Building resilience in the cyber procurement process

  • 26 August 2021
Building resilience in the cyber procurement process

In a feature for Digital Health, Elizabeth Giugno, head of category for cyber security at Crown Commercial Services (CCS) explores how to build resilience and strengthen the cyber procurement process in healthcare.

The NHS has seen a significant increase in cyber attacks since the beginning of the pandemic. This is due to increasing digitalisation, remote working and the significant value that health data holds on the dark web, making the NHS an ideal target for opportunistic cyber criminals.

The National Cyber Security Centre (NCSC) is the UK’s technical authority for cyber security incidents. The NCSC’s fourth annual review in November 2021 revealed that 723 incidents had been handled between 1 September 2019 and 31 August 2020, an increase from the average of 602 incidents annually in the previous 3 years. More than 200 of the 723 reported incidents related to coronavirus and NCSC deployed experts to help the healthcare sector.

These attacks are predominantly ransomware attacks where cyber criminals use malicious software to block access to computer systems and threaten to release the organisation’s sensitive data, unless the ransom is paid. The impact of a ransomware attack can be devastating.

Wannacry – one of the most well-known examples of a ransomware attack – cost the NHS £92million in 2017 and brought the NHS to a standstill for several days, affecting more than 600 healthcare organisations. Not only were thousands of appointments and operations cancelled, but staff were also left unable to access the key systems that they depended on.

For the NHS, cyber security isn’t only a challenge – it’s an obstacle to digital transformation and the effective provision of services. NHS attacks are calculated – they’re resourceful. Criminals that target the NHS’s data, networks and systems are often politically motivated and looking to steal specific information.

Five steps to building resilience to cyber attacks:

Building cyber resilience is about strengthening cyber security to increase confidence and ensure that in the event of an attack, not only can the NHS continue to operate, but that they will also recover quickly. Resilience means continuous, uninterrupted access to data whilst remaining secure and protected.

As threats continue to increase in frequency and sophistication, so must our preventative measures, which should include:

  1. Understanding critical assets

The first step to building resilience is having a strong understanding of the organisation’s critical assets. These are resources that are fundamental to maintaining operations. Ask yourself: What impact would an attack have, and what are your critical assets?

The NHS’s critical assets include medical and sensitive patient data which is more valuable to cyber criminals than any financial data. It is imperative that it is protected in the event of an attack. Managing back-ups is an essential part of this process – rapid recovery is dependent on how regularly these back-ups are carried out.

  1. Developing an incident response plan

A thorough incident response plan is crucial to resilience as this will ensure that the NHS can recover quickly from attack.

An incident response plan collects together the coordinating functions which guide, inform and support the whole response process. It encompasses a number of aspects, including triaging and categorising of an incident through to core response.

  1. Educating employees 

Phishing emails, which dupe staff into opening them and exposing the organisation to phishing attacks, have become more frequent and sophisticated during the pandemic. This shows the importance of creating a strong cyber security culture.

It is essential that employees understand cyber threats, the potential risk, and their role in mitigating incidents. Educating your employees, increasing awareness and providing strong governance and training can all assist in building cyber resilience.

  1. Keeping up to date with emerging cyber threats

New advanced threats are being discovered daily. Resilience is also the detection of threats and increasing both your understanding of the threat landscape and threat intelligence. Taking a proactive approach to cyber security is essential in ensuring that organisations are aware of threats to allow for methods to be adjusted.

  1. Developing a Business Continuity Disaster Recovery plan

All healthcare organisations should have sufficient business continuity disaster recovery (BCDR) methods in place to make sure they can resume normal operations in the event of an attack. It should include a complete approach to keeping your team productive during planned or unplanned disruptions such as a cyber attack.

The BCDR plan builds resilience by reducing the risk of data loss and enhancing operations, detailing emergency contacts and key staff.

Steps to strengthening cyber defences through the procurement process

With cyber criminals targeting supply chains and recent attacks such as Solar Winds, procurement can be an increasing concern for the NHS.

The NHS has an extremely complex supply chain and relies on a large range of suppliers. These companies are critical to maintaining our health service, however with criminals often targeting the weakest link within supply chains, they also pose significant risk.

So how can the procurement process help reduce these risks?

One of the biggest supply chain challenges can be a supplier’s understanding or competence when it comes to cyber security. Accreditation is increasingly important for the NHS in strengthening cyber defences within the procurement process. Buying through a framework ensures that your suppliers have had vetting checks such as Cyber Essentials.

Cyber Essentials is a government-backed scheme that allows organisations to carry out a cyber self-assessment, and provides an understanding of the organisation’s security levels. This will mean that your supplier has taken steps to safeguard their business against cyber threats and will assist in strengthening cyber defences within your supply chain.

A further step would be to request Cyber Essential Plus which offers additional protections as it includes a technical audit of suppliers systems as opposed to the self assessment in Cyber Essentials.

NCSC Assured Suppliers

When buying cyber security services, there are additional certifications you can look for from a supplier. The NCSC offers assurance for a range of services including consultancy, incident response and penetration testing.

The advantages in using NCSC assured suppliers to manage supply chain risk are that they will have:

  • Met the NCSC’s standards and have a proven track record in delivering high quality consultancy services
  • A defined process for working with customers to understand their needs
  • Demonstrated a clear understanding of current and potential cyber threats and techniques and potential effective mitigations
  • Been independently and rigorously assessed
  • Shown that they act with integrity objectivity and proportionality
  • Protect the customer’s confidentiality and integrity and comply with relevant laws and regulations
  • A commitment to continuously improve the services offered

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Trust reverses £65m EPR procurement decision after court claim

Trust reverses £65m EPR procurement decision after court claim

Mersey and West Lancashire Teaching Hospitals NHS Trust has withdrawn its decision to award a £65m EPR contract following a legal challenge.
How to find your inner ‘cyber defender’

How to find your inner ‘cyber defender’

A "back to basics" and "honest" approach to personal cyber security can help NHS staff make larger improvements at work, writes Nasser Arif.
Trust to file ‘robust defence’ against EPR procurement court claim

Trust to file ‘robust defence’ against EPR procurement court claim

Mersey and West Lancashire Teaching Hospitals Trust to file 'robust defence' against a claim it broke procurement law over an EPR contract.