reliance on these new pieces of technology and software operating without interruption. Our experience is that business continuity and cyber-security have been treated in isolation – with cyber threats being seen as “rogue events.”
Sadly, we have seen that this is no longer the case. The attacks by the Conti ransomware group back in May on the Irish government’s Department of Health and the Health Service Executive (HSE) underlined how digitally dependent modern healthcare has become.
Memories of the 2017 “WannaCry” ransomware attack – which disrupted more than one third of NHS trusts – are still fresh in many people’s minds. Following the Irish attack, NHS Digital highlighted the threat of ransomware in the UK is still “a clear and present danger” and reported that it is blocking more than twenty-one million instances of malicious activity each month3.
We also see the prevalence of threats increasing around the world. Technology firm Protenus’ breach barometer showed that hospitals and healthcare systems in the United States reported a 42% rise in hacking incidents in 2020 for the fifth year consecutively4.
Our own threat intelligence service, used by government organisations and strategic security partners in multiple industry sectors, demonstrates the enhanced capabilities and continually evolving nature of the threat actors that prioritise the NHS as a high-value target.
These twin threads of business continuity and cyber-security must now come together to reflect the reality that digital solutions are now a critical link in the chain. Being unable to use a computer in a hospital or health centre due to a cyber attack is no longer simply about the inconvenience of being unable to send emails or access records – instead, a cyber attack will cut off patients from potentially life-saving treatments and services.
How health services can integrate cyber-security into their business continuity plans
We have first-hand experience of how health services can weave cyber-security into their business continuity planning thanks to our work across integrated care systems. By Christmas, we expect to have worked with some 40 healthcare provider organisations, helping them map their dependency and – more importantly – the action they need to take in the event of a threat materialising. We’re also helping them to prepare, so they can prevent attacks occurring in the first place.
We advocate a risk-based approach to ensure that actions are pragmatic and prioritised by need. Essential to this approach is making it real – testing the policies, the procedures, and those responsible in real-life simulations to ensure the response is robust.
A four-step approach helps us to achieve those goals:
- Review existing policies and procedures to ensure they are complete and appropriate;
- Develop a “real” test scenario that reflects the nature of the potential threat in the context of local service configuration;
- Run the scenario in real time to expose the organisation and key players to test their response;
- Develop a risk-based action plan to address the key issues and weaknesses identified in the exercise.
Our proven approach can be utilised by any organisation, but it is of its greatest value when it is used across a healthcare system. Working at scale and across interdependent care providers delivers even greater value. As an example we delivered this approach across twenty-two organisations in Cheshire and Merseyside.
The Detailed scenario was developed by Gemserv Health, with input from Cheshire and Merseyside Health and Care Partnership, to find out how the integrated care system would respond to a cyber-security incident.
Paul Charnley, digital lead for the ICS, explained that commissioners, councils, hospitals and other providers in the area have their own policies and procedures in place. But the ICS does not have an overarching response that was tested and ready to use.
“NHS Digital has a data protection toolkit that requires every organisation to plan for and rehearse its response to a cyber attack, but one of the things that we learned from WannaCry is that a cyber incident can impact a large geography, very quickly,” he said.
“We need to be able to co-ordinate.”
He adds: “The exercise that we ran really brought that to life.
“It was very salutary and very helpful, and it has given us a lot to think about.
“We have learned a lot since WannaCry, but we are in an arms race with the hackers, and we’ve still got more to do.”
It is a simple reality that unfortunately, the attackers only need to be successful 1 out of 100 attempts, whereas the defenders need to be on their game 100 out of 100 times; so it’s an unequal game of cat and mouse. If you would like to understand more about our threat intelligence service or how our scenario planning can enable to stay one step ahead then please contact us.