Cyber security is a business continuity issue

As a care provider, you’ll have a plan to ensure your business can continue if you’re affected by severe weather, a power outage or medication shortages. But what if you don’t have access to the data you store and share?

We’ll be producing a series of articles for Cyber Security Awareness Month, and this week we share insights and advice on building data and cyber security into your business continuity plan.

We have created a cyber security continuity plan which you can download and adapt for your organisation. The plan considers six different scenarios that could affect your access to digital systems and outlines ways to reduce your risk and to respond if any of those scenarios occur.

Here’s a quick summary:

  1. Office unavailability: How would you access the information and systems that you need, should one or more offices become unavailable? For example, if there is a fire or flood, and office phones, computers and servers are irretrievably lost.
  2. Phoneline or broadband failure: Consider what would happen if your phone lines and broadband were to fail. For example, would you be able to access care plans or telephone numbers for service users’ families, or would you be able to direct staff to where they need to be to provide care?
  3. Power cut: Consider how you would access the information and systems that you need should you experience an extended power cut.
  4. Broken, missing or stolen devices: Is your service reliant on one main computer or laptop or do you have other devices that you could use? If a device is stolen, is it protected to prevent unauthorised access?
  5. If you were hacked: Do you know who to contact and what actions you need to take? For example, do you need to contact Action Fraud, change your passwords or restore back-ups? Do you have technical arrangements in place to reduce the risk of being hacked, and are your staff trained on how to spot cyber attacks?
  6. If your tech supplier’s system failed: Think about all the software that you use – from care planning and digital records to rota systems. What if any of those systems went down? What back-up or paper systems would you be able to put into place?


Check your digital supply chain

A key issue to consider is the ‘supply chain’.

Your business is likely to be part of a complex digital supply chain – including the tech companies that supply and manage the software systems you use, partners in other health or care organisations that access or share digital systems with you, and of course the clients, families and staff whom you contact.

As a member of that chain, you need to ensure that your own cyber security arrangements are in place.  One of the most comprehensive ways of checking this is to use the Data Security and Protection Toolkit (DSPT) at least once a year. This free, official self-assessment tool will guide you through the policies, procedures and practices you should have in place – and it will provide you with a DSPT status which indicates if you are meeting national data standards. It’s a great source of evidence to share with your supply chain partners.

It is also your responsibility to check the potential risks that third parties may bring to your care service.  Think about what systems you rely on external companies to provide, and how your service could be affected if they fell victim to a cyber-attack.

You should check their cyber security arrangements. So for example, do they have an up-to-date DSPT or Cyber Essentials Plus in place? Also check the contracts you have with them – do they cover cyber security issues? And remember, good suppliers will work with you to discuss their responsibilities.

You should also think about how you back up your data, or how you could temporarily replace a key part of your service that you rely on.


October is Cyber Security Awareness Month

Download and adapt our data and cyber security business continuity template plan.

Visit our web pages on cyber security to get guidance and support for your care service.

Follow the NHS Digital Keep I.T Confidential campaign and learn more about cyber security and how you can get involved.

Run your own campaign with ease using the free resources on offer for social care.