In May 2019, the Institute of Public Care, which is part of Oxford Brookes University, published its annual ‘Adult Social Care Data and Cyber Security Programme’ report.
The study devised a traffic light risk categorisation model, which rated care services on how fit and able they were to cope for 48 hours (if key systems did go down due to a cyber security issue).
Of the 70 care services interviewed, the researchers placed two thirds of them in the green category, a quarter in amber and seven percent in red. However, this study – and the results that followed – were collated seven months before COVID-19 first surfaced. The COVID-19 pandemic has of course brought about profound and sweeping change to the social care sector. As a result, the narrow lens through which we once evaluated cyber security has changed forever.
The pandemic was the catalyst for this remarkable sea change. It ruthlessly laid bare the fact that a largely paper-based sector was very much on the back foot when it came to the adoption of next generation technology systems.
That prism, therefore, immediately widened as more services began to suddenly embrace video based platforms, state-of-the-art digital care planning systems and a host of SaaS platforms to improve a lack of digital efficiency and effectiveness.
The current level of cyber threat
While it’s extremely difficult to accurately evaluate the current level of cyber security risk to the social care sector, research published by Digital Social Care and Skills for Care reveals that one in ten care providers experienced a cyberattack or data breach in the last year.
As for the greatest cyber security risks the sector faces, as QCS’s Chief Technology Officer, I would say that three huge challenges persist: ransomware (malicious software which blocks access to a computer until a ransom is paid), phishing attacks (which trick care workers into sending sensitive information) and malware (software which destroys computer systems). These are the three greatest cyber risks for care staff.
However, it is perhaps a lack of holistic cyber security training which fails to join the dots when it comes to educating care staff on the unintended consequences of their actions. What do I mean? Well, cyber training might suitably equip staff with the knowledge and skills to spot a phishing, malware or ransomware attack, but according to joint research published by Digital Social Care and Skills for Care “43 percent of providers used a mixture of company devices and their own devices for work”.
What happens, therefore, when a care worker takes their Bring Your Own Device (BYOD) home and lets their youngest child play on it? If their son or daughter is not supervised, it is not just the phone, but the care service too that is vulnerable to cyberattack. Just how common a problem this is, or could become, is unclear. That said, we do know that 60 percent of attacks are carried out by people working within an organisation, and that one quarter were conducted by “inadvertent actors”. If this statistic, which was first revealed in the 2016 Cyber Security Index, still holds water, then it could spell problems for a deeply fragmented sector made up of a legion of small providers.
Cyber security architecture that every care provider should implement
So, what technology and effective training courses can Registered Managers put in place to protect their organisations from attack? At QCS, the leading provider of content, guidance and standards for the social care sector, we advocate the use of Multi-Factor Authentication (MFA). This may sound complex, but anyone who does internet banking will be familiar with the process. It essentially asks users for two pieces of evidence to prove their identity.
While I believe MFA is extremely effective, it should be a minimum requirement and be used in all its different forms – from the minute a person starts a job to when they leave their post. But care services also need to implement Single Sign On (SSO) systems. This leading-edge architecture enables users to access multiple applications using a single username and password. If there is a cyberattack, the advantage of SSO is that it allows a data officer to close down every single system that every employee uses in one fell swoop.
When you consider that staff use a patchwork quilt of systems, each one requiring a different password, the cost of not having SSO suddenly becomes evident. At best, data officers are given the herculean task of decommissioning each account manually. At worst, and especially if the care service is large, a non-SSO system could result in a malware or ransomware attack burrowing its way deeper into the system and in the worst case scenario, paralysing it.
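The two points above (MFA as the minimum bar, and SSO so that one action closes every system) can be made concrete with a small model. The following is an added example written for this article, not QCS code or any vendor's product: a toy identity provider that demands a password plus an RFC 6238 time-based one-time code, issues a single session token that several care applications trust, and offers one `disable_user` call that cuts the user off everywhere. All user names, application names and secrets are constructed for the illustration.

```python
"""Toy SSO identity provider with two-factor login (constructed example)."""
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class IdentityProvider:
    """Holds the only copy of credentials; applications never see a password."""

    def __init__(self):
        self._users = {}     # username -> credential record
        self._sessions = {}  # session token -> username

    def enrol(self, username: str, password: str) -> bytes:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        totp_secret = secrets.token_bytes(20)  # would be handed to the authenticator app
        self._users[username] = {"salt": salt, "pw_hash": pw_hash,
                                 "totp_secret": totp_secret, "active": True}
        return totp_secret

    def login(self, username: str, password: str, otp: str, now: float = None):
        """Both factors must pass; returns a session token or None."""
        rec = self._users.get(username)
        if rec is None or not rec["active"]:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(candidate, rec["pw_hash"]):
            return None
        now = time.time() if now is None else now
        # accept the current step and one either side to tolerate phone clock drift
        if not any(hmac.compare_digest(totp(rec["totp_secret"], now + d), otp)
                   for d in (-30, 0, 30)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def validate(self, token: str):
        username = self._sessions.get(token)
        if username is None or not self._users[username]["active"]:
            return None
        return username

    def disable_user(self, username: str) -> None:
        """One offboarding action: the account and every live session die everywhere."""
        self._users[username]["active"] = False
        self._sessions = {t: u for t, u in self._sessions.items() if u != username}


class Application:
    """An SSO-integrated application: it stores no passwords and defers to the IdP."""

    def __init__(self, name: str, idp: IdentityProvider):
        self.name, self.idp = name, idp

    def open_record(self, token: str) -> bool:
        return self.idp.validate(token) is not None


def demo(now: float = 1_700_000_000) -> dict:
    """Walk through enrolment, a failed and a successful login, then offboarding."""
    idp = IdentityProvider()
    apps = [Application(n, idp) for n in ("care-planning", "rota", "medication-record")]
    secret = idp.enrol("carer.jane", "correct horse battery staple")  # constructed
    good_otp = totp(secret, now)
    wrong_otp = str((int(good_otp) + 1) % 1_000_000).zfill(6)
    results = {"password_only": idp.login("carer.jane", "correct horse battery staple", wrong_otp, now)}
    token = idp.login("carer.jane", "correct horse battery staple", good_otp, now)
    results["both_factors"] = token is not None
    results["apps_before"] = [a.open_record(token) for a in apps]
    idp.disable_user("carer.jane")          # the "one fell swoop" the article describes
    results["apps_after"] = [a.open_record(token) for a in apps]
    results["relogin_after_disable"] = idp.login("carer.jane", "correct horse battery staple",
                                                 totp(secret, now), now)
    return results


if __name__ == "__main__":
    print(demo())
```

The contrast with a non-SSO estate is the `disable_user` method: here it is one call against one record, whereas with a separate account in each application the data officer must find and close every one, and any account missed stays open.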
Knowledge – the most effective form of encryption
At QCS, we believe real-world knowledge training to be the most effective and inexpensive method of encryption. Once staff have fully digested the QCS policies and other best practice content, such as the NHSX Toolkit, we continue awareness training by encouraging staff to watch a series of YouTube videos. They are extremely effective because the videos use real-life scenarios to educate staff on the importance of maintaining password hygiene, while revealing the tricks that hackers use, and then highlighting how the threat can be best countered. Video-based learning is then supplemented by a series of robust policies and procedures, which are constantly updated.
But, to really neutralise the cyber threat, care services must also instil a culture of cyber hygiene in a care service. It starts from the top. Care managers should adopt the ‘defender’s dilemma’. This essentially means considering every possible vector of attack which hackers could exploit. However, with the pandemic opening the floodgates to the implementation of a myriad of different technologies, which are often interlinked, hackers only need to make good on one cyber vulnerability in the care service application infrastructure. Therefore, ensuring everyone has robust and up-to-date training is imperative.
To harden IT infrastructure, I would recommend that every service complete the Data Security and Protection Toolkit (DSPT), which effectively demonstrates that providers are complying with ten data and security standards set by the National Data Guardian. The DSPT is an excellent resource because it really helps services to focus on their cyber security posture and digital hygiene responsibilities.
However, the DSPT cannot be considered a panacea all on its own because it is merely a self-certification tool. It relies on Registered Managers, who are experts in dispensing care but not necessarily adept in cyber security, to possess a sufficient level of knowledge to complete the form. If they don’t have the requisite understanding, then there is a clear and present danger that some of the systemic underlying cyber security issues that affect the sector are not brought to the surface, which could be hugely damaging. To increase cyber security knowledge, therefore, I would encourage providers to utilise the Better Security, Better Care programme, which has been specifically designed to help care services work through and complete the DSPT.
The role of the CQC
I think, therefore, to really ensure a secure operating environment for all, it needs the Care Quality Commission (CQC) to include cyber security and data hygiene as part of its assessment criteria. I am not alone in reaching this conclusion. In Oxford Brookes’ ‘2019 Adult Social Care Data and Cyber Security Programme’ report, one of its recommendations before the pandemic was “to explore how the DSPT toolkit could be incorporated as part of the evidence inspectors use to make assessments of social care providers”.
While the CQC says that the “use and security of records and data” is covered in its current assessment framework, a blog post by David James, the Head of Adult Social Care Policy at the CQC, for Digital Social Care in June confirms that it is still not a CQC requirement for care services “to complete the (DSPT) toolkit in order to demonstrate compliance within CQC standards”.
A CQC Spokesperson added, “We recognise that care providers’ data and cyber security arrangements can help shape outcomes for people using services. We launched our new strategy earlier this year, and are currently updating our assessment framework. As part of this we are exploring how the Data Security and Protection Toolkit can be incorporated within the evidence we consider on inspections. It is anticipated that this work will be rolled out in stages early next year.”
If the regulator were to take this single step, then I believe that the IT systems of individual providers, the local services that they draw upon and the supply chains that surround them would be much better insulated from cyberattack. Indeed, if the chain is only as strong as the weakest link, then reinforcing every individual node makes good sense.
With special thanks to Digital Social Care and Fiona Richardson, Programme Director for the Institute of Public Care.
The article was first published in The Carer – Issue 72