Cyber fraud and its impact on the NHS: How organisations can manage the risk


Chair: Ann Utley, Preparation Programme Manager, NHS Providers
Presenters: Arno Franken, Cyber Specialist, RSM; Sheila Pancholi, Partner, RSM

CYBER SECURITY NOT JUST FOR IT STAFF

To discuss:
- Background and introduction
- Why cyber risk management is increasingly challenging
- Cyber risk and the NHS: examples, external and internal
- How everyone has a role to play in cyber risk management

"Cyber risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems." (Institute of Risk Management, 11 Jun 2014)

The challenges
- 253 days is the average number of days it takes an organisation to realise that it has been successfully attacked.
- 90% of large UK organisations had a security breach in 2014 (an increase of 81% from 2013).
- 90% of all successful cyber attacks rely on human vulnerability to succeed.
- 69% of all large organisations were attacked by an unauthorised outsider in 2014 (an increase of 55% from the previous year).
- 59% of UK businesses expect attacks to increase next year.
- 1 person can enable an attacker to compromise your systems and access your most valuable information.
Why would they attack us?!

The challenges: it's increasing, why?
The inherent risks:
- Increasing network connections, dependencies and trust relationships.
- Increasing sophistication.
- Decreasing costs.
- Decreasing technical skill required of many perpetrators.
- Increasing attack frequency.
Our staff hold the knowledge, so they need to be educated!

"More than 50% of NHS acute trusts now have electronic patient record systems; a key litmus test and one that suggests many organisations now depend on IT to carry out their work and care for patients." (Digital Health Intelligence, May 2016)

Are cyber threats a reality for the NHS?
- NHS Orkney: suffered a ransomware attack, where systems were infected by a virus that locked down its internal files. Files were restored from a back-up.
- Royal Berkshire NHS Foundation Trust: postponed operations after a virus infected systems from an email.
- Anthem: January 2015 saw health insurer Anthem endure a security breach affecting the records of nearly 80 million people.
Source: http://www.digitalhealth.net/cybersecurity/47634/cybersecurity-is-critical-to-the-future-of-the-nhs

The NHS faces over 2000 data breaches a year, including 124 instances "relating to IT systems." (International Business Times)

Cyber risk and the NHS
Context: there is reduced public confidence in data management within the NHS.
1. Increase in recent years of cases of poorly handled data.
2. The ICO now has the power to enforce mandatory audits in any public healthcare organisation.
So where are the risks?
1. Ransomware
2. Data being posted or faxed incorrectly
3. Loss or theft of paperwork
4. Emails being sent to the wrong recipient
5. Loss or theft of unencrypted devices
6. Not redacting data in documents sent to third parties

In a study by Sophos of 250 NHS-employed CIOs, CTOs and IT managers, 76% said they have suitable protection against cybercrime and data loss, and 72% claimed data loss is their biggest concern in terms of IT security.

What can be done to mitigate risk?
1. Staff training
2. Regular password changes
3. Control of USB devices
4. Password-protected printing
5. Privacy impact assessments in the face of increasing digitalisation
6. Network vulnerability and penetration testing
7. An open and transparent culture in reporting and responding to information governance issues

Cyber-crime: typical methods
- Social engineering: emailing staff, impersonation.
- Website research.
- Systems scanning.
- Use of known and unknown exploits.
- Malware: viruses, trojans and worms.
- Attacking partner networks to gain access to yours.
- Brute-forcing passwords.
- Denial of service.
- Ransomware.

Phishing and whaling
- Phishing: targeting many individuals, mainly with blanket e-mails, and hoping that some will follow links, open attachments, reply with information or transfer funds.
- Whaling: targeting a small group of individuals with significant data access (often disguised as a manager or CEO) and requesting personal information, bank detail changes, or a large funds transfer.
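The whaling pattern above combines a sender anomaly (a borrowed executive name, a look-alike domain, a redirected Reply-To) with a money or data request. As an added example, not code from the presentation or from RSM, the check below triages constructed messages for exactly that combination; the trust domain, the executive list and the request keywords are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example (not from the original slides): the trust's own
# mail domain and the senior staff whose names an impersonator is likely to borrow.
ORG_DOMAIN = "example-trust.nhs.uk"
EXECUTIVES = {"jane smith": "jane.smith@example-trust.nhs.uk"}  # display name -> real address
# The requests the slide associates with whaling: bank detail changes, funds
# transfers and personal information, usually dressed up as urgent.
REQUEST_RE = re.compile(r"\b(bank details|sort code|account number|transfer|payment|"
                        r"payroll|national insurance|urgent)\b", re.IGNORECASE)

def whaling_indicators(raw_message: str) -> list[str]:
    """Reasons a plain-text message looks like a whaling attempt (empty = nothing flagged)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()  # a single-part text body is assumed here
    reasons = []
    if (known := EXECUTIVES.get(display.strip().lower())) and addr != known:
        reasons.append(f"display name '{display}' used with unexpected address {addr}")
    if domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in domain:
        reasons.append(f"look-alike sender domain {domain}")
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To redirects replies to {reply_to}")
    hits = sorted({m.group(0).lower() for m in REQUEST_RE.finditer(body)})
    if hits:
        reasons.append("asks for: " + ", ".join(hits))
    return reasons

def is_suspected_whaling(raw_message: str) -> bool:
    """Flag only when a sender anomaly coincides with a money or data request."""
    reasons = whaling_indicators(raw_message)
    request = [r for r in reasons if r.startswith("asks for")]
    return bool(request) and len(reasons) > len(request)

# Constructed sample messages (not real mail): a whaling attempt and a genuine one.
WHALING_SAMPLE = """From: Jane Smith <jane.smith@example-trust-nhs.co>
Reply-To: js.chiefexec@webmail.example
Subject: Urgent payment

I am in meetings all day. Please process an urgent payment to the new supplier; I will send the bank details shortly.
"""
LEGIT_SAMPLE = """From: Jane Smith <jane.smith@example-trust.nhs.uk>
Subject: Board papers

Please circulate the board papers before Friday. Thanks, Jane
"""
```

A genuine internal request for a payment produces only the "asks for" reason and is not flagged; the combination with a sender anomaly is what triggers the alert.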

Cyber-crime: typical methods
Social engineering: psychological manipulation of people.
- Phishing: receipt of emails.
- Phone phishing.
- Baiting.
- Tailgating.

Cyber-crime: typical methods
Malware (malicious software): deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software.
- Viruses: conceal, infect, multiply, deliver a payload.
- Worms: programs capable of independently propagating throughout a computer network; fast replication.
- Trojan horses: programs that contain hidden functionality that can harm the host computer and the data it contains.
- Software bombs: time bombs, triggered by a specific time or date; logic bombs, triggered by a specific event.

Motivations
- The challenge... because it's there!
- Money (extortion, theft, intellectual property).
- Espionage.
- Ideology.
- Disruption.
- Revenge.

Impact of cyber-crime and online fraud
- Financial loss.
- Loss of availability of critical operations.
- Loss of confidential information: staff, clients and your third parties.
- Loss of reputation.
- Harassment.
- Loss of intellectual property.

Cyber risk management
Cyber security is the ability of an organisation to resist, respond to and recover from incidents that impact the information it requires to do business. What does good look like?

What you need to protect
- Customer data.
- Supplier data.
- Staff data.
- Financial data.
- System availability.
- Reputation.
- Wider stakeholders.
The list goes on.

Insight from the clients
- We need to develop a coherent cyber resilience strategy.
- We need to know what our critical information assets are.
- We need a cyber-smart workforce and partner network.
- We need to embed good practices across our organisation.
- We need to communicate and understand more effectively across the organisation.
- We need to understand how we will respond to and recover from attack more effectively.

The need for risk management
Information security properties: confidentiality, integrity, availability, authenticity.
Pillars: people, process, technology.
Controls: security policy; regulatory compliance; user awareness programme; access control; security audit; incident response; encryption and PKI; firewall, IPS/IDS; antivirus.

Everyone has a role to play: the human factor.
The challenge: 90% (of successful attacks rely on human vulnerability). We need to influence and enable positive change in user behaviours.

All staff need to be risk aware:
- Phishing
- Social engineering
- Online safety
- Social media
- BYOD
- Removable media
- Password safety
- Personal information
- Information handling
- Remote and mobile working

Be proactive: what you need
- Get the basics right.
- Understand your cyber fraud risks! (If you don't, where do you start?)
- Be realistic and proportionate.
- Two-stage approach: essentials, then technical.
- Clear and concise policies and procedures (which are fit for purpose and being complied with).
- Response plans.
- Education and awareness.
- Ongoing review.

In summary
- The frequency is increasing.
- The impact is increasing.
- Risk management is therefore key.
- Strong security governance structures are needed.
- An integrated and holistic control environment is needed.
- Responsibility doesn't just sit with the IT department. It starts with senior management.

Cyber security forums and further information: some useful references
- HSCIC Cyber Security Programme (CSP) CareCERT Project: http://www.hscic.gov.uk/carecert
- Think Healthcare: http://think.events/healthcare.html
- Cyber Security In Healthcare: http://www.csihshow.co.uk/news/
- NHS Cyber Security Far Weaker Than Thought: http://www.techweekeurope.co.uk/security/security-management/nhscyber-security-sophos-encryption-184224

Cyber security forums and further information: some useful sites
- www.ukcybersecurityforum.com
- www.securityforum.org
- www.cybersecuritysummit.co.uk
- www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime
- www.cyber.uk/cyber-crime

Our response
- Cyber security gap analysis, built around CESG principles
- Rapid response to issues
- Controls assessment
- Controls testing

Summary of challenges
- Keep the value of the business in the business
- Maintain reputation
- Balance opportunities and risk
- Good incident management
- Need to communicate effectively during business as usual and during crisis
- Need to identify and manage what good cyber resilience looks like
- Need to influence and enable positive change in user behaviours

QUESTIONS AND ANSWERS?

Thank you Please fill in your evaluation form online http://www.smartsurvey.co.uk/s/nhs PGov16/