Cyber security – three recommendations to protect against the next attack

In 2017, NHS facilities across the UK were held hostage by a cyber security attack. Over 50 Trusts and Health Boards were affected, seven A&E departments were closed and treatments were cancelled. By Monday, most hospitals were back to operating as normal.

It’s thought that the culprit, WannaCry – a form of ransomware – exploited hospital computers that were missing a security patch Microsoft had issued two months earlier. The patch addressed a weakness in a network file sharing protocol.

The seriousness of the update had not been widely communicated, to avoid drawing attackers’ attention to the vulnerability. As a result, many Trusts had not applied the patch and had instead added it to the queue of updates awaiting compatibility checks against the ocean of other software used within hospitals.

Were IT systems the only reason some hospitals were caught out and others were not? The simple answer is no. With restricted budgets, cyber security training has become a low priority, and staff awareness of cyber security threats and of how to respond to them is a systemic issue.

So, what can we learn from this incident, and, as the dust settles, what should the NHS and other healthcare organisations do to protect themselves from the next attack? Here are our three recommendations:

1. Rapidly assess areas most at risk to cyber threats
2. Implement a targeted cyber security training programme
3. Champion information security and governance at Director level

1. Rapidly assess areas most at risk to cyber threats

This can be achieved through mock phishing attacks, which produce a ‘vulnerability profile’ of your organisation. Using this profile, identify short-term issues to address as well as your longer-term goals. Reassess your weaknesses later through further mock attacks.

2. Implement a targeted cyber security training programme

Once your weaknesses have been identified, address them through a schedule of targeted training modules and resources. Mix and match the media type to keep staff engaged, and reinforce learning through quizzes and real-life scenarios. Always keep the training relevant to your staff’s day-to-day responsibilities and the risks they actually face.

3. Champion information security and governance at Director level

Good information security does not end with your front-line staff. Make sure your executive team is fully briefed, and identify a high-profile champion within your organisation. Embedding knowledge from the top down ensures that robust processes flow through to the nuts and bolts of what you do.

Sounds hard? Monmouth’s information security and governance team can help you evaluate your vulnerable areas, implement a world-leading training programme and maintain your staff’s ability to avoid the next cyber threat.