The global cyber security threat is growing, and it could affect any organisation that does not have appropriate defences. For example, the first half of 2016 saw an almost threefold increase in ransomware variants compared to the whole of 2015, according to the National Cyber Security Centre (NCSC), while 2017 has been awash with incidents, including the massive WannaCry attack that affected GP practices so badly.
The fact is that attacks are becoming increasingly sophisticated, and even the most secure environment is at risk. That doesn’t, however, mean you can ignore your responsibility to protect your practice from cybercrime; following some straightforward tips will go a long way.
Beware email spam
A major threat to practices is ransomware – malicious software that locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it – just as WannaCry did recently.
Guarding against spam and phishing emails is key to mitigating the risk of these attacks, and to achieve this, you need to use a blend of technical and educational solutions. Ransomware is reliant on an end-user activating it, usually by opening an infected email attachment, so educating staff is vital. Cyber security experts suggest staff should be encouraged to have a healthy scepticism by questioning who or where emails come from – each and every time they are unsure.
On the tech side of things, it’s recommended to have a disaster recovery plan in place, outlining what to do in the event of an attack. A good starting point is to have effective backups of data on an external hard drive or cloud-based service – or both, ideally.
Further information on how to prevent a ransomware incident, and what to do if your organisation is infected, can be found here.
Plan a response
In the absence of IT specialists – which is the case for most practices – it’s up to ‘leaders’, usually the PM, to determine an effective course of action in the event of an attack and to prepare staff for one.
The main way business leaders can do this is through preparation. In a nutshell, this means having a strong cyber security response plan that clearly defines roles and responsibilities, and outlines how data can be recovered quickly in the wake of an attack. Further assistance for SMEs can be found in the UK Government’s 10 Steps to Cyber Security.
It’s a team responsibility
The health sector clearly needs to protect patient data – which is gold to cyber criminals selling data on the dark web – so data security needs to be a high priority in GP practices.
The main challenge is maintaining a culture of security while meeting operational requirements, which means ensuring that security is at the heart of everything we do. A critical part of that is employee education, and ensuring that security is a priority should begin during staff induction.
Further practical actions practices can take include:
- Back up all your systems regularly – automate the process if possible
- Ensure all devices are kept up to date, with updates and patches applied promptly
- Get some security software on your devices – a lot of it is free – and don’t forget personal devices that might be used when working from home etc.
- Regularly change your passwords and make sure they are difficult to guess or crack by using numbers, upper and lower case letters, symbols and so on
- Keep firewalls and anti-virus software running and up to date
- Set the right example by following the actions and attitudes that are required
- Ensure that cybersecurity is discussed at every team meeting (perhaps with the latest news, or examples of good data security practices)
- Disable user accounts of former employees as soon as is practically possible
- Uninstall defunct software and any non-essential software sitting on devices such as games
- Always wipe hard drives before disposing of old devices
If the worst does happen…
If you do suffer from a cyber attack – either caused by a breach in your systems or via an external source – what can you do to minimise disruption to patients?
The first job is to disconnect any infected devices from the network – do this as quickly as possible to limit further spread. After that, it’s time to move on to delivering patient care the old-school analogue way.
Rather than going through the methods here, the RCGP has published a handy advice sheet for practices, which is a useful reference tool – click here to read more. A handy printable attack notice for patients is also available.
Cybercrime is a fact of life in today’s digital world – and with the NHS so reliant on computer systems and so much personal data on offer to attackers – it’s a matter of if, not when, the next attack will happen. By following a few simple steps and making cybersecurity part of your practice culture you can minimise the chances and the damage caused.
How did you cope with the recent attacks? What cybersecurity tips can you share? Let us know by commenting below or in the forum here.