27th September 2019 Written by Skills for Health

What is cyber security?

Many people will wrongly assume that cyber security is all about technology, and if you have a piece of software or system in place that protects your organisation, nothing can go wrong.

The common misconception that technology is the only contributing factor in determining whether your organisation is secure is a huge risk not only to your patients and service users, but also to your staff. Technology is of course a key component in reducing the risk of cyber-attack, but there are two other considerable factors that many may neglect.

Cyber security is essentially one element that needs careful consideration, forming part of your organisation’s overarching information security management processes. The three pillars of cyber security focus on People, Processes and Technology.

What are the three pillars and what do they mean?

As mentioned, cyber security is based on three pillars. For the most part, technology and process can be implemented and support organisations in delivering a robust plan to tackle cyber security. The third pillar, which focuses on people and behaviour, may mean organisations need to consider a long-term approach to embed good working practices amongst their workforce to enhance cyber security.

‘People’ is naturally the pillar that has the most risk associated with it, as human error and human intervention are more difficult to predict and guarantee than systems and software. Training, awareness and resources are therefore key to supporting the workforce in being the ultimate defence against cyber-attacks.

‘Processes’ are an element of the three pillars that ultimately rely on having the right technology and the right training of people, in order to be successful. Processes could include auditing, frameworks, risk assessments and the use of management systems to support best practice. Processes rely on the people who follow them, and the training your workforce receive to be able to adhere to them.

‘Technology’ is of course crucial to managing and reducing the risk of cyber-threats to an organisation, particularly in the NHS, where records and potentially sensitive data are shared across hundreds of people, systems and buildings. The NHS simply could not survive without access to this data, and instances like ‘WannaCry’ identified just how reliant the UK health sector is on technology and access to data. The more that the healthcare workforce rely on technology and systems to provide better patient care, the more critical it is to have the correct software in place to protect those processes and access to data. Technology is, however, only as good as the people using it, so it’s vital to choose technology that meets the needs of the workforce and is simple yet effective for staff to manage.

It’s vital that every person in your workforce, including volunteers and contractors, is aware of their role and responsibility in reducing the risk of cyber threats. Individuals in your workforce may need additional training to enhance their knowledge, particularly if handling sensitive data such as patient and staff records. Nonetheless, all staff in the workforce need a basic level of training and awareness, to reduce the risk of cyber attacks such as the WannaCry attacks in 2017.

How can the NHS improve cyber security?

Technology and how it is implemented to support the UK healthcare workforce has been top of the agenda for some time, with a key aim from the NHS Interim People Plan being to ‘Develop a workforce to deliver 21st century care’, using technology and innovation.

With new technology come new challenges and risks, and it’s crucial for NHS leaders to identify these risks when implementing any new technologies or processes in their organisation, as well as maintaining cyber security throughout their existing channels.

Ultimately, ‘people’ are the number one factor that can make or break a robust cyber security programme for organisations. With appropriate training, awareness raising and guidance, the NHS can support the workforce to be the ultimate defence against cyber threats.

Every person working in the NHS has responsibility, and employers have a responsibility to support their workforce with ongoing training.

Skills for Health have recently launched a new partnership with CybSafe, the world’s first intelligent cyber security awareness, behaviour and culture platform that reveals and responds to reliable metrics and data-driven insights to actively manage human cyber risk. The new partnership is perfectly suited for healthcare organisations to understand, train and embed cyber security best practice, and ensure the healthcare workforce are well-equipped to manage cyber threats.

Want to know more about CybSafe? Get in touch today.