The importance of business continuity planning in the event of a cyber attack

The importance of business continuity planning in the event of a cyber attack

“The fallout has been difficult but it hasn’t put us off going digital, we’re in the 21st century, it simply isn’t an option.”

Last summer, a widespread cyber-attack impacting both the NHS and social care was the cause for significant disruption to many care service’s software systems. This care provider, who wishes to remain anonymous, was one of the many unfortunate business owners who were forced to operate without a key system in place to support their service.

Although the provider had all the relevant and appropriate cyber security infrastructure in place, the service was disrupted by a ransomware attack targeted at their software supplier.

The care manager explains:

“One minute the information was there and the next minute it was all gone. The supplier communicated with us that they had suffered a ransomware attack and they were working to get it back up and running. However, this didn’t happen, and the system is still down several months later.”

Fortunately, the company had a business continuity plan in place which included a strong cyber security element. As the manager explains:

“Luckily we had a business continuity plan in place which included steps we would take if we were hit by a cyber-attack. We had already been backing up and downloading our employee rosters as part of this plan, so when the attack happened we were able to check our downloaded rosters and move these over to a spreadsheet.”

The service was able to continue operations thanks to the practices laid out in their business continuity plan and have since began implementing an alternative staff rostering system with a new supplier. Some small changes have been made since the attack, as the manager explains:

“Since the attack there have been many more due diligence checks with companies who are part of our supply chain. We ask a lot of questions and vet them as much as possible to try and prevent anything like this from happening again.”

“The experience hasn’t put us off from going digital. Cyber security is a question of due diligence and constant review. It isn’t a question of if you’re going to get hit by a cyber-attack, it’s a question of when. The world is moving constantly into the digital workspace and we need to develop our protections as hackers develop their attack.”

Whilst there is no fool proof strategy to avoiding a cyber-attack, there are steps that providers can take to minimise the impact of one. Business continuity planning is a relatively simple process that could save you time and money in the event of a cyber incident. We have guidance and templates available on creating and testing a business continuity plan for data and cyber security.

It is also worth putting time aside to complete the Data Security & Protection Toolkit (DSPT). This is a self-assessment tool that all CQC registered providers should complete annually, and will help you to check and evaluate the systems you have in place that support good data security practices. There is free support available through the Better Security, Better Care programme.


Photo by KeepCoding on Unsplash

Back to Success Stories