Cyber resilience in care – strengthening the weakest links

In today’s interconnected world, the digital supply chain forms the backbone of countless industries, ensuring the seamless flow of information, goods and services. The care sector is no exception, and as our reliance on digital systems deepens, so does our vulnerability to cyber threats.  

Ahead of her discussion panel at the HETT 2023 conference, Michelle Corrigan, Programme Director of Better Security, Better Care explains why care services should prioritise the security of its digital supply chain, and what practical steps can be taken to strengthen it.  

Care services are a link in a much larger digital supply chain. Consider, for instance, the people and partners that you store and share information with in order to deliver quality care. It’s becoming widely recognised across the sector that the use of data across systems can have a positive impact on care delivery and outcomes. 

The introduction of Integrated Care Systems (ICS) last year is a good example of how the NHS is adapting its own structure to work collaboratively with other partners across health and social care. Services are joining up to improve the lives of people who draw upon health and social care, and sharing information is a key component of that. 

We’re seeing changes locally, too. More care services than ever are adopting digital solutions to help deliver care. Consider, for instance, the digital care planning software that many providers use to coordinate care. These sophisticated platforms help care providers maintain accurate records, streamline administrative tasks, and store lots of personal and sensitive information about service users.  

And it’s good to be using digital systems to help us do our jobs. The benefits are overwhelmingly positive and they have the potential to create innovative change for our sector.  

But in the same way we would lock away our paper files in cabinets, we need to think about the controls we have in place for our digital systems – and the supply chain is a key part of that.  

Weak links 

If you’re sharing or receiving information digitally with others, it’s important that you’re maintaining good cyber security practices. A weakness in one of your systems can trigger a domino effect, impacting not just your own business but also the partners you work with. 

Cyber criminals know this, and once they exploit a vulnerability, the impact of their actions can spread rapidly, making it difficult to stop them.  

Attacks on the supply chain are common, and cyber criminals are known to target businesses with ransomware attacks. A ransomware attack occurs when a criminal blocks access to data and demands a ransom in order to release it or prevent it from being published on the dark web. It’s one of the most insidious attacks out there and can devastate a care provider.  

The level of impact an attack like this could have on your service, and the supply chain, can very much depend on the measures your business already has in place.  

Checking and improving your own security systems is important, but there are steps care services can take to manage their digital supply chain.  

Become a resilient link  

Make sure you’re not the weak link in the supply chain. If you’re using any kind of digital system to support with any part of your business, then including cyber in your business continuity plan is a necessity – not an option.  

A robust business continuity plan not only addresses the traditional risks your business might face, but should also anticipate and mitigate against cyber disruptions that can have an equally devastating impact on your service delivery.  

Taking a proactive approach to your cyber resilience which recognises that cyber attacks are no longer a case of ‘if’ but ‘when’ will bolster your overall business stability and earn the trust of your clients, their families, and commissioners. 

Adding cyber to your business continuity plan is a relatively simple process that will tell you what to do in the event of a system going down. For example, if your rostering system went down, your business continuity plan should detail the use of backups and how backups are stored. Then you can rest assured that you have an alternative in place which means the impact on your business in the event of a cyber incident is reduced.  

If you’re sharing information digitally with others, everyone in the supply chain should be confident that you are all following good practices. A helpful way you can demonstrate that is by completing the Data Security & Protection Toolkit (DSPT).   

The DSPT is a useful tool that you can use to take a bird's eye view of your business, the digital systems you are using and the protections you have in place for each. One of the requirements requires you to list the IT suppliers your business uses.  

Good suppliers should let you know your responsibilities and offer options to reduce your risk of cyber threats. At Better Security, Better Care, we have a template you can use to list your suppliers. You can analyse them and assess which ones have access to particularly sensitive or valuable data. Consider what the implications of a cyber attack would be on one of those suppliers and check how that risk is managed.  

You can also undertake a basic assessment and achieve a Cyber Essentials certificate. You can ask your suppliers to seek out a Cyber Essentials Plus certification.  

Digital systems are transformative tools that offer great opportunities for social care. They can improve care quality, provide quicker access to critical data, and help care services to make more informed decisions for the well-being of their clients. 

Everyone in the digital supply chain has a responsibility to safeguard these systems from the pervasive threat of cyber attacks. Checking the resilience of your supply chain and strengthening your own measures is probably easier than you think, and not a bad place to start.  

Further information 

Better Security, Better Care is a national programme which support adult social care providers with their data and cyber security arrangements.