Cyber fraud and its impact on the NHS: How organisations can manage the risk Chair: Ann Utley, Preparation Programme Manager, NHS Providers Arno Franken, Cyber Specialist, RSM Sheila Pancholi, Partner, RSM
CYBER SECURITY NOT JUST FOR IT STAFF
To discuss:
- Background and introduction
- Why cyber risk management is increasingly challenging
- Cyber risk and the NHS: external and internal examples
- How everyone has a role to play in cyber risk management
Cyber risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. Institute of Risk Management 11 Jun 2014
The challenges
- 253 days is the average number of days it takes an organisation to realise that it has been successfully attacked.
- 90% of large UK organisations had a security breach in 2014 (up from 81% in 2013).
- 90% of all successful cyber attacks rely on human vulnerability to succeed.
- 69% of all large organisations were attacked by an unauthorised outsider in 2014 (up from 55% the previous year).
- 59% of UK businesses expect attacks to increase next year.
- 1 person can enable an attacker to compromise your systems and access your most valuable information.
Why would they attack us?!
The challenges: it's increasing, why?
The inherent risks:
- Increasing network connections, dependencies and trust relationships.
- Increasing sophistication of attacks.
- Decreasing cost of mounting an attack.
- Technical skill required of many perpetrators decreasing (tooling is bought or shared, not written).
- Increasing attack frequency.
Our staff hold the knowledge attackers want, so they need to be educated!
More than 50% of NHS acute trusts now have electronic patient record systems; a key litmus test and one that suggests many organisations now depend on IT to carry out their work and care for patients Digital Health Intelligence May 2016
Are cyber threats a reality for the NHS?
- NHS Orkney suffered a ransomware attack, in which systems were infected by a virus that locked down its internal files. Files were restored from a backup.
- Royal Berkshire NHS Foundation Trust postponed operations after a virus delivered by email infected its systems.
- Anthem: January 2015 saw health insurer Anthem endure a security breach affecting the records of nearly 80 million people.
Source: http://www.digitalhealth.net/cybersecurity/47634/cybersecurity-is-critical-to-the-future-of-the-nhs
The NHS faces over 2000 data breaches a year, including 124 instances "relating to IT systems." International Business Times
Cyber risk and the NHS
Context: there is reduced public confidence in data management within the NHS.
1. Increase in recent years of cases of poorly handled data.
2. The ICO subsequently now has the power to enforce mandatory audits in any public healthcare organisation.
So where are the risks?
1. Ransomware
2. Data being posted or faxed incorrectly
3. Loss or theft of paperwork
4. Emails being sent to the wrong recipient
5. Loss or theft of unencrypted devices
6. Not redacting data in documents sent to third parties
In a study by Sophos of 250 NHS-employed CIOs, CTOs and IT managers, 76% said they have suitable protection against cybercrime and data loss, and 72% said data loss is their biggest concern in terms of IT security.
What can be done to mitigate risk?
1. Staff training
2. Password changes (note: current NCSC/CESG password guidance favours changing passwords when compromise is suspected rather than on a fixed schedule, which pushes users towards weak, predictable variants)
3. Control of USB devices
4. Password-protected printing
5. Privacy impact assessments in the face of increasing digitalisation
6. Network vulnerability and penetration testing
7. An open and transparent culture in reporting and responding to information governance issues
Cyber-crime: typical methods
- Social engineering: emailing staff, impersonation.
- Website research (open-source reconnaissance).
- Systems scanning.
- Use of known and unknown exploits.
- Malware: viruses, trojans and worms.
- Attacking partner networks to gain access to yours.
- Brute-forcing passwords.
- Denial of service.
- Ransomware.
Phishing and whaling
Phishing: targeting many individuals, mainly with blanket emails, and hoping that some will follow links, open attachments, reply with information or transfer funds.
Whaling: targeting a small group of individuals with significant data access or financial authority, with the attacker posing as a manager or CEO and requesting personal information, a change of bank details, or a large funds transfer.
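The whaling pattern above (an executive's name on a message that does not come from the organisation's own domain, asking for a payment, a bank-detail change or personal data) can be screened for mechanically before a human sees the mail. The following is an added example, not code from the presentation or from RSM; the organisation domain, the executive list and the four sample messages are constructed for illustration, and the scores and threshold are arbitrary assumptions a practitioner would tune against real traffic.

```python
"""Heuristic screening of inbound mail for the whaling pattern.

Added example (not from the original deck). ORG_DOMAIN, EXECUTIVES and
SAMPLE_MESSAGES are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumptions (constructed): the organisation's own mail domain and the
# senior people an attacker is most likely to impersonate.
ORG_DOMAIN = "example-trust.nhs.uk"
EXECUTIVES = {"jane smith": "CEO", "raj patel": "Director of Finance"}

# Requests a whaling mail typically makes. Each pattern adds 1 to the score.
REQUEST_PATTERNS = [
    (r"\bbank (account )?details?\b", "bank-detail change request"),
    (r"\b(urgent|immediately|asap|today)\b", "urgency pressure"),
    (r"\b(transfer|payment|wire|invoice)\b", "funds transfer request"),
    (r"\b(national insurance|date of birth|payroll|p60)\b", "personal data request"),
]


@dataclass
class ScreenResult:
    score: int = 0
    findings: list = field(default_factory=list)


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def name_tokens(display):
    """Strip titles and punctuation so 'Jane SMITH (CEO)' yields ['jane','smith','ceo']."""
    return re.sub(r"[^a-z ]", " ", display.lower()).split()


def screen_message(msg):
    """msg: dict with 'from', optional 'reply_to', 'subject', 'body'.

    Returns a ScreenResult; callers treat score >= 3 as 'hold for review'.
    """
    display, sender = parseaddr(msg["from"])
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    result = ScreenResult()
    sender_domain = domain_of(sender)

    # 1. Display name matches an executive but the address is off-domain.
    tokens = name_tokens(display)
    impersonated = next(
        (n for n in EXECUTIVES if all(t in tokens for t in n.split())), None)
    if impersonated and sender_domain != ORG_DOMAIN:
        result.score += 3
        result.findings.append(
            f"display name matches {EXECUTIVES[impersonated]} but sender is {sender_domain}")

    # 2. Look-alike domain: reuses our first label but is not our domain.
    org_label = ORG_DOMAIN.split(".")[0]
    if sender_domain != ORG_DOMAIN and org_label in sender_domain:
        result.score += 2
        result.findings.append(f"look-alike sender domain {sender_domain}")

    # 3. Reply-To redirects replies to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        result.score += 2
        result.findings.append(
            f"reply-to domain {domain_of(reply_to)} differs from sender")

    # 4. Content: money, bank details, personal data, or urgency.
    text = f"{msg['subject']} {msg['body']}".lower()
    for pattern, label in REQUEST_PATTERNS:
        if re.search(pattern, text):
            result.score += 1
            result.findings.append(label)
    return result


def hold_for_review(msg, threshold=3):
    return screen_message(msg).score >= threshold


# Constructed sample traffic: two attacks and two legitimate messages.
SAMPLE_MESSAGES = {
    "whaling": {
        "from": '"Jane Smith (CEO)" <jane.smith.ceo@gmail.com>',
        "reply_to": "<jsmith.exec@outlook.com>",
        "subject": "Urgent - supplier payment",
        "body": "I'm in a meeting, please transfer GBP 48,000 to the new bank details below today.",
    },
    "lookalike": {
        "from": '"Raj Patel" <raj.patel@example-trust-payroll.co.uk>',
        "subject": "Payroll update",
        "body": "Please send me the national insurance numbers of all staff.",
    },
    "board_papers": {
        "from": '"Jane Smith" <jane.smith@example-trust.nhs.uk>',
        "subject": "Board papers",
        "body": "Attached are the papers for Thursday's board meeting.",
    },
    "invoice": {
        "from": '"Accounts Payable" <ap@example-trust.nhs.uk>',
        "subject": "Invoice approval",
        "body": "Please approve invoice 4471 for payment.",
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        r = screen_message(msg)
        print(f"{label:12} score={r.score} hold={hold_for_review(msg)} {r.findings}")
```

The scoring deliberately separates sender checks from content checks: a genuine Accounts Payable mail that mentions an invoice scores 1 and passes, while the same words from an off-domain "CEO" with a redirected Reply-To score 8 and are held. Heuristics like these complement, and do not replace, SPF, DKIM and DMARC on the organisation's own domain; an attacker who can spoof the exact domain is caught by those controls, not by display-name checks.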
Cyber-crime: typical methods
Social engineering: the psychological manipulation of people.
- Phishing: fraudulent emails.
- Phone phishing (vishing).
- Baiting: leaving infected media or tempting downloads for the victim to pick up.
- Tailgating: following an authorised person through a secured door.
Cyber-crime: typical methods
Malware (malicious software): deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software.
- Viruses: conceal, infect, multiply and deliver a payload.
- Worms: programs capable of independently propagating throughout a computer network; fast replication.
- Trojan horses: programs that contain hidden functionality that can harm the host computer and the data it contains.
- Software bombs:
  - Time bombs: triggered by a specific time or date.
  - Logic bombs: triggered by a specific event.
Motivations
- The challenge... because it's there!
- Money (extortion, theft, intellectual property).
- Espionage.
- Ideology.
- Disruption.
- Revenge.
Impact of cyber-crime and online fraud
- Financial loss.
- Loss of availability of critical operations.
- Loss of confidential information: staff, clients and your third parties.
- Loss of reputation.
- Harassment.
- Loss of intellectual property.
Cyber risk management
Cyber security is the ability of an organisation to resist, respond to and recover from incidents that will impact the information it requires to do business.
What does good look like?
What you need to protect
- Customer data.
- Supplier data.
- Staff data.
- Financial data.
- System availability.
- Reputation.
- Wider stakeholders.
The list goes on.
Insight from clients
- We need to develop a coherent cyber resilience strategy.
- We need to know what our critical information assets are.
- We need a cyber-smart workforce and partner network.
- We need to embed good practices across our organisation.
- We need to communicate and understand more effectively across the organisation.
- We need to understand how we will respond to and recover from an attack more effectively.
The need for risk management
Information security goals: Confidentiality, Integrity, Availability, Authenticity.
Three layers of control, each with examples:
- People: security policy, regulatory compliance, user awareness programme.
- Process: access control, security audit, incident response.
- Technology: encryption and PKI, firewall, IPS/IDS, antivirus.
Everyone has a role to play: the human factor
The challenge: 90% of successful attacks rely on human vulnerability, so we NEED TO INFLUENCE AND ENABLE POSITIVE CHANGE IN USER BEHAVIOURS.
All staff need to be risk aware of:
- Phishing
- Social engineering
- Online safety
- Social media
- BYOD
- Removable media
- Password safety
- Personal information
- Information handling
- Remote and mobile working
Be proactive: what you need
- Get the basics right.
- Understand your cyber fraud risks! (If you don't, where do you start?)
- Be realistic and proportionate.
- Take a two-stage approach: essentials first, then technical controls.
- Clear and concise policies and procedures (which are fit for purpose and being complied with).
- Response plans.
- Education and awareness.
- Ongoing review.
In summary
- The frequency of attacks is increasing.
- The impact is increasing.
- Risk management is therefore key.
- Strong security governance structures are needed.
- An integrated and holistic control environment is needed.
- Responsibility doesn't just sit with the IT department: it starts with senior management.
Cyber security forums and further information: some useful references
- HSCIC Cyber Security Programme (CSP), CareCERT project: http://www.hscic.gov.uk/carecert
- Think Healthcare: http://think.events/healthcare.html
- Cyber Security In Healthcare: http://www.csihshow.co.uk/news/
- NHS Cyber Security Far Weaker Than Thought: http://www.techweekeurope.co.uk/security/security-management/nhscyber-security-sophos-encryption-184224
Cyber security forums and further information: some useful sites
- www.ukcybersecurityforum.com
- www.securityforum.org
- www.cybersecuritysummit.co.uk
- www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime
- www.cyber.uk/cyber-crime
Our response
- Cyber security gap analysis, built around CESG principles.
- Rapid response to issues.
- Controls assessment.
- Controls testing.
Summary of challenges
- Keep the value of the business in the business.
- Maintain reputation.
- Balance opportunities and risk.
- Good incident management.
- Communicate effectively during business as usual and during a crisis.
- Identify and manage what good cyber resilience looks like.
- Influence and enable positive change in user behaviours.