With the NHS increasingly targeted by cybercriminals, NHS organisations must act to defend themselves and protect the privacy and wellbeing of patients, writes Jon Fielding

Cyberattacks on hospitals can have life-threatening consequences. NHS trusts must ensure that the privacy and physical wellbeing of patients is protected at all times – something that the UK government is working to achieve through the rollout of the new NHS Cyber Strategy.

The Cyber Security Strategy for Health and Social Care aims to achieve cyber resilience across the sector by 2030 by embedding security to support emerging technology and minimise the impact and recovery time from incidents. But how exactly can these aims be best achieved?

If healthcare organisations can establish better security practices, they can more effectively safeguard their systems and the highly sensitive data that they hold. Four ways to do this are:

1. Embrace the principle of least privilege
Begin by implementing the principle of least privilege – a key tenet of Zero Trust. This is essential, as it ensures users only have access to the software, systems and applications that they need to do their job; they should not be able to access the entire corporate network. Not only does this approach help to secure data, limiting the potential damage that could be inflicted by attacks, it can also enhance productivity by streamlining the digital asset portfolios of each individual employee.

2. Eliminate unmanaged devices
The principle of least privilege should then be paired with the effective management of devices being used to access networks. Unmanaged devices can reduce visibility, undermine security protocols, and expand an organisation’s attack surface, enabling cybercriminals to exploit user endpoints much more easily. Ensuring that only IT-approved devices are provisioned access to a network is critically important.
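The two steps above describe a deny-by-default access decision: a request succeeds only when the device is IT-managed and the user's role actually needs the application. The following is an added illustration of that decision logic, not code from the article or from Apricorn; the role-to-application mapping, the device inventory and the user names are all constructed for the example, and a real deployment would draw them from its MDM and identity provider.

```python
"""Deny-by-default access check combining least privilege with
managed-device enforcement. All data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed mapping of job roles to the applications that role needs.
# Assumption: each role lists only what is required to do the job.
ROLE_APPS = {
    "ward-nurse": {"ehr-clinical", "rostering"},
    "radiologist": {"ehr-clinical", "pacs"},
    "finance": {"erp"},
}

# Constructed inventory of IT-approved device identifiers (e.g. MDM-enrolled).
MANAGED_DEVICES = {"LAPTOP-0001", "LAPTOP-0002", "WS-RAD-07"}


@dataclass
class AccessRequest:
    user: str
    roles: set
    device_id: str
    app: str


def entitled_apps(roles) -> set:
    """Applications justified by a set of roles (empty set if none match)."""
    return set().union(*(ROLE_APPS.get(r, set()) for r in roles))


def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Every request is denied unless both checks pass:
    the device must be managed, and a held role must grant the application."""
    if req.device_id not in MANAGED_DEVICES:
        return False, f"device {req.device_id} is not IT-managed"
    if req.app not in entitled_apps(req.roles):
        return False, f"{req.user} holds no role that grants {req.app}"
    return True, "ok"


def excess_entitlements(user_roles: dict, actual_grants: dict) -> dict:
    """Least-privilege audit: for each user, list applications they have been
    granted beyond what their roles justify. Users with no excess are omitted."""
    report = {}
    for user, granted in actual_grants.items():
        needed = entitled_apps(user_roles.get(user, set()))
        extra = set(granted) - needed
        if extra:
            report[user] = sorted(extra)
    return report


if __name__ == "__main__":
    # Constructed requests: a nurse on a managed laptop, then on a personal phone.
    print(evaluate(AccessRequest("asmith", {"ward-nurse"}, "LAPTOP-0001", "ehr-clinical")))
    print(evaluate(AccessRequest("asmith", {"ward-nurse"}, "PERSONAL-PHONE", "ehr-clinical")))
    # Constructed grants: the nurse has somehow also been given the finance system.
    print(excess_entitlements({"asmith": {"ward-nurse"}},
                              {"asmith": ["ehr-clinical", "rostering", "erp"]}))
```

The audit function is the part worth running periodically: least privilege erodes as staff change roles, and comparing actual grants against role-derived need surfaces the accumulated excess before an attacker does.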

3. Encrypt data as standard
All data should be encrypted across managed devices as standard and in hardware wherever possible, as this generally offers much greater security than software encryption. For example, hardware-encrypted, PIN-pad-authenticated USB storage devices can offer the highest level of data protection whilst eliminating the risk of keylogging and screen capture, as well as removing specific operating system usage restrictions. This is an easy way to mitigate human error and ensure compliance with modern security legislation.

4. Establish a sound backup strategy
While cyber resiliency is important, it must be coupled with effective recovery practices, enabling healthcare organisations to respond effectively and at speed in the event that a breach does occur. Here, a backup strategy should be implemented, ideally leveraging the 3-2-1 rule, which advises organisations to keep at least three copies of data, on at least two different media, with at least one copy stored off-site. Maintaining physical backups even if cloud storage is used is essential in case the cloud provider experiences downtime and/or faces a breach. With all bases covered, firms will be well placed to facilitate a speedy and reliable recovery.
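The 3-2-1 rule is easy to state and easy to drift away from as backup jobs are added and retired. The following is an added example, not code from the article or from Apricorn, that audits a backup inventory against the rule plus the article's extra condition that a physical copy exists even when cloud storage is used; the inventory, dataset names and field layout are constructed for the example.

```python
"""Audit a backup inventory against the 3-2-1 rule (three copies, two media,
one off-site) and the article's additional 'keep a physical copy' condition.
The inventory below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    medium: str      # e.g. "disk", "tape", "object-storage"
    location: str    # site label, informational only
    offsite: bool    # stored away from the primary site
    physical: bool   # on media the organisation itself holds (not cloud)


# Constructed inventory: one dataset that satisfies every condition and one
# that has quietly become cloud-only.
SAMPLE_INVENTORY = [
    BackupCopy("ehr-db", "disk", "primary-dc", offsite=False, physical=True),
    BackupCopy("ehr-db", "tape", "offsite-vault", offsite=True, physical=True),
    BackupCopy("ehr-db", "object-storage", "cloud-region-a", offsite=True, physical=False),
    BackupCopy("imaging", "object-storage", "cloud-region-a", offsite=True, physical=False),
    BackupCopy("imaging", "object-storage", "cloud-region-b", offsite=True, physical=False),
]


def check_3_2_1(copies) -> dict:
    """Return {dataset: [problem, ...]}; an empty list means the dataset passes."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    findings = {}
    for name, cs in by_dataset.items():
        problems = []
        if len(cs) < 3:                                   # the "3"
            problems.append(f"only {len(cs)} copies (need 3)")
        if len({c.medium for c in cs}) < 2:               # the "2"
            problems.append("all copies on one medium")
        if not any(c.offsite for c in cs):                # the "1"
            problems.append("no off-site copy")
        if not any(c.physical for c in cs):               # article's extra point
            problems.append("no physical copy")
        findings[name] = problems
    return findings


def datasets_failing(copies) -> list:
    """Sorted names of datasets with at least one problem."""
    return sorted(name for name, problems in check_3_2_1(copies).items() if problems)


if __name__ == "__main__":
    for name, problems in check_3_2_1(SAMPLE_INVENTORY).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Two cloud regions with the same provider still count as one medium and no physical copy here, which is exactly the gap the article warns about: provider downtime or a breach of the provider takes every copy with it.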

Of course, there are many other layers to the new Cyber Security Strategy for Health and Social Care. Awareness, education and training, for example, are highlighted as strong tools for reducing the carelessness that lies behind many breaches. Such efforts must also be backed by the right protocols, processes and technologies to take responsibility off individual employees, minimise human error and drive security best practice.

By adopting the right tools, expertise and solutions, organisations can take some simple yet profoundly important steps to ensure they are aligned with security best practice.

In following these four steps, healthcare institutions will be well placed to achieve effective, multi-layered security capable of mitigating modern cyber threats.

Jon Fielding is managing director, EMEA, for Apricorn.