Primary care consultant Daniel Vincent reminds practices how to keep safe from data breaches and flags up recent examples of NHS security scams
As more and more practice processes move online, cyber security has become increasingly urgent as well as important. However, cyber security is not just about technology – it’s also about people.
Despite all the sophisticated technology available to protect data, user error remains the leading cause of data breaches. This includes things like weak passwords, clicking on malicious links, and opening attachments from unknown senders.
Action to take to prevent user error being the cause of a cyber attack, include:
- Having a strong password. This is essential to keep your accounts safe from hackers. In an ideal world, you would use a different password for each login. This password should be at least 8 characters with capital numbers, letters and a special character. If this is not possible then you should create several tiers of passwords. All should be ‘complex’, think of this as creating a firebreak should one of your passwords be compromised.
- Be aware of malicious links. If you receive an email from an unknown sender with a link, don’t click on it. The link will likely take you to a page that replicates a genuine login page such as NHSmail. Here you will login ‘as usual’ but receive an error. Your details have in-fact been sent to the criminal.
- Similarly, be careful about opening attachments from unknown senders. If you’re not expecting a file, it’s best not to open it. These will often be an invoice or credit note or more recently a ‘scanned document’. The email will say something like, ‘Please find attached the invoice for the goods you ordered, please ensure we receive payment within 7 days’. This creates both intrigue and urgency. When you open the file, it will contain malicious code that is installed on your computer. This code might be a keylogger that records all the keystrokes on your keyboard and send them to the criminal.
Social engineering is also a growing threat. This is when attackers use psychological manipulation to trick people into giving them access to systems or sensitive information. This can be done through fake social media profiles, a phone call or even face-to-face interactions.
Be aware of the following social engineering threats:
- Fake social media profiles in the names of existing staff members that are used to trick people into revealing sensitive information. Attackers may try to exploit your natural tendency to trust others in order to gain access to sensitive information. Be on the lookout for red flags, such as someone asking for personal information that they shouldn’t have access to, and don’t be afraid to say no if you’re not comfortable with what someone is asking for.
- Managers receiving emails from their GP partners that appear legitimate. The email states that they are abroad and have had all their cards stolen, and will ask if you could transfer money, so that they can get home. How do the criminals know the GP in question is on holiday? Well, how many times have you heard a receptionist say, ‘I’m sorry but Dr Jones is on holiday this week?’ Be aware of the information you inadvertently give out to people. Also check what your out-of-office messages say.
- Individuals calling practice’s pretending to be from their Commissioning Support Unit (CSU) IT support team. We have seen several alerts about this. During the call, the person will share what is actually publicly available information about the practice to build trust before asking for the information they want to obtain. This might be a direct request for login information or perhaps an email address, so they can send across a link to the ‘secure submission form’. Those that have been involved in this scam, have commented how careful they usually are and how surprised they were to have been caught out. It demonstrates that no one is immune to these kinds of attacks.
- Organised gangs, wearing official uniform, making their way round hospitals gathering (and stealing) equipment before leaving. NHS Trusts across the country report losses running to millions of pounds each year, as a result of this scam. One might hope that since premises and teams within primary care are smaller it might be more difficult for gangs to infiltrate in this way. But the increased reliance upon locums and the introduction of ARRS staff, as well as visiting third sector teams means there are significantly more ‘strangers’ are in our workplaces. When you meet someone in the corridor that you don’t know, would a ‘staff’ lanyard around their neck be enough to stop you challenging them and asking the question, ‘Who are you?’
What can you do to help?
- The risk associated with cyber attacks should force cyber security near to the top of the agenda. In fact, we see this with the inclusion of Information Governance training in the mandatory staff training list, which is part of the Data security and Protection Toolkit that all practices must complete. This training, however, often focuses on the release of confidential information, such as details within the medical record, rather than the cyber security itself.
- It is important to test people’s cyber security knowledge and training regularly. This helps to ensure that people are up-to-date on the latest threats and how to protect themselves. You can also adapt your current training to meet the gap that present during testing. This testing should also be logged as evidence for the Data Security and Protection Toolkit annual return.
- I have found that sending team members real life examples of incidents is the most impactful way to ensure cyber security is on their radar. It demonstrates how it could happen to them, and hearing the effect (and damage) it had on the patient(s) and the practice, including consequences such as data breach fines can be powerful.
- Your IT provider will have to face the consequences of any breach alongside you and therefore will likely subscribe to the belief that, ‘prevention is better than cure.’ Start a conversation with providers about what testing and training they can provide over and above an e-learning course.
With the correct training, testing and regular reminders team members are much less likely to fall foul of a human targeted cyber attack.
Daniel Vincent is a former practice manager and independent primary care specialist. Read more from him here