Over half of health and social care businesses hit by cyber attacks

Social care environments, including care homes, domiciliary care providers, hospices and supported-living locations, are finding themselves increasingly susceptible to cyberattacks.

Cyber criminals are constantly on the lookout for the easiest targets, and they see health and social care as vulnerable, due to the amount of personal data being used and stored.

In fact, healthcare has been named the third most frequently targeted sector[1], with over half of health and social care businesses hit by cyber attacks[2].

With the care sector being financially stretched, finding money for installing the latest technological upgrades, to help avoid cyber-attacks, is not easy.

As a result, many social care businesses find themselves operating with only modest cybersecurity budgets, limited IT support and outdated systems.

But there’s still a lot that can be done to stay ahead of cybercrime and mitigate risk.

Understanding the threat


Many health and social care providers are entrusted with sensitive patient or resident data, which makes them a prime target for cyber gangs seeking to steal this information for financial gain.

Sharing this kind of data with other professionals and businesses in the sector via common online channels and platforms significantly expands the threat landscape. This is therefore an area where action can be taken to prevent attacks.

Poorly protected networks can serve as gateways for cybercriminals to infiltrate health and social care organisations, even government entities, placing social care establishments at risk of cyber claims.

Cyber incidents typically lead to financial losses, business interruption or damage to reputation, and in health and social care the consequences may extend far beyond that. For instance, identity theft may occur when attackers gain access to critical information such as National Insurance numbers, which can lead to a privacy liability claim from the individual(s).

In another case, in August 2023, revenue across Caremark’s franchise network dipped after half its franchisees were impacted by a cyberattack on a rostering system.[3] The problem took five months to remedy.

What can businesses in this sector do to protect themselves?

Reducing human error


Human error is frequently overlooked, yet it, rather than the technology, is often the biggest problem when it comes to exposing organisations and clients to cyber-related harms. For example, in a distracted moment, mistakes such as clicking on a phishing link or sending confidential information to the wrong person can happen.

Sometimes it can seem easier to stick with a familiar password rather than memorising something more robust, or to wait until a less-busy period to action software updates.

Therefore, it’s within all our powers to be more aware of cyber risks. For team leaders, making sure people understand the gravity of skimming over these essential steps will go a long way to bolstering protection.

Education and protocols

Education remains one of the best defences against cybercrime, as does understanding the potential weaknesses. It’s also important to put organisational protocols in place. These issues must be dealt with at governance level, as the operational, financial and reputational consequences of a cyber incident may threaten the survival of a health and social care organisation.

Examples of good protocol include:

  • Implementing multi-factor authentication (MFA) for remote access
  • Establishing privileged access management (PAM) and meticulous permission control throughout the IT infrastructure
  • Employing reliable antivirus software
  • Maintaining secure offline backups
  • Securing any Remote Desktop Protocol (RDP) access from external networks
  • Adhering to rigorous software update and patching procedures
  • Conducting comprehensive employee awareness training
  • Utilising password management software
  • Conducting annual penetration testing
  • Creating an Incident Response Plan and ensuring those in the organisation know the processes to follow after an incident

October 2023 is Cybersecurity Awareness Month, with businesses all over the world encouraged to help employees take cybercrime seriously – and not just the IT team. So, it’s a good time to look out for tips and advice.

Our Cyber Insurance Report 2023 outlined the size of the risk but also the value of increased risk mitigation, cyber awareness and cyber insurance.

Businesses in all regions continue to rank cyber as one of their most pre-eminent risks according to the report – with business interruption one of the more dominant exposures.

The latest version of the report also indicates that ransomware activity in 2023 is up by nearly 50% compared with 2022.

What’s more, average ransom payments in early 2023 were close to double those paid in 2022.[4]

The value of cyber insurance


As a result of the increased threat, more health and social care organisations are coming to realise that a stand-alone cyber insurance policy should no longer be regarded as a discretionary spend.

Today, such a policy is essential for businesses to mitigate the associated financial, legal and reputational risks. Having additional coverage outside the traditional standard business insurance suite is a prudent and responsible risk management strategy.

If you’d like to talk through your cybersecurity options, you can speak to an expert at Howden by calling 0117 205 1850 or emailing [email protected].