A leading cyber expert at the NHS has set out his top security tips for health and social care workers ahead of Cyber Security Awareness Month.
Mike Fell joined NHS Digital in April 2022 as the organisation’s new Executive Director of National Cyber Security Operations – having previously worked in senior security roles at HM Revenue and Customs (HMRC) and the Foreign and Commonwealth Office.
Mike said: “From email and social media to online banking and shopping, it has never been so crucial to take vital cyber security steps to prevent criminals getting hold of data, devices and accounts.
“Here in the NHS, getting cyber security wrong has the potential to cause significant impacts across the health and care system.
“If a GP can’t access their system, they may not be able to share life-saving prescriptions with pharmacies or critical information with hospitals. Similarly, cyber attacks can cause cancelled appointments and surgeries, possibly resulting in care diversion to other hospitals.
“Cyber security is as important as health and safety, and in just the same way it’s the responsibility of every person in the NHS to understand security risks and what they can do to reduce them. Fortunately there are a few simple steps we can all take to ensure we stay cyber resilient at home and work.”
Here are Mike’s top tips:
- Use a strong password: The longer and more complex your password, the more difficult it is to crack. Passwords should be easy to remember, but difficult for someone else to guess. The National Cyber Security Centre (NCSC) suggests you: “make sure that somebody who knows you well could not guess your password in 20 attempts”. NCSC also recommends combining three random words to create a single password, or you could use a password manager.
- Beware of phishing scams: Cyber criminals can use email, websites and phone calls as a way to steal your information. They are getting cleverer and more realistic, so watch out for warning signs such as incorrect branding, spelling mistakes, an email address with an irregular format, suspicious hyperlinks and an urgent title or request. And be sure to report any suspicious emails as an attachment to [email protected]
- Be mindful of what you share: Do not share or wear your ID pass out in public or show it on social media. Social engineering is when criminals use tricks or deception to manipulate people into giving them access to data or systems. The more information you share about yourself online, the easier you are to socially engineer.
- Watch out for tailgaters: Tailgating is a physical security breach where an unauthorised person gains entry to protected areas by following a member of staff through security barriers like doors and gates. Don’t be afraid to ask for ID. Insider threats are real, so don’t be scared to challenge.
- Keep up to date with data training: Knowing how to handle data will reduce the risk of service disruption. Data breaches can lead to fines, disruption to services and reputational damage. Make sure you understand and follow the latest guidance around data sharing.
- Lock it down: Never leave your computer or mobile device unlocked. It is much easier to abuse an unlocked laptop than it is to hack into a network.
- Stay safe when using public WiFi: Do you know what network you are really connecting to?
- Make use of the excellent resources available: NHS Digital’s Keep I.T. Confidential campaign is a fantastic way to help organisations promote good cyber security across their workforce. The campaign has an online security awareness toolkit which includes practical steps that staff can adopt into their everyday job, such as setting secure passwords, keeping devices locked when they’re not in use, and being aware of phishing, email scams and social engineering.
Mike added: “I understand how busy everyone is across the NHS right now, but I would encourage everyone to make sure cyber security is a top priority.
“Once you start taking these small steps, they will become a natural part of your day-to-day work, which will in turn help to make a massive difference to protecting crucial information as well as the safety of patients.”