This site is intended for health professionals only


Cyber chaos

by David, Government Communications Headquarters (GCHQ)
8 February 2016

Share this article

There is an abundance of information on data security out there, but what do you do if this fails and hackers attack your online system?

Help! I’ve been robbed. Imagine the scene. You turn up one morning to open the practice, only to find that the front door is wide open, all the cabinets containing your files are empty and all the desks missing their computers. Some thieves, clearly hell-bent on getting into your practice, have ‘cased the joint’ and planned a highly-sophisticated break-in. But wait, there are no signs of physical damage and the alarm didn’t sound. Then your heart sinks. You remember being last out of the office, in a rush because you’d promised to meet a friend and were already running late. You forgot to set the alarm and double-check the door to make sure it’s locked.
And the burglars? No-one ‘sophisticated’ – just a crowd who happened to try the lock – and the rest as they say, is history. This is an all too familiar scenario, where we learn through experience to secure our buildings, but what about that patient information? How easily could that still be damaged or stolen? So much information for which you are responsible is processed by IT, yet so often we forget basic security measures.

Under attack
But you’ve installed a virus checker and someone else in the NHS looks after all the main systems eg, Spine (a collection of national applications, services and directories which support the health and social care sector in the exchange of information in national and local IT systems), so what’s the problem? Well, the problem is this: information is increasingly valuable. Criminals want it and they’ll do what they can to get it. Globally, the sale of information by criminals is increasing year-on-year, so if you’re the weakest link, it’s you they’ll exploit to access it.
One of the most common techniques criminals use is called ‘spear phishing’, where you’re sent an email that looks legitimate and contains a link you click on. That either takes you to a criminal’s website where you inadvertently enter personal information, or installs software on your machine that is capable of harvesting significant volumes of personal information. The story in the opening paragraph was meant to illustrate that while you may not think you’re a target for criminals, the reality is that malware (malicious software) can exploit your systems opportunistically.
With the increasing value of personal information, health systems will increasingly be the target of specific attacks. It’s not just about the loss/theft of information but, if your systems have been attacked in some way, can you trust the integrity of the information any longer? Do you know if it’s been altered in somehow? The implication here for patient care is obvious.
And what if malware denies you access to patient or other data? There have been increasing instances of so-called ‘ransomware’, which gives criminals the ability to lock a computer from a remote location until a sum of money is paid. Here, there is a clear effect on both patients and the ability of the practice to operate.

Education
So you’re convinced the threat is real, you’re worried about your systems. What should you do now?
The first thing is to talk to all users of information within the practice. Make them aware this is a real problem. PwC’s (PricewaterhouseCoopers) 2015 Information Breaches survey reported that 90% of large and 74% of small companies had experienced a breach, with the average cost being between £1.46 million and £3.14 millon per incident for larger companies and between £75,000 and £311,000 for smaller ones. Of course, there are also a number of well-documented cases such as TalkTalk, Sony, and Ashley Madison.
Staff education is key: everyone has a responsibility to safeguard information.
Ultimately it’s all about patients trusting that your practice is protecting their personal information. If something happens to personal information there are a range of authorities who may need to be informed eg, your clinical commissioning group (CCG), the Information Commissioner and even the police.
Malware gets into systems in a variety of ways, but the most common are by:
l Opening infected attachments to emails eg, invoices or other documents.
l Clicking on links, often sent to you by email (as used in the example above).
l Visiting infected websites.
The reality is that you won’t always know if your systems have been compromised, but suitably-configured (and updated) firewalls, anti-virus and similar products will help.

What to look out for
The advice you’ll need to give within your practice will vary from person-to-person, depending on their role and how aware they are of these issues. For those who do not have a specific IT security role, important things to think about are:
l Passwords. Make sure these are effective and not shared with anyone. Would you share your PIN number?
l Email attachments. These can contain malicious software that, when opened, infect your machine(s).
l Links. Clicking on links, whether in an email or on a website, can allow malicious software to be downloaded to your machine(s) and infect them.
The secretary of state for health has recently announced an independent review to:
l Review the effectiveness of the current approaches to data security in NHS organisations in relation to their handling of patient confidential data. This is being led by the Care Quality Commission (CQC).
l Develop new data security standards that can be applied to all health and care organisations; with CQC, develop a method of testing compliance with the new standards; propose a new consent/opt-outs model for data sharing. This is being led by the National Data Guardian, Dame Fiona Caldicott, national data guardian and chair of Oxford University Hospitals NHS Trust.
But it’s still down to practices to handle their patients’ confidential data appropriately.
Decide who in your practice is responsible for your information security, and then give them the support and resources they need.

Who can help
There are a range of accessible places to get support: make sure that your IT systems at least meet the Cyber Essentials standard (see Resources) and that information security is discussed by your practice is senior management – the 10 steps to Cyber Security (see Resources) is a good starting point.
CESG’s (Communications Electronics Security Group) own site (see Resources), Cyberstreetwise (see Resources), and Get Safe Online (see Resources). Information Governance resources from the Health and Social Care Information Centre (HSCIC) is also a must (see Resources).
But what do you do if a data loss still happens? If you’re sure a crime has been committed then it should be reported to Action Fraud (see Resources) using the online reporting tool or call 0300 123 2040.
You should also report any incident to CareCERT as soon as you become aware of it. Run by HSCIC, CareCERT is responsible for coordinating responses to cyber incidents on behalf of the entire health and care system. To help you respond to a cyber incident, CESG has certified a range of companies to help you in cleaning up systems.

Take charge
Cyber attacks are sometimes described as ‘sophisticated’ or ‘unprecedented’. While this can be the case, many attacks are, in relative terms, ‘straightforward’ and ‘well-known’ and could have been prevented.
With the very real risk of you being a victim of malicious activity, everyone in your practice needs to appreciate that cyber hygiene is as important as hand hygiene. The loss of data from your practice could be catastrophic – for patients, for staff and for the reputation of the practice and primary care more widely. As ever, prevention is better than cure – equip yourself to ensure your patient information is protected. l

David, senior relationship manager for the health sector, Government Communications Headquarters (GCHQ) (for security reasons the author’s full name cannot be given).

Resources
Cyber Essentials standard
cyberstreetwise.com/cyberessentials/
10 steps to Cyber Security
gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
CESG
cesg.gov.uk/
Cyberstreetwise
cyberstreetwise.com/
Get Safe Online
getsafeonline.org/
HSCIC
systems.hscic.gov.uk/infogov
Action Fraud  
actionfraud.police.uk