November 24th 2020
Cyber Security
Introduction – Keith Strahan
Keith Strahan worked as a social worker for over 20 years in a variety of settings: Hospitals (A&E, Intensive Care, Older People’s Wards, etc.), Mental Health, Community, Disability and Primary Care.
Keith’s experience provided an ideal background for when he later led and implemented a range of large-scale projects that aimed to improve digital technology within adult social care and share information with the health sector. This included a London Project with, at its peak, 60 acute trusts and local authorities sharing information across London.
Now as Clinical Informatics Lead of the Social Care Programme at NHS Digital, Keith’s had the opportunity to build on all of this and, from the start, shifted the focus to supporting care providers with a ‘sector led approach’. This included lobbying for a website for care providers that would be their ‘digital hub’. The Social Care Programme made this a reality by procuring the Digital Social Care website.
In this interview with Keith, we discuss cyber security. We find out from him just what cyber security is, why it is so important and what we all need to be thinking about to keep data safe.
Demystifying Cyber Security
(in other words: don’t let the words “cyber security” put you off)
What is cyber security?
The name cyber security itself can be off-putting, even a little scary and, in many ways, I wish it were called something else. The words themselves seem to imply it is only for specially qualified, very technical professionals and not for others because it is just too complicated. This is not the case!
The National Cyber Security Centre puts it well – that cyber security is about ‘protecting the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage’.
Why is cyber security so important?
Cyber security measures should be an essential consideration when providing care and support. It is vital to any organisation that uses technology and personal data online.
Security breaches can occur in many more traditional ways in our everyday work: with paper records, sending information by fax machines or verbally. However, the consequences of security breaches with digital information are potentially far worse. This is because substantial amounts of information can be distributed more easily and to a far wider audience.
In addition, care providers potentially hold a range of health and financial information about the people they support, and it is known that cyber attacks can affect organisations of all sizes, even small ones.
- Statistics from the Department for Digital, Culture, Media and Sport Cyber Security Breaches Survey 2020 reveal that almost half of businesses (46%) and a quarter of charities (26%) report having experienced a breach or attack in the last 12 months.
- In October 2020, UK charities reported being victims of fraud or cyber crime 645 times since the start of the Covid-19 pandemic in March 20 with £3.6 million in total losses.
But these types of attacks still should not worry us unduly if we take basic security measures.
What are your top tips for social care providers when it comes to cyber security?
My first top tip is to not be afraid that cyber security is too difficult.
For personal use, we hopefully already protect our computer, laptop or smartphone by installing the latest software updates and using anti-virus protection, and it’s much the same principle when at work. We would not trust an out of date mobile phone or computer with our bank details and we certainly should not do the same with people’s records at work.
It’s important to make sure that we are backing up data to a safe place and using strong passwords (including 2-factor authentication where possible).
Crucially, we also need to be particularly aware of any suspicious emails, sometimes called phishing emails. These emails may want us to open attachments or click on links taking us to a website containing malicious software, such as malware (including ransomware). This is designed by criminals to trick us into disclosing sensitive information or payment information, which could then be used illegally.
It is therefore important to train staff so they are aware of cyber threats and know how to deal with them.
Taking the appropriate cyber security measures is vital, because of the potentially huge impact if a cyber incident occurs.
It is important to remember that if you are the victim of a cyber attack, there is guidance which tells you who to contact and where you can get help. There is also other support to help you through it, like Digital Social Care’s helpline, so you are not alone.
NHS Digital’s Data Security Centre also plays a hugely important role as technical authority on cyber for health and care. This includes a range of guidance, such as Coronavirus Phishing Emails, monitoring national systems and networks to reduce the risk of a successful cyber attack, and helping local organisations manage their own cyber risk.
However, all organisations have a responsibility to protect the systems, information, and data they use to ensure the continued provision of top-quality care and support in both clinical and social care settings.
Think also about suppliers (your supply chain) and make sure they also are practising best practice when it comes to data protection. Good suppliers should let you know your responsibilities and offer options to reduce your risk of cyber threats with updated advice each year.
What guidance can providers follow?
In 2017, in collaboration with NHS Digital data protection colleagues, the Care Provider Alliance and the National Cyber Security Centre, I initiated the Cyber Security Guidance for care providers which can be found on the Digital Social Care website. It helps explain cyber security, outlines the essentials that you need to know and tries to keep things as simple as possible.
Earlier in 2020, the guidance was updated to provide information that is particularly relevant for the COVID-19 pandemic, such as the security precautions you need to take if you are using video conferencing.
In November 2020, it was updated again to include new crucial guidance about what to do if you have experienced, or are experiencing, a cyber attack due to ransomware.
There are many hyperlinks in the guidance that will take you directly to trusted websites, such as the National Cyber Security Centre’s webpages. There you will find lots of further information that is ideal for all different sizes of organisations, including those in social care.
How can providers measure their performance?
I am glad to be asked this question now and not a few years ago!
When the Social Care programme started, we still had the old Information Governance (IG) Toolkit which was pretty much unknown to care providers and less than 1% of providers had completed it.
After originating the offer of NHSmail for care providers in collaboration with the NHSmail team, a formal pilot was completed at The Uplands (now the first to pilot mobile Summary Care Records). The pilot showed the great benefits of using a secure email system like NHSmail but just how hard and expensive (training, local guidance, etc.) the old IG Toolkit was for care providers to complete.
Therefore, with Mandy Thorn and Ian Turner from the Care Provider Alliance, the Social Care Programme began to work collaboratively with the NHS Data Security Centre. This work included building care provider requirements into the replacement for the IG Toolkit, the Data Security and Protection Toolkit. This subsequently led to the development of Toolkit guidance specifically for care providers, which was later published on the Digital Social Care website. Over time, this has helped raise awareness and ownership within the sector.
The work on the Toolkit is ongoing and it is being continuously improved. I would like to say a big thank you to John Hodson in particular and the wider NHS Digital Data Security Centre team, who have worked tirelessly with care providers from the start for this to occur.
My advice for care providers would be to seriously consider completing the toolkit as it is a free, online self-assessment for health and organisations to evaluate and improve their data and cyber security. Completing the toolkit will help ensure policies and systems are secure and meet data security and CQC requirements.
It will also help provide a secure foundation to use electronic solutions and share information digitally with other health and care services with peace of mind. I’ve been lucky to be involved with some fantastic Digital Social Care Pathfinder projects, where shared records are being used by care providers to receive and share information with hospitals, GPs, and others. These projects show just what can be achieved as we move towards more integrated health and social care in the future.
The Better Security, Better Care programme, in collaboration with partner organisations, will provide national and regional support for care providers completing the toolkit. I would urge all care providers to learn about what assistance is on offer.
Where can more information be found?
For more information, please visit the Digital Social Care’s Cyber Security Guidance, or contact the helpline on 0208 133 3430 Monday-Friday between 9am and 5pm or email [email protected] for free support.
A big thank you to Keith for sharing his expertise and experience.
You can read Keith’s recent interview about the ‘About Me’ project here.