Comment / Covid-19 and cyber security

06 May 2020 Gabriel Currie

Covid-19 has had a huge impact on global healthcare systems. The NHS and wider health sector are under enormous pressures and focused on maintaining the delivery of patient care despite significant challenges. IT plays a key enabling role in the delivery of these services, and this IT must be secure and resilient.

2017’s WannaCry ransomware outbreak starkly demonstrated the impact that a cyber attack can have on healthcare. The incident affected at least 80 out of 236 trusts across England, with over 19,000 appointments cancelled, 1,220 pieces of diagnostic equipment infected, and a £92m price-tag. It spread through a Windows file-sharing flaw for which a security update had been available for two months, so much of the damage fell on systems that had simply not been patched. The impact of a comparable attack in the current situation could easily be far greater.

Guarding against new and emerging cyber threats is not solely down to cyber security teams. Finance leaders and non-executive directors (NEDs) also have a key role to play.

Increase in cyber risk

A cyber attack is arguably more likely right now: many organisations’ responses to the outbreak may have unknowingly increased their exposure, and attackers are circling. PwC believes there are three key cyber security issues to be aware of at this time:

  1. A rapid shift to remote working introduces new cyber risks. Technology stood up rapidly to support remote working may not have been tested as rigorously as usual and may have introduced security vulnerabilities. Furthermore, existing processes (for example, approvals that assume staff are on site) may no longer be effective with a remote workforce.
  2. Disruption to the workforce and suppliers caused by Covid-19 increases old cyber risks. Security functions (including those of third-party suppliers) may be less effective than usual as absence rates increase or staff are repurposed elsewhere. In addition, the wider workforce may be more vulnerable to attacks while their attention is focused on their own health and that of family and friends.
  3. Attackers are already taking advantage of the situation. We’ve seen a range of attackers exploiting these increased vulnerabilities, including state-backed hacking groups seeking to steal intellectual property and criminal groups seeking to conduct fraud or hold organisations to ransom.

In response to these challenges, PwC recommends that organisations should take three key actions to strengthen their cyber security defences.

First, ensure newly implemented remote working practices are secure. Ensure the systems the organisation relies on for remote working (such as VPNs, remote desktop gateways and collaboration platforms) have the latest security updates, are configured securely rather than left on default settings (for example, with strong authentication enforced for remote access and unnecessary features disabled), and are resilient enough to support increased usage. Identify where staff are using unapproved tools (for example for file sharing, communication or collaboration) and move them towards approved solutions. And confirm that existing security controls, such as monitoring and data loss prevention, still protect the new ways of working rather than only the office network.

Second, ensure the continuity of critical cyber security functions. Identify the organisation’s critical cyber security activities (including system and software updates, management of privileged and administrator access, and incident response), ensure they can continue to operate with reduced or remote staff, and implement monitoring to confirm that they actually are (for example, that patches are still being applied and that security alerts are still being reviewed). Where normal processes cannot be followed or cease to function, consider mitigating the risk through steps such as IT change freezes.

Finally, seek to counter opportunistic cyber threats that may be looking to take advantage of the situation. Gain an understanding of emerging cyber threats and adapt to them. This should include the increased risk of phishing (particularly Covid-19 themed lures), insider threat, and payment fraud such as requests to change supplier bank details. Consider targeted security communications to raise staff awareness, and deploy quick-win controls to improve technical defences.

Cyber priorities for finance leaders

Finance leaders and non-executive directors (NEDs) have a key role to play in cyber security, both in terms of ensuring appropriate investment given the operational context and threat landscape, and holding security teams accountable for effective and efficient delivery. Healthcare finance leaders and NEDs should consider asking information officers the following three questions:

  1. What’s the cyber risk? What are the biggest cyber security risks facing the organisation now, and what are the potential financial impacts of these (for example, increased resource requirement, professional services costs, regulatory fines or loss due to fraud)?
  2. How could cyber risk influence finance? How should cyber security risks guide investment now and in the medium to long-term?
  3. How could finance impact cyber risk? What potential cost cutting measures could put cyber security at risk (for example furloughing key staff, hiring freezes and redundancies, exiting third-party contracts, or programme delays)?

For more information on the impact of Covid-19 on cyber security and practical steps organisations can take, see PwC’s whitepaper, Managing the impact of Covid-19 on cyber security, or see guidance from the National Cyber Security Centre, including its five key questions for any board to ask its information and security officers.