How NHS boards and private sector providers should be preparing to deal with cyber-attacks.
The striking and immediate impact of the cyber-attack targeting pathology services provider Synnovis should prompt the boards of NHS and private sector providers to take a serious look at their cyber risk profile, risk mitigation and preparedness for dealing with a significant cyber-attack. This attack highlights one area of risk which is especially relevant in the healthcare sector – supply chain attacks.
Managing supply chain risk
Healthcare providers operate in an ecosystem of significant operational, technical and regulatory complexity. The regulatory environment for healthcare emphasises the importance of risk identification and risk mitigation. In the context of third-party suppliers, that begins with appropriate due diligence. Asking the right questions and assessing the supplier’s responses requires appropriate knowledge and expertise. Where suppliers have already been onboarded, monitoring of that relationship and of any changes in the service offering, delivery partners or contractual relationship is essential. This should be supported by proportionate use of audit (with the help of outside and cross-industry expertise in cyber) and the provision of appropriate assurances from the supplier.
Understanding and measuring organisational resilience is key to mitigating the impact of cyber-attacks. Getting resilience right requires planning and time, but it can pay significant dividends in reducing the risk of successful attacks and in minimising service interruption in the event that your systems, or those of your suppliers, are breached or unavailable for an extended period of time.
Innovation
Healthcare is a key sector for technological innovation. Organisations are confronted by a widening array of new technology which promises improvements in productivity or efficiency, and resource-poor organisations may rush to implementation. Equally, providers, including NHS trusts, may see the development and commercialisation of technology or software as offering a lifeline of additional income. Becoming a supplier of technology or software brings a range of new risks for organisations, and it is crucial that they understand the limits of their expertise and seek appropriate professional advice to quantify and manage those risks. Careful consideration should be given to the potential liabilities which may result and to how those risks can be managed through appropriate contractual arrangements, capital allocation and/or insurance where available.
Board-level decision making
Board members need to ensure that they have sufficient information and, if necessary, independent external advice to enable them to discharge their responsibilities. To do this effectively they should develop a set of business-impacting cyber scenarios covering first- and third-party risk, and, at a minimum, seek to stress test their precautionary arrangements against them. For board members of NHS trusts and Foundation trusts it is important to comply with the requirements of the NHS Provider Licence. Board members in the healthcare sector will be alert to the personal impact which may result if failures in risk management were to reach the threshold of serious mismanagement under the Fit and Proper Person regime.
CyXcel can provide independent expert advice on your cyber and data risk exposure, risk mitigation and resilience, and we can handle the full scope of incident response, including containment and incident investigation, regulatory notifications and investigations, data mining and data subject notifications – all under one roof.