PAGE 4 | THE CARER DIGITAL | ISSUE 72
The Social Care Sector Must Do More To Harden Cyber Security and Improve Digital Hygiene
By Chris Cox, Chief Technology Officer, Quality Compliance Systems (QCS)
In May 2019, the Institute of Public Care, which is part of Oxford Brookes University, published its annual ‘Adult Social Care Data and Cyber Security Programme’ report. The study devised a traffic light risk categorisation model, which rated care services on how fit and able they were to cope for 48 hours if key systems went down due to a cyber security issue. Of the 70 care services interviewed, the researchers placed two thirds of them in the green category, a quarter in amber and seven percent in red. However, this study - and the results that followed - were collated seven months before COVID-19 first surfaced.
The COVID-19 pandemic has of course brought about profound and sweeping change to the social care sector. As a result, the narrow lens through which we once evaluated cyber security has changed forever. The pandemic was the catalyst for this remarkable sea change. It ruthlessly laid bare the fact that a largely paper-based sector was very much on the back foot when it came to the adoption of next generation technology systems. That prism, therefore, immediately widened as more services suddenly began to embrace video-based platforms, state-of-the-art digital care planning systems and a host of SaaS platforms to address a lack of digital efficiency and effectiveness.
THE CURRENT LEVEL OF CYBER THREAT
While it's extremely difficult to accurately evaluate the current level of cyber security risk to the social care sector, research published by Digital Social Care and Skills for Care reveals that one in ten care providers experienced a cyberattack or data breach in the last year. As for the greatest cyber security risks the sector faces, as QCS’s Chief Technology Officer, I would say that three huge challenges persist. Ransomware (malicious software which blocks access to a computer until a ransom is paid), phishing attacks (which trick care workers into sending sensitive information) and malware (software which destroys computer systems) are the three greatest cyber risks for care staff. However, it is perhaps a lack of holistic cyber security training which fails to join the dots when it comes to educating care staff on the unintended consequences of their actions. What do I mean? Well, cyber training might suitably equip staff with the knowledge and skills to spot a phishing, malware or ransomware attack, but according to joint research published by Digital Social Care and Skills for Care “43 percent of providers used a mixture of company devices and their own devices for work”. What happens, therefore, when a care worker takes their Bring Your Own Device (BYOD) home and lets their youngest child play on it? If their son or daughter is not supervised, it is not just the phone, but the care service too that is vulnerable to cyberattack. Just how common a problem this is, or could become, is unclear. That said, we do know that 60 percent of attacks are carried out by people working within an organisation, and that one quarter were conducted by “inadvertent actors”. If this statistic, which was first revealed in the 2016 Cyber Security Index, still holds water, then it could spell problems for a deeply fragmented sector which relies on a legion of small providers.
KNOWLEDGE THE MOST EFFECTIVE FORM OF ENCRYPTION
At QCS, we believe real-world knowledge training to be the most effective and inexpensive method of encryption. Once staff have fully digested the QCS policies and other best practice content, such as the NHSX Toolkit, we continue awareness training by encouraging staff to watch a series of YouTube videos. They are extremely effective because the videos use real-life scenarios to educate staff on the importance of maintaining password hygiene, while revealing the tricks that hackers use, and then highlighting how the threat can be best countered. Video-based learning is then supplemented by a series of robust policies and procedures, which are constantly updated. But, to really neutralise the cyber threat, care services must also instil a culture of cyber hygiene. It starts from the top. Care managers should adopt the ‘defender’s dilemma’. This essentially means considering every possible vector of attack which hackers could exploit. However, with the pandemic opening the floodgates to the implementation of a myriad of different technologies, which are often interlinked, hackers only need to make good on one cyber vulnerability in the care service application infrastructure. Therefore, ensuring everyone has robust and up-to-date training is imperative.
CYBER SECURITY ARCHITECTURE THAT EVERY CARE PROVIDER SHOULD IMPLEMENT
So, what technology and effective training courses can Registered Managers put in place to protect their organisations from attack? At QCS, the leading provider of content, guidance and standards for the social care sector, we advocate the use of Multi-Factor Authentication (MFA). This may sound complex, but anyone who does internet banking will be familiar with the process. It essentially asks users for two pieces of evidence to prove their identity. While I believe MFA is extremely effective, it should be a minimum requirement and be used in all its different forms - from the minute a person starts a job to when they leave their post. But care services also need to implement Single Sign On (SSO) systems. This leading-edge architecture enables users to access multiple applications using a single username and password. If there is a cyberattack, the advantage of SSO is that it allows a data officer to close down every single system that every employee uses in one fell swoop. When you consider that staff use a patchwork quilt of systems, each one requiring a different password, the cost of not having SSO suddenly becomes evident. At best, data officers are given the herculean task of decommissioning each account manually. At worst, and especially if the care service is large, a non-SSO system could result in a malware or ransomware attack burrowing its way deeper into the system and in the worst case scenario, paralysing it.
THE DSPT
To harden IT infrastructure, I would recommend that every service complete the Data Security and Protection Toolkit (DSPT), which effectively demonstrates that providers are complying with ten data and security standards set by the National Data Guardian. The DSPT is an excellent resource because it really helps services to focus on their cyber security posture and digital hygiene responsibilities. However, the DSPT cannot be considered to be a panacea all on its own because it is merely a self-certification tool. It relies on Registered Managers, who are experts in dispensing care, but not necessarily adept in cyber security, to possess a sufficient level of knowledge to complete the form. If they don’t have the requisite understanding, then there is a clear and present danger that some of the systemic underlying cyber security issues that affect the sector are not brought to the surface, which could be hugely damaging. To increase cyber security knowledge, therefore, I would encourage providers to utilise the Better Security, Better Care programme, which has been specifically designed to help care services work through and complete the DSPT.
THE ROLE OF THE CQC
I think, therefore, that to really ensure a secure operating environment for all, the Care Quality Commission (CQC) needs to include cyber security and data hygiene as part of its assessment criteria. I am not alone in reaching this conclusion. In Oxford Brookes’ ‘2019 Adult Social Care Data and Cyber Security Programme’ report, one of its recommendations before the pandemic was “to explore how the DSPT toolkit could be incorporated as part of the evidence inspectors use to make assessments of social care providers”. While the CQC says that the “use and security of records and data” is covered in its current assessment framework, a blog post by David James, the Head of Adult Social Care Policy at the CQC, for Digital Social Care in June confirms that it is still not a CQC requirement for care services “to complete the (DSPT) toolkit in order to demonstrate compliance within CQC standards”. A CQC Spokesperson added, “We recognise that care providers' data and cyber security arrangements can help shape outcomes for people using services. We launched our new strategy earlier this year, and are currently updating our assessment framework. As part of this we are exploring how the Data Security and Protection Toolkit can be incorporated within the evidence we consider on inspections. It is anticipated that this work will be rolled out in stages early next year.” If the regulator were to take this single step, then I believe that the IT systems of individual providers, the local services that they draw upon and the supply chains that surround them would be much better insulated from cyberattack. Indeed, if the chain is only as strong as the weakest link, then reinforcing every individual node makes good sense.
With special thanks to Digital Social Care and Fiona Richardson, Programme Director for the Institute of Public Care.
To find out more about the QCS or to purchase a subscription, please contact QCS’s team of advisors on 0333-405-3333 or email: sales@qcs.co.uk.
Residents at Hindhead Care Home Enjoy First Ride on New Trishaw Bike
Residents at a Surrey care home have been able to enjoy their first trip out on a new trishaw bike – enjoying a sunlit sightseeing tour of the estate where the home is located thanks to the efforts of a cycling charity. Cycling Without Age, a volunteer-led scheme which uses ‘pilots’ to take older members of the community out cycling, has recently completed fundraising efforts for its Guildford chapter, which enabled it to purchase a brand new trishaw bike for use in the community. Last week, residents at the Huntington & Langham Estate in Hindhead, whose staff helped fundraise for the endeavour, were delighted to feel the rush of wind through their hair again and to enjoy the general thrill of being on a bike – which in this instance is similar to a rickshaw, but with the person pedalling sat behind the passengers. With a pilot from Cycling Without Age doing both the pedalling and steering, residents were able to sit back, relax and enjoy the tour taking in the sights of the estate, which includes a vibrant mixture of farm animals, greenery and wildlife thanks to its extensive grounds. The trishaw is now permanently established in the local community, providing residents of the estate with the opportunity to enjoy regular bike rides, courtesy of the scheme’s volunteer pilots.
Charlie Hoare, Director of the Huntington & Langham Estate commented: “At the Huntington & Langham Estate we are always exploring ways to help our residents to continue to experience and enjoy the things they love in life. We’re also huge advocates of the outdoors and we do all we can to connect our residents with outside. We’re blessed to have vast grounds at the estate, which provides a great deal of enjoyment for people who live here. Last year, I was astounded to learn we had the Barry - the original trailblazer of the acclaimed off-road cycling route in Surrey known as ‘Barry Knows Best’ – living with us at the home.”
Charlie continued: “He’s a true pioneer of the Surrey mountain biking scene and a celebrated local mountain biker, who’s a prime example of a resident who would love to experience the sensation of a bike ride again – so we explored the options that would allow Barry to do so. That’s when we discovered Cycling Without Age; a charity which looks to facilitate just that. This brilliant scheme has also given us another resource to help our residents enjoy the beautiful outside space of the estate.”
Caroline commented: “We are so pleased we are able to contribute to the wellbeing of the residents by providing a different experience which further encourages enjoyment of the outdoors and certainly puts some smiles on everyone's faces, including ours!”
Charlie Hoare added: “It’s a tremendous initiative and we’re delighted to get involved. We have a unique outdoor environment on the estate, including a variety of farm animals and other outdoor attractions. Being able to take residents on bike rides just serves to open up even more opportunity for those who live with us, as well as those in the wider community through the Cycling Without Age Scheme.”