Cyber security is a critical business risk for the NHS, warns Barclays CSO
Tue 20 Jun 2017
Cyber security is a business risk and must be the responsibility of the person at the top of any organisation, says Christopher Greany, Head of Group Investigations at Barclays Chief Security Office.
Speaking about the recent cyber attack on the NHS when ransomware led to cancelled operations and diverted ambulances, he warns: ‘If the Chief Executive doesn’t understand the business risk of not having a good cyber security strategy that protects patients and the operating system of the business, it’s a business failure. For the NHS, cyber security is a critical business risk because the business of the NHS is keeping people alive and keeping them safe.’
Before joining Barclays, Greany had a policing career spanning over 30 years. He says the problem with cyber-attacks is that people in organisations are often complacent because this is not a visible physical threat. After a cyber-attack, the crime scene is not a visible one so once the threat is over people’s memories are not reinforced by how serious it was.
In the recent cyber-attack, no patient data was stolen, but Greany predicts that it will be only a matter of time before this occurs. Two massive data breaches last year, of the software company Sage and TalkTalk, compromised the personal information of thousands of employees and customers and should serve as a warning.
‘All data is valuable – names, addresses, dates of birth etc. Health data is about the wellbeing of citizens and will have a value somewhere. Terrorists, for example, could be interested in data about the current health of the nation or fraudsters could target people who are seriously ill by trying to sell them fake medicine. Criminals use information about people to trick them into parting with their money,’ he says.
Cybercriminals are finding new ways to breach the cyber defences of organisations all the time. ‘You can’t protect absolutely everything but you must try and protect what’s important,’ he says.
NHS organisations need to work out how to keep their data safe, including how they encrypt and store it, and there has to be major investment in IT.
‘An effective cyber strategy has to be about prevention because once the symptoms appear it is too late. This means you must understand what data you hold, you must make sure you have invested in your IT and that your systems are up-to-date and patched.
‘If you do all that you won’t be able to stop World War III but you will be able to look yourself in the mirror and say I did all I could,’ he says.
Christopher Greany will be giving a talk at the Digital Healthcare Show on 28th June at 12:00-12:30.