Expanding the concept of Secure by Design for health and social care

on this page

Sophia Kladaki, Lewis Hodges, and Isobel Drever look at how health and social care organisations can become more cyber resilient by adopting a Secure by Design approach.

Cyber-attacks are on the rise, with the National Fraud Intelligence Bureau reporting that cybercrime during the COVID-19 pandemic cost UK businesses £2.4billion. With the pandemic demonstrating how reliant we are on our health and social care system, ensuring that its vast digital infrastructure is cyber secure is essential to maintaining high-quality services and protecting patient data.


The cyber threat continues to evolve, meaning information systems which were once deemed secure may not be resilient to future attacks. Devices or networks once considered business critical may become less so as new digital solutions are introduced. A Secure by Design approach, which builds and embeds security into systems from the outset, enables organisations to implement a proportionate and risk-based approach which manages security information throughout its entire lifecycle.

Secure by Design – assurance throughout the lifetime of an asset or capability

In 2018 the UK Government published its Secure by Design report and used the term to describe how security controls can and should be embedded into products and services during the design phase. This is sound guidance, but perhaps fails to consider ever-changing environments and threats. Instead, organisations can adopt a broader concept of Secure by Design, one which supports continual risk assessments of assets and capabilities. This approach considers how security threats evolve over time and can make allowances for this in the business case. This broader Secure by Design approach would also better utilise the technical expertise within an organisation, by involving subject matter experts more regularly throughout the risk management process.

At first glance, this might seem like a costly endeavour, but routine risk assessments can improve investment decisions. For example, an NHS Trust might have a long-standing subscription for expensive end-point protection on its computer network – a measure deemed essential for delivering patient care. However, over time, this network may become less critical due to the increased availability of viable alternatives. By reassessing the risk, the system owner can make an informed decision about whether to continue the subscription, make a technical change or decommission the network altogether.

Creating a Secure by Design environment

To implement this approach, there are three key elements that should be considered: a cultural shift towards risk-based decision making, the governance and business processes which enable the approach, and cultivating a digital mindset.

A cultural shift to risk-based decision making: The Secure by Design approach asks system owners to make pragmatic security decisions over the lifetime of an asset, by choosing security measures based on the perceived threat and impact of an attack. This approach doesn’t just ask the system owner to think differently, it also asks the organisation to embrace new ways of working which are characterised by trust and a willingness to deviate from the security checklist when justified. It may feel counterintuitive to abandon the rule book, but if said rules were written five years ago, they may no longer offer the greatest protection. To be proportional, decisions need to be risk based rather than rules based.

Governance and business processes: We recognise the importance of governance and business processes, particularly when patient data and the protection of health may be stake. They play a key role in the Secure by Design approach, but rather than being overly prescriptive, they are used to set safe parameters. They provide a framework for managing security within complex organisations like the NHS, while providing the latitude for effective decision making. Clear governance also has a key role in establishing accountability for through-life security risk management.

Digital mindset: Finally, it would be easy to misinterpret a digital mindset as one which requires a substantial amount of technical understanding. However, in this case, we are referring to a more general awareness within the workforce of the digital ecosystem, including its benefits and its risks. This expands beyond an isolated product or a service. It includes all those who interact with the capability, from the supplier who provided the microchip to the patient wearing the device.

The new Integrated Care Systems (ICSs) and Integrated Care Boards (ICBs) provide a window of opportunity to reassess the risk management approach across the health and social care sector. As regions transform to embrace this new construct, now is the right time for policymakers and healthcare leaders to ensure a Secure by Design approach is advocated to protect both staff and patients alike.

Previously published in Politics Home.

 
DISCLAIMER

Please note that you are now leaving the AtkinsRéalis website (legal name: AtkinsRéalis Group inc.) and entering a website maintained by a third party (the "External Website") and that you do so at your own risk.

AtkinsRéalis has no control over the External Website, any data or other content contained therein or any additional linked websites. The link to the External Website is provided for convenience purposes only. By clicking "Accept" you acknowledge and agree that AtkinsRéalis is not responsible, and does not accept or assume any responsibility or liability whatsoever for the data protection policy, the content, the data or the technical operation of the External Website and/or any linked websites and that AtkinsRéalis is not liable for the terms and conditions (or terms of use) of the External Website. Further, you acknowledge and agree that you assume all risks resulting from entering and/or using the External Website and/or any linked websites.

BY ENTERING THE EXTERNAL WEBSITE, YOU ALSO ACKNOWLEDGE AND AGREE THAT YOU COMPLETELY AND IRREVOCABLY WAIVE ANY AND ALL RIGHTS AND CLAIMS AGAINST ATKINSRÉALIS, AND RELEASE, DISCHARGE, INDEMNIFY AND HOLD HARMLESS ATKINSRÉALIS, ITS OFFICERS, EMPLOYEES, DIRECTORS AND AGENTS FROM ANY AND ALL LIABILITY INCLUDING BUT NOT LIMITED TO LIABILITY FOR LOSS, DAMAGES, EXPENSES AND COSTS ARISING OUT OF OR IN CONNECTION WITH ENTERING AND/OR USING THE EXTERNAL WEBSITE AND/OR ANY LINKED WEBSITES AND ANY DATA AND/OR CONTENT CONTAINED THEREIN.

Such waiver and release specifically includes, without limitation, any and all rights and claims pertaining to reliance on the data or content of the External Website, or claims pertaining to the processing of personal data, including but not limited to any rights under any applicable data protection statute. You also recognize by clicking “Accept” that the terms of this disclaimer are reasonable.

The information provided by Virtua Research cited herein is provided “as is” and “as available” without warranty of any kind. Use of any Virtua Research data is at a user’s own risk and Virtua Research disclaims any liability for use of the Virtua Research data. Although the information is obtained or compiled from reliable sources Virtua Research neither can nor does guarantee or make any representation or warranty, either express or implied, as to the accuracy, validity, sequence, timeliness, completeness or continued availability of any information or data, including third-party content, made available herein. In no event shall Virtua Research be liable for any decision made or action or inaction taken in reliance on any information or data, including third-party content. Virtua Research further explicitly disclaims, to the fullest extent permitted by applicable law, any warranty of any kind, whether express or implied, including warranties of merchantability, fitness for a particular purpose and non-infringement.

The consensus estimate provided by Virtua Research is based on estimates, forecasts and predictions made by third party financial analysts, as described above. It is not prepared based on information provided by AtkinsRéalis and can only be seen as a consensus view on AtkinsRéalis' possible future results from an outside perspective. AtkinsRéalis has not provided input on these forecasts, except by referring to past publicly disclosed information. AtkinsRéalis does not accept any responsibility for the quality or accuracy of any individual or average of forecasts or estimates. This web page contains forward-looking statements based on current assumptions and forecasts made by third parties. Various known and unknown risks, uncertainties and other factors could lead to material differences between AtkinsRéalis' actual future results, financial situation, development or performance, and the estimates given here.



Downloads

Trade releases