NHS Cyber Strategy: Four data protection tips for healthcare organisations

  • 8 June 2023
NHS Cyber Strategy: Four data protection tips for healthcare organisations

With the NHS increasingly targeted by cybercriminals, NHS organisations must act to defend themselves and protect the privacy and wellbeing of patients, writes Jon Fielding

Cyberattacks on hospitals can have life-threatening consequences. NHS trusts must ensure that the privacy and physical wellbeing of patients is protected at all times – something that the UK government is working to achieve through the roll out of the new NHS Cyber Strategy.

The Cyber Security Strategy for Health and Social Care aims to achieve cyber resilience across the sector by 2030 by embedding security to support emerging technology and minimise the impact and recovery time from incidents. But how exactly can these aims be best achieved?

If healthcare organisations can establish better security practices, they can more effectively safeguard their systems and the highly sensitive data that they hold. Four ways to do this are:

1. Embrace the principle of least privilege
Begin by implementing the principle of least privilege – a key tenet of Zero Trust. This is essential, as it ensures users only have access to the software, systems and applications that they need to do their job; they should not be able to access the entire corporate network. Not only does this approach help to secure data, limiting the potential damage that could be inflicted by attacks, it can also enhance productivity by streamlining the digital asset portfolios of each individual employee.

2. Eliminate unmanaged devices
The principle of least privilege should then be paired with the effective management of devices being used to access networks. Unmanaged devices can reduce visibility, undermine security protocols, and expand an organisation’s attack surface, enabling cybercriminals to exploit user endpoints much more easily. Ensuring that only IT-approved devices are provisioned access to a network is critically important.

3. Encrypt data as standard
All data should be encrypted across managed devices as standard and in hardware wherever possible, as this generally offers much greater security than software encryption. For example, hardware encrypted, PIN pad authenticated USB storage devices can offer the highest level of data protection whilst eliminating the risk of keylogging and screen capture, as well as removing specific operating system usage restrictions. This is an easy way to mitigate human error and ensure compliance with modern security legislation.

4. Establish a sound backup strategy
While cyber resiliency is important, it must be coupled with effective recovery practices, enabling healthcare organisations to respond effectively and at speed, in the event that a breach does occur. Here, a backup strategy should be implemented, ideally leveraging the 3-2-1 rule that advises organisations keep at least three copies of data, on at least two different mediums, with at least one copy stored off-site. Maintaining physical backups even if cloud storage is used is essential in case the cloud provider experiences downtime and/or faces a breach. With all bases covered, firms will be well placed to facilitate a speedy and reliable recovery.

Of course, there are many other layers to the new Cyber Security Strategy for Health and Social Care. Awareness, education, and training for example, are highlighted as a strong tool in helping to reduce any potential carelessness associated with breaches. Such efforts must also be backed by the right protocols, processes and technologies to rein in responsibility from employees, minimise human error, and drive security best practices.

By adopting the right tools, expertise and solutions, organisations can make some simple yet profoundly important steps to ensure they are aligned with best security practices.

In following these four steps, healthcare institutions will be well placed to achieve an effective, multi-layered security capable of mitigating modern cyber threats.

Jon Fielding Jon Fielding is managing director, EMEA for Apricorn.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Two more Liverpool hospitals impacted by Alder Hey cyber attack

Two more Liverpool hospitals impacted by Alder Hey cyber attack

Alder Hey Children's NHS Foundation Trust has announced that the cyber attack it suffered last week has impacted two more hospitals.
Major cyber security incident declared at Merseyside hospital

Major cyber security incident declared at Merseyside hospital

A “major incident” has been declared at Wirral University Teaching Hospital NHS Foundation Trust “for cyber security reasons”.
Barts Health rolls out Cynerio cyber security platform

Barts Health rolls out Cynerio cyber security platform

Barts Health NHS Trust has rolled out Cynerio’s healthcare-focused cyber security platform across all of its sites.

1 Comments

  • The NHS needs to start developing a cyber culture across the whole organisation where all employees understand their role and what they can do to mitigate the risk. It cant be left to IT departments alone to find solutions. IT departments are increasingly stretched with to do lists that only ever seem to grow. The 4 points raised by Jon are important but need to aligned with people and process and are only the starting point. I wonder why people seem to understand and take steps to protect themselves at home in their personal usage of IT, but seem to think they dont need to apply the same due diligence when they walk through the office door? Is there a way of freeing up IT resources to help champion the cyber culture and helping make locking a PC second nature when its not in use. We seem to be able to lock and unlock smart phones easily enough. Just some thoughts and opinions on a sunny friday into what is a massive subject. Regards

Comments are closed.