This week, the BBC TV series Casualty and Holby City were hit by a devastating cyber-attack in a crossover joint episode. Healthcare establishments may be used to treating infectious diseases on a daily basis, but when Holby and Casualty are hit by a computer virus this week, the whole building is thrown into total panic!
During this catastrophic cyber breach, vital computer software is wiped, medical equipment is disabled, and medical staff are thrown into chaos. The dramatic episode, which marks the 20-year anniversary of Holby City, sees the hospital wards plunged into complete pandemonium.
How did the cyber-attack affect Holby City?
The issues begin when vital hospital machinery starts to falsely report that patients are going into cardiac arrest. Soon it becomes clear that their systems have been hacked and they are under attack! Many of the vital machines are affected, including automated monitoring equipment, life support machines and CT scanners. This lack of technology throws the medical staff back into the dark ages. Without this life-saving medical equipment, patients’ lives are in serious jeopardy.
What are the potential consequences of an NHS cyber-attack?
- A cyber-attack could impact medical equipment. In the worst-case scenario, if emergency medical equipment is corrupted, this could result in patient deaths.
- It could affect scheduling patient appointments. Without being able to access records, surgeons and doctors are unable to carry out appointments or even life-saving surgery.
- If medical professionals are locked out of internal systems, they may be forced to move to a paper-based system. This could result in appointments being cancelled for weeks.
- A really sophisticated and destructive cyber breach may destroy backups of patient data with no rollback possible.
- If the IT team built a completely flat network, this could allow malware to spread across the entire hospital in a matter of minutes. This could send all systems into complete shutdown, affecting operating theatres, A&E and patient record systems.
The real-life TV drama: the WannaCry ransomware attack
This fictitious storyline may provide nail-biting drama for the viewers of the BBC one-off special. However, this drama was the NHS’s reality back in May 2017 when WannaCry hit.
As we all know, this worldwide ransomware attack severely disrupted the NHS. Not only were 80 out of 236 NHS trusts attacked, a staggering 595 GP surgeries were also infected with the virus. The NHS was completely paralysed, systems were shut down, thousands of appointments were cancelled, and important patient records were unavailable.
To avoid a repeat of this hugely disruptive cyber breach, the NHS had to ensure they learnt from their mistakes. Last year the NHS published a document titled ‘Lessons learned review of the WannaCry Ransomware Cyber Attack’ which stated: ‘This disruption to patient care has made it even clearer how dependent the NHS is on information technology and, as a result, the need for security improvements to be made across the service.’
The NHS DSP toolkit
The NHS needed to make some big adjustments to ensure their systems and processes are robust and impenetrable. In April 2018, NHS Digital introduced the new Data Security and Protection Toolkit. The DSP toolkit aims to help healthcare organisations achieve an appropriate level of cyber security to ensure patient data is protected.
The Data Security and Protection Toolkit is an online self-assessment tool that allows NHS Trusts and healthcare organisations to measure their cyber security processes against the National Data Guardian’s 10 data security standards.
The DSP Toolkit will apply to all healthcare organisations; this includes NHS trusts and their industry partners. To comply with the DSP framework, healthcare organisations need to demonstrate that they are putting the ten data security standards recommended by the National Data Guardian Review into practice. Head to our DSP Toolkit web page to find out more about these standards.
The deadline for submission is 31 March 2019.
How can Equilibrium help with DSP Toolkit compliance?
Data Security Standard 9 states: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually. As part of this, organisations must ensure their web applications are secure against top 10 vulnerabilities and undertake a penetration test annually.
Here at Equilibrium, we are one of the few Cyber Essentials certification bodies in the Midlands area. Equilibrium is a Certification Body under the accreditation body IASME. We can offer Cyber Essentials, Cyber Essentials Plus, IASME Governance and GDPR Readiness Assessments as a Certification Body.
We are also CREST-accredited ethical penetration testers. This accreditation is what the DSP toolkit would call a ‘proven cyber security framework’ which can be used to protect your infrastructure from cyber threats. It also demonstrates that we have up-to-date knowledge of the latest vulnerabilities and techniques used by real attackers.
Our Penetration Testing service is an excellent way to work towards achieving compliance for Standard 9 of the toolkit. The aim of a penetration test is to simulate a malicious hack on a network to evaluate the effectiveness of the security in place.
The deadline for achieving compliance is the 31st March 2019. If you would like to find out more about the ten standards and how we can help you achieve NHS DSP toolkit compliance, please click here to head to our web page.
Please give us a call on 0121 663 0055 or fill in the form below if you would like to chat to an expert in more detail!