Cybercrime is the fastest growing crime in the world. We’ve put together some information to help hospice senior leaders and trustees understand and mitigate the risks.
In 2023, 24% of charities recalled having a cyber security breach or attack in the last 12 months. For charities with £500,000 or more of annual income, this figure increased to 56% [1].
Breaches of cyber security can carry several risks for hospices:
Loss of sensitive patient data
Loss of referrals
Loss of money (including potential ransom)
Loss of employee data
Operational downtime
Being the subject of action from regulators
Reputational risk.
Hospice leaders do not need to be experts on cyber security, but they do need to understand the potential problems and take appropriate steps to protect their systems.
Key responsibilities for trustees are:
Understanding the risks and potential impact of a cyber attack
Taking steps to control risk and putting appropriate measures in place
Make sure there are enough resources available to protect your hospice from a cyber attack, and that they are being used appropriately.
Identifying risks
Text
Make sure cyber security is discussed at senior leadership and trustee meetings. It should be included on your risk register.
Potential threats to consider include:
Hacking is when somebody gains unauthorised access to an account or computer system. It isn’t always malicious, but is often associated with illegal activity and/or data theft.
Malware is any type of malicious software that is designed to harm computer systems.
Phishing is a scam, where attackers imitate a website or a person to deceive victims into sharing personal data or sending money. Sometimes this might include tricking someone into downloading malware. Most attacks start with phishing emails, and these are becoming more sophisticated using Artificial Intelligence to improve grammar.
Ransomware is a type of malware that blocks your access to data or encrypts it unless you pay a ransom to get it back. Attackers might also threaten to leak data unless you pay them.
Scammers are now able to use Artificial Intelligence to imitate a person, including their voice and appearance. This means they can make a call posing as someone else, to trick people into sharing sensitive data or sending money.
Prevention
Text
There are several steps you can take to protect your IT systems and mitigate the risk of a cyber security breach. These include:
Make sure all your essential data and systems are regularly backed up. All back up data should be stored securely and in a remote location.
Keep up-to-date with and follow best practice for cyber security. Consider becoming certified by an organisation like Cyber Essentials.
There are a range of systems that can identify and alert you to any unusual or malicious activity in your network. This might include people accessing files they do not normally use, files being changed or removed unexpectedly, or data being downloaded or changed without authorisation. Test your security systems regularly.
A firewall creates a barrier between your hospice’s network and the rest of the internet. It monitors and controls the traffic going to and from the network.
Make sure you are only processing and storing the data that you need. If it is no longer necessary to keep data, make sure it is archived or deleted following secure processes.
Multi-factor authentication (MFA) helps protect sensitive data by asking someone to prove their identity using more than one method. This is more difficult for hackers to replicate than using a password.
Make sure that any third party providers you use have robust security measures for any data you share with them. If they need to have access to your network, make sure they are doing so securely. Ensure that they are meeting industry standards and have relevant accreditation from a body such as Cyber Essentials.
All staff and volunteers need to understand the basic principles of cyber security and follow your security processes. If you are using tools such as MFA, you need to make sure everyone is able to use them. You could use ‘test scenarios’ to help make sure your staff are prepared to recognise and respond to threats.
The National Cyber Security Centre provides a free tool called Exercise in a Box, which allows you to test and practice your response to a range of cyber attacks.
Scan your systems regularly for any vulnerabilities. Make sure you are using the current version of software.
Managing incidents
Text
Your hospice should have a recovery plan that you can follow in the event of a cyber attack.
This should include information about:
Who takes the lead on responding to cyber attacks (and who is their deputy if needed?)
How to access and use back up systems and data
Who you need to tell about the incident (for example key partners, suppliers, patients)
Any wider communications needed to minimise reputational damage
Contact details and policy numbers for your cyber insurance (if you have it).
After an incident, review your systems to see where improvements are needed. You should record all cyber security incidents and review your log regularly, to help identify any patterns.
