In recent years, the scale and scope of cyberattacks have increased dramatically. So, too, have the complexity and dynamism of organisations’ IT infrastructures. Collectively, this means that businesses have had to shift their attitude towards information security from passive defence to active, continuous monitoring of the threat landscape.
The introduction of GDPR has placed new restrictions on organisations that suffer data loss. Such breaches must now be reported comprehensively and in a timely fashion; there is nowhere to hide for organisations that fall foul, whether by accident or due to malicious activities.
As we saw from the recent Morrisons breach – where the payroll data of around 100,000 employees was maliciously leaked, leading to the first data class action lawsuit in the UK – the fallout from such an incident can be hugely expensive in terms of compensation alone. There are also costs associated with simply repairing and bolstering the IT infrastructure, and managing the reputational impact following an attack. Non-compliance with GDPR also leaves organisations liable for fines of up to 20 million Euros, or 4% of annual global turnover, whichever is higher.
Implications for the NHS
All of this is concerning for private organisations, but more so for publicly-funded institutions like the NHS, which has a duty to protect taxpayers’ money.
The NHS is a rich target for cybercriminals. It handles huge volumes of extremely sensitive data, and it can be a profitable target for ransomware attacks, which demand payment in return for unscrambling key systems. In 2017, the global WannaCry attack led to nearly 20,000 cancelled hospital appointments in the UK. The Department of Health and Social Care (DHSC) estimates the breach cost the NHS £92m in direct costs and lost output as a result of disruption to services. This doesn’t factor in the penalties that could have been levied under GDPR, or the class action lawsuits from patients that would surely follow.
The NHS is considered a vulnerable target because many parts of it rely on older technologies and operating systems, which leaves them susceptible to attack. The organisation is so sprawling and complex – and driven by the need to be cost-effective – that it isn’t always possible to run the latest next-generation security tools, or to integrate its many moving parts in the most secure way.
What is more apparent is that the NHS would simply be unable to cope with enormous payouts or fines in the aftermath of a serious incident – it is under enough cost pressure as it is. Could a severe cyberattack or data breach, then, be the end of the free National Health Service?
The solution: robust, automated risk assessment
The challenges we have discussed explain why it is so vital for healthcare organisations, especially the NHS, to undertake thorough risk assessments of their cybersecurity posture. This means responding proactively to the specific risks around the sensitive data they transmit, and around the older, siloed technology that makes up their IT infrastructure.
Whether this goes as far as completing ISO 27001 certification or stops at systematic, automated security checks, it is important that robust protocols are in place.
ISO 27001 is the gold standard for developing and measuring an effective cybersecurity framework, and enables organisations to develop, deploy and manage cybersecurity tools and processes that are tailored precisely to their own risk posture.
vsRisk from Vigilant enables organisations to produce consistent and reliable risk assessments year on year, and protect themselves from the potentially devastating impact of fines levied after a cyberattack.