The healthcare sector faces more information security risks than almost any other sector. NHS organisations experience daily, automated cyber attacks, and must also contend with targeted attacks.
With the introduction of the EU General Data Protection Regulation (GDPR) and the Directive on security of network and information systems (NIS Directive), the healthcare sector will see an increased legal and regulatory focus on cyber resilience. The former comes into effect on 25 May 2018, and the latter was transposed into UK law as the NIS Regulations 2018 on 9 May 2018.
In addition, NHS Digital’s Information Governance (IG) Toolkit has been superseded by the new, more comprehensive Data Security and Protection (DSP) Toolkit.
Cyber resilience
As cyber threats evolve, security solutions cannot always keep pace. Instead of solely focusing on preventing attackers from accessing your network, it is better to assume a breach will occur and plan a strategy that reduces the impact. Cyber resilience works by combining cyber security (a sub-section of information security) and business continuity management, and aims to defend against potential attacks and ensure your organisation’s survival following an attack.
A cyber-resilient posture can help an organisation improve its culture and processes, and reduce the financial losses associated with a breach. Implementing and demonstrating cyber resilience best practices and effective business continuity management can also help organisations protect their reputation should a breach occur.
Implementing a cyber resilience programme should also allow healthcare organisations to fulfil the requirements of national and international regulations, including the GDPR, the NIS Regulations 2018 and the DSP Toolkit.
Building a cyber-resilient supply chain
Information security is only effective when everyone accessing that information maintains a common standard of secure practices and technology. Healthcare providers are increasingly looking to their supply chain to ensure they uphold the more stringent information security and cyber resilience standards expected of them.
With the introduction of the DSP Toolkit, supply chain management will become a requirement for NHS organisations, with supplier due diligence a mandatory assertion that must be met before your Toolkit is submitted.
Cyber Resilience for the Healthcare Sector
Bringing an effective cyber resilience programme in line with international best practice can be a long-term project. The first step is to understand what your organisation’s implementation programme looks like and demonstrate that you are taking the necessary steps to improve your position.
Download our Cyber Resilience for the Healthcare Sector green paper to discover:
- The security threats facing the healthcare sector and how to mitigate them;
- New compliance obligations and how to meet them; and
- How the healthcare sector can use international best practice to achieve effective cyber resilience.