Cyber Threats in The Care Sector

Alan Ford

Care Insurance

GDPR

It’s been over a year since the General Data Protection Regulation (GDPR) rolled out, and statistics show that almost a third of European firms are still not compliant. Central to GDPR is information security, and in an increasingly digital world cyber security has to be taken seriously.

Indeed, under the CQC’s “Safe” category they now include technology in care and stipulate that GDPR, amongst other regulations, needs to be adhered to. Failure to comply, or burying your head in the sand, will impact your registration and may result in action being taken by the Information Commissioner’s Office (ICO).

Known Threats

It’s important to have a basic understanding of the types of cyber threats you need to protect yourself from. Whilst not an exhaustive list, here are some basic terms you may have heard of and a description of what they actually mean:

Denial of Service (DoS/DDoS) Attack - An attack that prevents legitimate users from accessing a computer or website, typically by flooding it with traffic. When the traffic comes from many machines at once it is referred to as a DDoS (distributed denial of service) attack.

Malware - A general term for malicious software, which includes viruses, worms, Trojans and spyware.

Spyware - Software that permits advertisers or hackers to gather sensitive information about you without your permission.

Phishing Emails - Refers to the process of deceiving recipients into sharing sensitive information with an unknown third party.

Key-logging - The process of secretly recording keystrokes by an unauthorised third party.

Spoofing (Email) - Where the sender address of an email is forged for the purposes of social engineering.

Social Engineering - Refers to the methods attackers use to deceive victims into performing an action; typically these actions are opening a malicious webpage or running an unwanted file attachment.

Future Threats

Cyber risks are in their infancy and new threats and exploits appear all the time, usually in response to the latest measures to minimise the current threats.

It’s important that cyber security reviews are undertaken on a regular basis and that effort is made to stay abreast of developments. Appointing a Data Protection Champion is essential, and training and empowering that individual to ensure you’re doing all that can reasonably be expected to prevent unauthorised access to your data or your systems is key.

Online Care Records

Many care services regularly access NHS Care Records on behalf of their service users. Any access to such databases needs to be controlled and protected, to avoid your organisation being the source of a breach which could lead to a hefty penalty or litigation.

Aging Hardware

Like the motor vehicle you keep on the roadside, which is more likely to fail an MOT or need a service the longer you keep it, computer equipment also requires attention and the odd tune-up on a regular basis. Your network will only ever be as secure as your weakest (and often oldest) machine. When you’re considering updating the office laptop, don’t forget the dusty PC tower which lies hidden in the corner!

Internet of Things

An often overlooked exposure in the care sector is the very technology being used to make residents safer and to provide them with everyday comforts and a safe living environment. The Internet of Things refers to everyday items and tools which have been enhanced with internet connectivity; examples are smart doorbells, smart locks, automatic lighting and heating, etc. We often think that hackers will only attack computer systems and usually want to steal data, but what if the cameras placed around the property are the computers and the footage is the data? What if they’re able to capture security codes via keylogging?

Considering the known threats above, could you operate without access to:

  • Your service users’ files and medical information?
  • Your Nurse call System?
  • Heating and Lighting controls?
  • A secure premises?

Continuity planning is a key component in ensuring your operations can continue in the event that access to your systems is compromised.

Enforcement action for non-compliance with GDPR is happening, and whether we like it or not all businesses have a degree of exposure which we’re responsible for minimising.

Whilst the buzz around GDPR has quietened down over recent months, the new responsibilities remain as important as ever, and it’s only a matter of time before a major incident is reported which gains mass media attention (and likely a hefty fine from the ICO). The message is clear: don’t become a headline, be proactive and take your cyber security seriously.