Defend as One: UK Cyber Security Strategy for Health and Adult Social Care to 2030

The UK Department of Health & Social Care (DHSC) recently released their “Cyber Security Strategy for Health and Adult Social Care to 2030”, the latest cyber policy plan outlining the primary goals and objectives to achieve cybersecurity resilience and better health outcomes in the coming years. This… Read More

The UK Department of Health & Social Care (DHSC) recently released their “Cyber Security Strategy for Health and Adult Social Care to 2030”, the latest cyber policy plan outlining the primary goals and objectives to achieve cybersecurity resilience and better health outcomes in the coming years. This comes on the heels of the British government releasing their national Cyber Security Strategy for 2022-2030, which placed an emphasis on individual public sector organisations making a concerted effort to harden their cyber defenses.

As outlined in this post and illustrated through the strategy’s engagement of all levels of the health sector, the DHSC has made it clear that you’re only as strong as your weakest link. It is of paramount importance to establish this strength, and as discussed throughout the Strategy to 2030 and specifically in the CAF’s third objective below, healthcare organisations must ensure their capabilities effectively defend and detect cybersecurity events with the potential to affect essential functions.

Automated security control validation through breach and attack simulation (BAS) is a means for putting this vision into action. AttackIQ’s Security Optimization Platform is a leading BAS offering for the healthcare sector. Our platform supports the automation and operationalization of the MITRE ATT&CK framework, providing organisations with a powerful capability to continuously test, measure, and validate healthcare enterprise security programs. AttackIQ has delivered better security outcomes and real business value for British and American healthcare companies like Bupa and Prime Health, as well as many others.

The alignment to MITRE ATT&CK and automated testing makes sense given how the DHSC’s strategy leans on adopting the National Cyber Security Centre (NCSC)’s Cyber Assessment Framework (CAF). That framework outlines four objectives as the standard for success moving forward:

  1. Manage security risk, ensuring appropriate structures, policies, and processes are in place to manage risks to systems supporting essential functions
  2. Protect against cyberattack, ensuring proportionate measures are in place to protect systems supporting essential functions from cyber attack
  3. Detect cyber security events, ensuring capabilities effectively defend and detect cyber security events with the potential to affect essential functions
  4. Minimise the impact of cyber security incidents, ensuring capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions

Building off these objectives, the DHSC Strategy to 2030 puts forth its own pillars for cyber maturity and resilience in health and social care:

  1. Focus on the greatest harms and risks
  2. Defend as one
  3. People and culture
  4. Build security for the future
  5. Exemplary response and recovery

This isn’t the first cyber initiative the DHSC has proposed, but it may be the most ambitious. In the past year alone, the NHS (which falls under the DHSC) has released two cyber-related policy papers – “Data Saves Lives” and “A Plan for Digital Health and Social Care”. The Data Saves Lives strategy sets out “plans to harness digital efficiency and data to improve outcomes, while maintaining the highest standards of privacy and ethics and taking targeted action to build public trust around how we use data in the NHS”. Meanwhile, the Plan for Digital Health and Social Care puts forth “a vision and action plan to digitise health and care services and connect them to support integration, using this platform to transform, enabling fundamentally new care models”.

These plans serve as positive stepping-stones in helping to understand the role cybersecurity plays in garnering public trust in technology and digital services, but it’s clear that the latest strategy goes the furthest in putting cyber defense into practice. If anything, together these plans show the priority the DHSC has placed in shoring up their security infrastructure, following the lead the UK Government set forth through their national Cyber Security Strategy.

The DHSC releases a new strategy every 5 years, and this version is the most sophisticated and calculated to date. While the Government Cyber Security Strategy justifiably takes a broader, overarching approach applicable to all government sectors, these pillars reveal the DHSC’s focus on prioritizing risks specific to healthcare, and heavily stresses the importance of a unified, community-based approach to cybersecurity across the health system and promotion of public trust in digital services.

In recognition of the vast scope and variability of security needs, the DHSC aims to build resilience through collaborative engagement at all levels of the health sector, in part to avoid compounding risks in the event of an attack due to interdependencies between systems, while also distancing itself from “one size fits all” defenses. To put the wide range of needs into perspective, the plan states, “In secondary care, this technology includes diagnostic machines such as imaging scanners and systems that let hospitals know which beds are free, while in primary care this includes patient booking systems, call and recall facilities, and electronic prescription services. For adult social care organisations, it is technologies such as digital care records and acoustic monitoring systems that are enabling more responsive, joined-up care”.

A primary distinction between past plans and this one is the advancement the health sector has made in cyber threat intelligence, and this strategy details the challenges specific to the sector that must be the focus upon implementation:

  • High operational pressures
  • Large, complex and autonomous sector
  • Supply chain vulnerabilities
  • Unclear accountability and ability to influence
  • Limited cyber workforce
  • New digital, data and technology
  • Legacy technology

As well as the sector’s greatest threats:

  • Ransomware
  • Phishing and other malicious emails
  • Automated scanning for common software vulnerabilities
  • Attempted fraud

As UK healthcare organisations look to adopt the standards set forth in the DHSC’s strategy, it is once again worth noting the importance of continuous testing of security controls, personnel, and processes against the tactics and techniques in the MITRE ATT&CK framework. With AttackIQ, you can find performance gaps, strengthen your security posture, and improve your incident response capabilities, and the platform’s automation allows it to work automatically, at scale, and in production. AttackIQ assesses your cybersecurity readiness, validates that your enterprise security systems are performing as originally intended, and elevates the security performance of even the largest healthcare organizations.