The last few years have seen a rise in cyberattacks on the healthcare sector. In 2017, ransomware WannaCry impacted at least 80 NHS trusts in the UK and, globally, around 200,000 machines in over 100 countries. The attack cost the UK £92million. More recently, the National Cyber Security Centre (NCSC) reported that it prevented a total of 723 incidents to the UK health sector between September 2019 and August 2020, a 10% increase on the previous year. Medical devices are also becoming more commonly targeted in cyberattacks, either as the end target or a gateway to an organisation’s wider network.
Now more than ever, having a considered approach to information security is crucial. In this blog, we discuss how achieving ISO 27001 certification can help improve healthcare cybersecurity.
What is ISO 27001?
ISO/IEC 27001 is a globally-recognised standard for managing risks to your information security. The ISO 27001 framework helps organisations build and maintain a comprehensive information security management system (ISMS), identifying potential risks and planning actions to mitigate them accordingly.
How can ISO 27001 certification improve healthcare cybersecurity?
Clear policies and procedures
Historically, the responsibility for information security within a business often fell to one person, such as a CIO or someone within their team. Over recent years, it has become more and more important that everyone in an organisation fully understands and accepts their role in protecting organisational data.
When built in accordance with ISO 27001, an ISMS should include policies and procedures such as your business’s clear desk policy, password policy etc. These required policies for ISO 27001 certification ensure that everyone in the company knows their role in protecting information and reducing risk, rather than this responsibility largely falling to one person.
Investing in ISO 27001 certification can improve your organisation’s reputation. The standard isn’t a self-certification process; success relies on external auditing and businesses must undergo recertification annually. Full certification must be achieved again after three years, so customers and prospective customers can be assured that your ISMS is consistently updated, assets are accounted for and risk assessments are regularly reviewed.
Additionally, many industries now have stringent regulations in place for suppliers and partners. Having ISO 27001 certification will prove that you take information security – and healthcare cybersecurity – seriously, ensuring your organisation is considered for tenders or partnership opportunities.
Supply chain protection
In line with ISO 27001 control A.15, supplier relationships, you’ll need to agree information security requirements to mitigate the risk associated with each supplier’s access to your organisation’s assets. Your supplier agreements should have data protection elements integrated into them, including incident management, legal regulations, staff screening and more.
By implementing controls to monitor and audit your supplier service delivery regularly, you can reduce risk to your organisation and strengthen your overall supply chain.
A key part of the ISO 27001 certification process is defining your assets. This means you can review each asset and any associated risks, followed by a thorough risk assessment and a risk treatment plan. Having this risk management process in place enables you to mitigate the impact to your organisation should a risk scenario occur.
For example, malware and ransomware from threat actors could be considered a risk to medical devices that are connected to the internet. To alleviate this risk, you can apply detection, prevention and recovery controls to protect against malware. In addition, you should combine this with user awareness training, and establish and implement rules regulating the installation of software by users, which would reduce the residual risk score to ‘tolerable’.
Improving healthcare cybersecurity
In the current landscape, it’s crucial to take steps to improve your organisation’s cybersecurity and mitigate any identified risks. The elements of ISO 27001 mentioned in this blog will help you to protect your data, as well as that of your patients and suppliers. Implementing the full ISO 27001 framework and achieving certification offers significant additional benefits – such as improving your organisation’s reputation and bolstering your supply chain.
Looking for a platform to automate your ISO 27001 framework and achieve certification quickly and easily? Book your Hicomply demo today.
In addition, if you are based in the UK and want to adopt the NHS Data Security and Protection Toolkit (DSPT), we can also support you.