Cyber for health and care

Over the last decade, technological advances and the shift towards digital first services is changing the landscape for the health and care system. The sector’s ongoing desire to meet increased technology demands, on what is already a creaking system, means there is more sharing of data (across organisations and the supply chain) all of whom have differing levels of maturity when it comes to security and resilience.

This therefore increases the risk and attack surface area, and if not carefully managed it can lead to serious security breaches and potential regulatory, reputational, and financial implications. This isn’t just a cyber problem, or an IT problem to resolve, but instead requires a holistic resolution, as recent history has taught us that when security issues occur, it effects the health and care systems ability to provide services to patients, and in turn can negatively impact the experience and outcomes for patients.

Our deep insight is already helping your colleagues test their ability to defend

Our Pen Testing services helped an NHS Trust identify critical vulnerabilities that meant an attacker could access patient data within 6 hours from a phishing campaign.

We know how to help you recover quickly when an incident does happen

We are the Health and Care Cyber Incident Response Partner of choice, and have responded to over 20 critical incidents. So we know what an attack looks like, how to respond, and stop it from spreading through the health and care system.

We can quantify and direct your focus on the greatest risks and harms impacting patient outcomes

We developed a Cyber Risk Investment Guide and Methodology for +200 healthcare providers, enabling limited local security investment resources to be targeted towards the biggest cyber risk reduction impact.

The current system challenges:

National and Regional Risk Visibility. As it stands, the system struggles to unify and collate national and regional views of cyber risk. Local health and care providers are responsible for cyber risk management and adopting tailored methodologies for their environment, but many are without the workforce or capability to do so effectively.

Supply Chain Resilience. Limited visibility and inconsistent risk management approaches are adopted by health and care providers, when understanding, managing, and assuring the security risks that arise from dependencies on external suppliers and resultant supply chains partners.

Workforce and Skills. A lack of sufficiently skilled cyber security professionals, both in the health and care system and wider UK market, makes it challenging for healthcare providers to attract and retain expertise required to support leaders in improving their organisational cyber security resilience.

Emerging/New Technologies. The pace of new digital, data and technology product adoption (e.g. AI and connected medical devices) has increased among health and care providers, presenting an ever increasing challenge to assure the cyber security resilience of new products against emerging international standards. Without assurance, every new technology can present a new risk to an organisation and the wider healthcare system’s ‘defend as one’ ambition.

Outdated/Legacy Technologies. The health and care system (at all levels) has a continued reliance on outdated and unsupported technologies, increasing the challenge to monitor and replace older technologies that are more vulnerable to cyber-attacks.

Governance & Regulation. Accountabilities for cyber risk are unclear within this decentralised, complex sector, which has led to uncertainties among health and care leaders on how to govern and assign appropriate resources to dedicate to their organisation’s cyber security resilience.

How can KPMG help?

Our Cyber Risk capabilities are helping the NHS to define, design and implement national and regional frameworks for cyber risk management, enabling organisations to standardise methodologies for quantifying risk.

KPMG can provide tooling for health and care organisations to quantify the impact of cyber risk investment decision making against policy outcomes, from defining metrics and measures, through to simulating cyber risk scenarios impacting an organisation.
Our Cyber Strategy team have helped national and local health and care organisations to develop their cyber strategies to align with the 2030 National Cyber Strategy framework.

This complements our Cyber Risk capabilities, enabling health and care organisations to prioritise improvement plans and develop cyber resilience roadmaps - meaning you spend money on activities that focus on the greatest risks and harms impacting your organisation.
Our Third Party Cyber Risk team are helping local providers navigate the identification and assurance of critical suppliers and resultant supply chains, from a security and resilience perspective.

We are pivoting organisations to adopt a data driven, automated approach to routinely managing and assuring the data and information security risks posed by their organisations’ most critical suppliers. This is executed by collating a single data repository of dependent suppliers, their risk information and resultant supply chain partners, embedding KRIs to track and continually measure risk assurance against an organisations wider risk environment.
Our Data Science team have helped define a national model and methodology for a coordinated system approach to critical supplier identification and model for critical supplier management.

Driven by risk criticality and appetite for directly managing and assuring the resiliency of suppliers in a decentralised and autonomous system.
Our Learning and Workforce capabilities are the largest in Europe, and are supporting the public sector to understand current challenges and drivers for attracting and retaining cyber skills.

Our Strategic Workforce Planning tool is powered by AI and enables organisations at all layers of the health and care system to adopt a data driven approach in understanding and forecasting future workforce and skills priorities. Our cyber learning programme is being used to train and reskill specialist staff, alongside nurses and doctors.

Our cyber insights

SECURE

Governance and risk

The target operating model for cybersecurity in the NHS should be designed to effectively manage and mitigate cyber risks, protect sensitive patient data, and ensure the continuity of healthcare service.

SECURE

Privacy threats

The healthcare industry faces an increasing number of threats to privacy, cybersecurity, and resilience. Explore the threats that pose significant risks to privacy, cybersecurity, and resilience in healthcare.

TRANSFORM

2050 Healthcare

The year 2050 is often associated with a vision of advanced technology and significant societal transformations. Imagine how the healthcare system might evolve to meet the changing needs of individuals and communities.

TRANSFORM

Connected devices and services

The increasing use of connected medical devices in the National Health Service (NHS) has revolutionised patient care and improved treatment outcomes. What are the new challenges and threats to the security and integrity of healthcare systems?

TRANSFORM

Connected devices and services

The increasing use of connected medical devices in the National Health Service (NHS) has revolutionised patient care and improved treatment outcomes. What are the new challenges and threats to the security and integrity of healthcare systems?

ADOPT

Innovations and ethics

What is on the horizon for healthcare technology that is set to improve patient outcomes, enhance efficiency and enable accessibility? These innovations are set to revolutionise our approach to healthcare.

ADOPT

Safeguarding data

According to recent statistics, cyberattacks targeting healthcare organisations have increased by a staggering 350% since 2017. Explore essential steps healthcare organisations can take to create a cyber secure and resilient healthcare system.

ADOPT

Smart hospitals

A guide on the key considerations for building facilities that is technology advanced to create patient-centric environments.

ADOPT

Technology & care

Explore key elements that define the healthcare system of the future in light of transformative shift, rapid developments in technology and evolving patient expectations.

SECURE

Cyber security strategy

Safeguard patient data, protect critical infrastructure, and ensure uninterrupted delivery of care, a robust cyber strategy is crucial.

SECURE

Operations and efficiency

Adopt innovative approaches that can enable the NHS to improve patient outcomes, enhance efficiency, and address the complex challenges faced by the processes and systems that exist.

Why choose us?

Cyber issues are often complex and more than just a technological problem. This is why we bring multi-discipline teams, spanning technology, people (workforce and learning), standards, and governance skills, in order to support health and care organisations to measurably reduce cyber risk exposures, and increase resilience.

We accelerate this through cyber innovation, powered through technology and specialist insight into live and evolving cyber security threats. We can operate a Cyber Innovation Lab/Factory capability, enabling clients to build and implement the foundations of cyber security resilience, through exploring and piloting the risk consequences and opportunities presented by new digital, data and technologies. In the process, we look to build your in-house capability, transfer knowledge, and leave you better protected, and able to defend yourself going forward.

In the past year we have collaborated with over 50 different Health and Care providers, on a spectrum of security and resilience services which ranged from strategies, to testing, through to implementation and remediation.