Just keep patching

Coronavirus: NHS delays security audit amid Covid-19 crisis

The UK’s National Health Service (NHS) has delayed the submission of its annual security audit in order to ease the strain caused by the global coronavirus outbreak.

NHS trusts, which include hospitals, clinics, and doctors’ surgeries, will now have until the end of September to file their Data Security and Protection Toolkits (DSPT), used to assess an individual healthcare organization’s current cybersecurity posture.

The announcement was made last week when NHSX, a policy-setting organization that’s driving the digital transformation of the UK’s national healthcare provider, said it would be difficult for healthcare bodies to “fully complete the toolkit without impacting on their Covid-19 response”.

According to a statement published on the NHS Digital website, many organizations should be close to completing their cybersecurity assessments, which were originally due to be filed by the end of March.

Cyber health check

Launched in 2018, the DSPT is an online self-assessment tool that replaces the previous NHS data security assessment mechanism.

A 2018 report by the Public Accounts Committee, produced in response to the devastation caused to more than a third of NHS trusts during the 2017 WannaCry ransomware attack, and before the launch of the new DSPT, demonstrated that 200 NHS affiliates had failed on-site security audits.

Now, if an NHS provider is connected to a national system, they are required to demonstrate the achievement of mandatory data security standards through a completed DSPT assessment each year.

The aim of this process is to ensure information security compliance across the UK’s healthcare sector and a reduction in the likelihood of cyber-attacks or sensitive data being accessed by an unauthorized third party.

The DSPT assessment adheres to the UK’s Cyber Essentials scheme, a government-led certification assurance program designed to protect organizations against digital threats.

UK hospitals are feeling the strain of the coronavirus crisis

High alert

The DSPT can undeniably improve a healthcare organization’s cyber hygiene. As of June 2019, 27,000 British businesses had made use of the scheme and protected themselves from the most common online threats.

Although the recent announcement from NHSX gives healthcare affiliates until September 30 to submit their assessments, the news came with a warning that all companies should remain on high alert.

“Whilst the DSPT submission deadline is being relaxed to account for Covid-19, the cybersecurity risk remains high,” NHSX said in its statement, published on March 16.

“All organizations must continue to maintain their patching regimes,” it added.

“Trusts, CSUs [Commissioning Support Units] and CCGs [Clinical Commissioning Groups] must continue to comply with the strict 48hr and 14 day requirements in relation to acknowledgment of, and mitigation for, any High Severity Alerts issued by NHS Digital (allowing for frontline service continuity).”

Cybercrime opportunists

The six-month hold on DSPT submissions follows comments made by Sarah Wilkinson, chief executive of NHS Digital, warning of cybercriminal “opportunism” in the wake of the pressure put on the nation’s health service during the ongoing Covid-19 pandemic, Health Service Journal reports.

Cybercriminals have increasingly been leveraging concerns over the recent global panic, enticing internet users with free health advice, including last week’s phishing campaign impersonating the World Health Organization.

An NHS Digital spokesperson told The Daily Swig: “The Data Security Centre continues to work hard and effectively to obtain threat intelligence to identify and proactively block threats before they reach the system.

“Along with other proactive activities we are advising organizations to remain vigilant to any suspicious emails from people they do not know, to follow our guidance on reporting them, and to ensure virus definitions are updated and security vulnerabilities are patched.”

The risk of exploitation and breach in cybersecurity defenses – whether by a monitor left open or link clicked due to employee exhaustion – remains a growing NHS health and safety issue that may soon reach a boiling point, despite the years-long effort to “aggressively” reform one of the world’s most recognized healthcare systems.

To help prevent an already concerning health disaster from getting any worse, security firms including Kaspersky and Bitdefender have made some of their products and services freely available for NHS use amid the Covid-19 pandemic.

Microsoft is also providing its Microsoft Teams collaboration tool for free to NHS staff members in order to secure communication between workers, both on and off the frontline of the global health crisis.
