Covid-busy NHS postpones cyber-security audit

News by Chandu Gopalakrishnan

The annual data security audit of NHS organisations, due this month, has been postponed to the end of September

There will be a six-month delay in the crucial cyber-security resilience checks at NHS Trusts because resources have been diverted to handling the coronavirus outbreak, healthcare journal HSJ reported.

Organisations under the NHS have to submit their annual “data security and protection toolkit” (DSPT), which assesses their respective levels of cyber-security, to government regulators this month. The deadline has been extended to the end of September, the report said, citing the NHSX briefing.

NHSX is a joint unit launched last month to oversee the digital transformation and cyber-security of NHS services across the nation. The decision comes when NHS Digital is also managing online assistance for Covid-19 related services.

The decision is not surprising, KnowBe4 security awareness advocate Javvad Malik told SC Media UK.

“The coronavirus pandemic is unprecedented and has taken priority over all other issues. So, it is not surprising that the NHS has put all other projects on hold while they try to address the demands being placed on it.”

NHSX is in charge of assessing and issuing online isolation notices for suspected patients. NHS Digital is working on collecting and analysing data as part of measures to counter the spread of coronavirus. They are also in the process of developing a contact tracking app to monitor the spread of coronavirus.

However, this does not mean that the NHS has totally avoided all cyber-security related activities. They were in the process of phasing out legacy systems when the six-month delay was announced.

Healthcare authorities including the US Health and Human Services (HHS) Department faced cyber-attacks after the pandemic scare swept the world. The WHO was a particular favourite as a lure for phishing campaigns.

The sector has always been a lucrative target, owing to the rich user data and security lags that come with facilitating usability, noted Anna Russell, EMEA VP at comforte AG.

“The NHS must surely have an enormous treasure of sensitive data, so besides improving their perimeter defense, they should explore a data-centric security approach. That way, they could proactively protect their data against breaches and the numerous phishing scams that are flooding their way, instead of playing constant catch-up in terms of addressing the many different root causes that can lead to cyber-incidents,” she told SC Media UK.

“One of the best steps organisations like the NHS should consider is reducing their attack surface. That is to turn off all non-essential services while focus is being diverted towards combating the coronavirus,” said Malik. 

“Additionally, staff and patients should be reminded on a continual basis that scammers continue to operate and that any information regarding health services or government notifications will come through official channels only.”
