How can the health and social care sector better protect against cyber attack? Benji Avro – Cyber Client Director explains why businesses should make it harder for cyber criminals to launch a successful attack while helping to mitigate losses should a hacker succeed to infiltrate.
The health and social care sector is an attractive and lucrative target for cyber criminals. Recent high profile hacks in the UK include an attack on the provider of the NHS 111 non-emergency helpline in August 2022, which also impacted a range of other health and social care settings from GP surgeries, to care homes and mental health services. As probably the most disruptive attack on the NHS since the 2017 WannaCry cyber incident, it’s a stark reminder that the threat continues to escalate and underlines the importance of building cyber resilience.
The Technology Lifeline: Charting Digital Progress in Healthcare research from SOTI highlights the worrying state of affairs for patient data security. With 79% of UK healthcare providers reporting at least one data breach, the research also found a 22% year-on-year increase for UK healthcare IT workers reporting a data breach. A 14% rise in accidental data leaks originating from employees was also noted.
Cyber risk is particularly prominent in the health and social care industry partly due to the amount of confidential data organisations hold. Personally identifiable information (PII) is valuable to criminals and many, even smaller organisations, will hold a disproportionately high level of PII relative to their size.
It’s not just a vulnerability around PII, given many health and social care businesses have a reliance on operational technology – as distinct from their IT systems – which can include medical equipment like scanners or ventilators, as well as building controls such as lifts and air conditioning. Systems that are internet enabled are equally at risk. Failure can lead to extensive business interruption and additional costs for the business. Hackers could also target operational technology as a way of gaining access to a business’s IT environment to steal personal data, taking advantage of the lack of cyber security around many of these systems. So given these vulnerabilities, what steps can a business take to ensure they reach an informed decision around its cyber risks?
At Aon, we approach cyber with four key phases: Assess, Mitigate, Transfer, and Recover. These set the foundation for building a sustainable cyber resilience.
Assess, Mitigate, Transfer, and Recover.
- Phase One - Assess
The ‘Assess phase’ should be about understanding what data you hold, where it sits, who has access to it, how the data is protected, what policies and procedures people have access to, and whether the organisation follows any existing security frameworks like NIST. The Assess phase gives organisations the opportunity to understand their own cyber landscape and how best they can manage the risk – whether they decide to insure for cyber risk and/or keep the risk on their balance sheet. In addition, they would do well to invest in I.T. security measures which will reduce the risk of a cyber-attack being successful. Businesses should identify a range of events that could happen, and the potential cost; providing clarity around their current security controls and clear data on exposure and cyber control maturity.
- Phase Two - Mitigate
Mitigate moves on to building an organisation’s resilience and limiting the impact of a cyber incident. It helps a business make risk informed decisions when it comes to making changes that can enhance cyber security maturity and maximise return on security investment (ROSI). Within the mitigate stage, a business should answer two important questions: Is risk proportionately managed? If not, what security technical controls need to be implemented or enhanced?
- Phase Three - Transfer
In this phase, a business considers which risks it to retain or transfer. The Transfer stage supports businesses to get the most appropriate cyber insurance policy in place to both protect the balance sheet for financial loss, but also ensure access to the right expertise. A business will need to ensure it considers IT forensics and legal support if a breach or incident took place. It should also be prepared for reporting to the Information Commissioners Office and what support it needs in the event of an investigation. Identification and quantification of your maximum probable cyber losses will help you understand how much of a potential cyber loss your business might self-insure, and how much you could transfer to an insurance policy or other form of risk transfer.
- Phase Four - Recover
The final phase is to consider your recovery costs and steps to recovery. A full recovery should encompass expert and rapid incident response, it should extend to effectively quantify impact and manage third party and insurance claims to ensure maximum possible recovery of costs. Immediate response, containment and investigation coupled with presentation of insurable losses to advance the claims process, and support for third party and regulatory claims – all measured and aligned to business objectives.
Cyber Resilience
It’s key that businesses within the health and social care industry understand how prevalent the cyber risk is to them and how, they remain a key target for hackers. For more information about how Aon can help your organisation in managing your cyber risk and work towards developing sustained cyber resilience, contact Laura Jennings ([email protected]) or Sarah Triggs ([email protected])
Is your organisation cyber resilient? Find out more about how Aon’s Cyber Loop can strengthen your cyber defences.
About Aon
Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries and sovereignties with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business.
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to 14/07/2023.
Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.
FP.NAT.1256.SEC