Kabir Ahmed, Commercial Manager at Wesleyan Financial Services, discusses the cyber security concerns every practice should plan for.
GP surgeries are no strangers to managing and adapting to meet their patients’ needs. The duty of care to those they serve is paramount.
But keeping pace with the latest in practice systems and technologies can often take lower priority.
With the rise of more sophisticated cyber-attacks, and the unknown implications of AI on the industry, failure to keep up when it comes to technology and cyber security poses a significant risk. At best, a surgery is lucky and doesn’t face any threats, but in the worst case, it could be exposed to serious data breaches, long-lasting reputational damage and loss of patients and contracts.
Systems and software
Most GP surgeries operating through the NHS will have a contract that sets out services they must provide. This will usually include maintaining records and having the right technology and systems in place to run the practice.
As a minimum, each surgery typically has a website, a patient contact form, telephone lines, an appointment book, a mobile app, and patient login systems.
That’s just the public-facing side. Behind the scenes there is software to manage payroll, systems to help with management finances and HR, and tools to keep track of day-to-day practice running costs. The amount of software required is huge, and will hold hundreds of thousands of pieces of data. With almost every aspect of this maintained online and essential to running a practice, GP practices are left exposed to fraud and cybercrime.
A two-fold threat
Cyber criminals aren’t ethical in their targeting, and attacking GP surgeries can be lucrative. For practices, this threat usually falls into one of two categories.
The first one relates to patients. Breaking into patient records and accessing information, particularly sensitive data, can be hugely damaging for a surgery, but sadly, profitable for a cyber-criminal.
The second threat relates to the practice and its staff. There is the chance that the technology used to support the running of the practice, such as appointment booking systems or HR software for confidential staff information, can be compromised.
Not only does this pose a threat to the day-to-day operation of the business, but it can also cause considerable anguish to the colleagues who may be victims of subsequent crimes.
Three steps to a more secure system
When it comes to enhancing security, the first step is looking at cyber defence. Practice managers and owners should make colleagues aware of the potential threats and challenges.
This could be as simple as not digitally recording patient information outside of official systems, or making sure everyone is adhering to best practices around updating passwords and is alert to suspicious email traffic. It can also be worth factoring in physical security, such as keycards. Assigning responsibility to someone who will do regular security checks and share reminders with the team can be useful.
The second step is around managing your risk. Monitoring and logging incidents and near-misses may help to identify patterns or expose wider concerns that warrant a closer look. Each breach should be properly investigated to avoid it happening again. Defending what you’ve got, and having a robust plan in place to deal with a breach should one occur, is essential. These plans should include clear actions to keep the practice running smoothly, plans to manage patients and an external and internal communications plan.
The third step is around understanding what support you have in place and what extra backup you might need.
While some contracts with providers might cover you for cyber-attacks, others might not. Similarly, your contract with the NHS may cover any NHS-related data stored on NHS systems, but may not extend to the same data being used on other platforms. Take the time to understand what your obligations are in protecting the data you use and, if you’re exposed, speak to an insurance expert. There are also cyber security insurance policies available that can help provide another layer of support and advice should an attack happen.
Taking stock of vulnerabilities and putting cyber security back at the top of the agenda is critical for all GPs. Those that need extra help should speak to an expert who can help them protect their patients and their practice.