Cyber security and the NHS in the wake of virtual outpatient appointments

Alan Bonfield, Director at Monmouth, explores what the increase in virtual outpatient appointments during Covid-19 and beyond means for cyber security

Virtual and video outpatient appointments have become the norm for many NHS and private patients since late March. It was already on the cards. The NHS Long Term Plan pledged to cut the annual 400 million face-to-face appointments provided by GP practices and hospital outpatients by one-third. However, Coronavirus has expedited this aim.

NHS providers all received access to video consultation technology as part of the Covid-19 response, converting thousands of outpatient appointments to digital ones. Around 6,000 video appointments are taking place per day across health organisations. There is also an impetus to better connect clinicians and healthcare providers and to link up patient data.

While this gives NHS trusts and GP practices an opportunity to embed a more virtual-led approach into both primary and secondary care, it also has important implications for cyber security and for protecting personal healthcare data.

In June, the National Cyber Security Centre reported an increase in cyber attacks on the NHS as hackers attempted to access sensitive data linked to COVID-19. Jeremy Fleming, director of GCHQ, said: “There is a lot of low-hanging fruit, still, in Cyber Security.”

He went on to explain that hackers were exploiting basic vulnerabilities in NHS cyber security. “They’ll still try and use lures to get people to click on the wrong thing or will look for vulnerabilities where people aren’t backing up properly – or where they’ve got basic passwords and so on.”

There are two key areas where organisations can focus to improve or maintain their cyber security in the wake of increased technology use in the healthcare sector:

  • Training and awareness of staff – The actions of individuals are an organisation’s biggest vulnerability when it comes to cyber security. Hackers intentionally attempt to gain access to systems by targeting members of staff via various routes, including phishing and social engineering. Organisations that handle sensitive, personal and NHS data should ensure that staff receive regular security training and awareness sessions so that they understand the risks and the signs to look out for. Training can be supplemented with local campaigns that use simulations to test staff reactions to phishing attacks.

  • Infrastructure security – Things change quickly in the world of technology, and cyber criminals are becoming more sophisticated in their ability to exploit weaknesses in an organisation’s infrastructure. An ongoing programme of testing (vulnerability scanning and penetration testing) and remediation is recommended to ensure that an organisation maintains a secure environment and can assure its clients and patients that their data is secure.