
Building a cyber resilient service: guidance for directors of public health

This document aims to support you to develop proactive, protective strategies and capabilities to enhance the cyber resilience of your council services. Some recommendations are technical, some organisational and some are about your people.

Introduction

This page details supplementary guidance specific to council planning services. Full guidance and steps can be found in our guidance document.


Step 5: Be clear on why your service may be targeted

Consider the three categories of harm caused by a cyber attack: being robbed (theft of money, data, or intellectual property), being weakened (espionage, political interference, or prepositioning) and being hurt (ransomware and destructive or catastrophic attacks). 

  • Which of these motivations is most relevant to your public health team? 
  • What data do you have that makes your service vulnerable? 
  • Is special category data theft at the top of your list? 
  • Would there be special category data of value or other data of value? 
  • All councils control and safeguard digital data of interest to malicious actors, making them a target.[1] 

Public Health services, and teams within your directorate, are supported by a huge amount of special category personal data amongst all other data types. This amount and type of data makes your service vulnerable to cyber attacks and means the impacts to staff, residents and council services can be very damaging. Attackers may be looking to steal sensitive data for resale or to perpetrate further criminal acts, and you will be particularly vulnerable to extortion from criminals who recognise the criticality of this data and the need to keep services running.   

In the context of public health, protecting special category data is of utmost importance for several reasons:

  • privacy and dignity
  • legal and ethical obligations
  • informed consent
  • trust and public confidence
  • preventing discrimination and stigmatisation
  • data security and breach prevention
  • research integrity
  • individual rights and empowerment.

Figure 1: Commonly held Public Health services data

 

  • Personal details – Names, addresses, gender, dates of birth, and contact details for the individual.
  • Contact details – Name and contact details of any person with parental responsibility, or who has care of an adult/child at any time.[2]
  • Health data – NHS number, name and contact details of any person providing primary medical services in relation to a child/adult. [3]
  • Social care data – Adult/Child level data, information about any safeguarding concerns, child protection plans, and any involvement with Public Health social care services.
  • Public Health data – Information about any court orders or Public Health proceedings related to the individual.
  • Health Promotion and Education – Campaigns to promote healthy behaviours.
  • Educational programmes on topics like nutrition, exercise, and sexual health.
  • Immunisation Programmes – Management and promotion of vaccination programmes.
  • Disease Surveillance – Monitoring and reporting of infectious diseases and other health indicators.
  • Environmental Health – Monitoring and controlling factors that can affect public health, such as air and water quality, food safety, and sanitation.
  • Health and Wellbeing Strategy – Developing strategies to improve the overall health and wellbeing of the local population.
  • Health Inequalities Reduction – Initiatives to address and reduce health inequalities within the community.
  • Mental Health Services – Promotion, prevention, and treatment services for mental health.
  • Maternal and Child Health Services – Antenatal and postnatal care, child health clinics, and family planning services.
  • Emergency Preparedness and Response – Planning and coordination for public health emergencies and pandemics.
  • Data Collection and Analysis – Collecting and analysing health-related data to inform decision-making.
  • Public Health Reporting – Regular reporting on the state of public health in the local area.
     


Step 6: Be clear on the impact of a cyber attack

Below are a few examples of the way in which a cyber attack could affect your service area and things you should consider when preventing or recovering from a cyber attack:

 

Figure 2: Example of service impact on public health services

During a cyber attack you may have no access to the internet or your networks within which documents are stored. You need to consider how the loss of internet access might affect your critical services, and how you could keep them running – you may need alternative manual processes in place to keep a skeleton service operational.

An example of a service-level impact from a public health perspective would be that a cyber attack would potentially compromise communication systems within healthcare organisations.

This would seriously hinder the coordination among healthcare professionals, leading to potential mismanagement of patient care, prescription errors, and almost certainly delayed responses to emergencies.

Things to consider:

  1. Which critical services operated by your team rely on internet access?
  2. Which of these critical services are prioritised to get back online first?
  3. Create offline records and plans for use during an attack and ensure all teams have access to them.

 

Figure 3: Example of financial impact on public health services

If a cyber attack were to impact your team’s services, it could affect the financial systems that you operate. For example, your systems may experience significant operational downtime as a result of the incident. During this period, healthcare services, including appointments, treatments, and administrative processes, come to a halt. The financial losses accumulate due to the inability to deliver and bill for services.

Things to consider:

  1. How long will the systems be down, and what is the potential impact on critical healthcare services, patient care, and emergency response during this period?
  2. What revenue-generating services are affected, and how will the backlog of postponed appointments, treatments, and procedures impact revenue and workload once systems are restored?
  3. How will communication breakdowns and compromised services affect the public's trust, healthcare professional coordination, and the reputation of the public health system?
  4. What are the financial implications of operational downtime, including emergency response costs, additional communication measures, and efforts to catch up on postponed services? Are there contractual obligations that may result in financial penalties?

 

Figure 4: Example of data impact on public health services

The attackers have access to comprehensive medical histories, including details of illnesses, medications, and previous treatments. This sensitive health information is at risk of being misused or sold on the dark web.

The cyber attackers threaten to publicly disclose the compromised data unless a ransom is paid. This adds pressure on your team to respond quickly to prevent the exposure of public health information.

Areas to consider:

  1. What types of data were compromised, and how sensitive is the information? Consider both personal details and medical records to gauge the severity of the breach.
  2. How many individuals are affected by the data breach? Assessing the scale helps estimate the potential impact on identity theft and fraudulent activities.
  3. How is the organisation responding to the breach, including considerations for paying a ransom, potential public disclosure, and efforts to rebuild public trust?
  4. What measures are in place to prevent future breaches?
  5. Consider strategies for regulatory compliance, identity theft prevention, and enhancing cyber security to mitigate the risk of future attacks.


Step 7: Be clear on ways to mitigate cyber risks

Table 1: Storing data

Theme Context  Areas to consider
Databases

As your service becomes more digital, systems will need to move online.

To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates. 

How regularly is software updated?

Who is responsible for update rollout?

How would your service operate without access to databases?

How do you seek assurance that software is up to date?

Cyber security measures

Implement cyber security measures on council hardware such as firewalls, antivirus software, and intrusion detection systems to protect against cyber attacks.

Does all hardware support updated systems?

How often does staff training take place?

 

Devices and networks

Storing and accessing data on personal devices or through a public, unsecure network could create vulnerabilities.

Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.

Do staff use personal devices to access sensitive data?

Are all staff in your service aware of potential vulnerabilities exposed by the use of public networks?

How often do staff delete data from their desktop?

Backups

Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. 

This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.

How often do backups take place?

Where are backups stored?

Are your team aware of how to access backups in case of an attack?

Who has access to backup data?

Which member of your team is responsible for this?

 

Table 2: Managing data

Theme Context  Areas to consider

Handling sensitive data

 

Due to the nature of the work your service delivers, you will be handling sensitive data on a day-to-day basis, both electronically and physically. 

Your team must take extra precautions to protect the sensitive information outlined above.

Are you aware of all the sensitive data your service holds? 

How are physical notes and records stored or destroyed?

What systems are used to store electronic records and information?

Access controls

 

To ensure this sensitive data is protected, you should implement access controls and restrict access to sensitive information only to authorised personnel. 

Training staff members on secure data handling is essential; ensure they are aware of their responsibilities in protecting public health data.

 

How is sensitive information stored in your service? 

How is it protected?

Who has access to data storage systems?

How often does your team review accesses?

How often does training take place?

How often are passwords changed?

Is multi-factor authentication in use across programmes?

Regular audits

Your service should be conducting regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g., ensuring data is only held for a relevant amount of time or is stored in the correct system. 

Keep track of any changes in data protection laws and update practices accordingly. 

How often do you audit your data management practices?

Who is responsible for organising this audit?

How do you seek assurance that effective audits have taken place?

 

Data protection regulations

 

In the UK, we operate within public health regulations for data management, mainly the General Data Protection Regulation (GDPR).

It is your obligation to ensure that your team complies with these data protection regulations to protect public health related personal data.

Are your team aware of the UK GDPR regulations and how they affect your work?

How often does proper staff training take place?

Record keeping

 

Accurate and up-to-date record keeping is essential in public health services to ensure that important information about public health and their families is available when needed. 

Records should be kept securely and in accordance with relevant legislation, and regular audits should be carried out to ensure the accuracy and completeness of the records.

How often do your team update records?

How are records stored and updated?

Risk management

 

Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of public health data. These risks should be added to the corporate risk register and raised to SMT.

How often do risk assessments take place in your service?

What contingency plans are in place for data breaches?

Are staff aware of data breach processes?

 

Table 3: Sharing data

Theme Context  Areas to consider

Collaboration and safeguarding

 

Sharing information enables practitioners and agencies to identify and provide appropriate services that safeguard and promote welfare.

However, information sharing must be done in accordance with relevant legislation.

Effective information governance practices, such as assigning responsibility for data management (DPO), providing training on data protection and confidentiality, and implementing secure IT systems and procedures, are essential to ensure that data is managed securely and appropriately. 

Who is responsible for data management and sharing in your service?

How often does training take place?

What procedures are in place to ensure effective and secure data sharing between teams and partners?

Do you feel confident that information is being shared safely by members of your team?

Consent

 

As set out in the Data Protection Act 2018, you do not need to seek consent before collecting, processing, or sharing information regarding public health who may be at risk. 

It is, however, considered to be good practice to inform a parent or carer when sharing data.  

You must also be clear about your purpose for sharing information.

Are all staff aware of consent rules and regulations?

Are your team clear on when they need to gain consent for sharing data?

Offline records

When assessing the risks to your service, you should also think about any partner organisations you work with, suppliers and any systems you have external links with. 

You will need to have a robust and prearranged process in place for sharing information securely, so nothing is shared inadvertently. 

In addition to this, most IT systems will have a process in place for restricting sensitive records but if you are working offline then you’ll need to consider additional security measures for these cases. 

Do you have processes in place for sharing offline information with partners?

What security measures are in place for sharing sensitive information?

 

Table 4: Awareness and training

Theme Context Areas to consider
Positive culture

A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. 

It will ensure that staff view cyber security as a business enabler rather than a hindrance, and that it is understood by all councillors and staff.

A positive culture contributes to the overall effectiveness, efficiency, and ethical conduct of your service.

Does your team speak openly and regularly about cyber security and risk?

Is it discussed at a board level?

How often does your service review the cyber security strategy?

How confident do your team feel with the strategy? 

Awareness

Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. 

By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.

Do you understand the awareness levels of cyber security within your team?

How can you ensure cyber risk is pitched correctly for various roles in your service?

Training

Cyber security training should be refreshed regularly. 

As a director you’ll be aware of the high demands on the staff within your service; however, this training must be prioritised to reduce the risk of a cyber attack.

 

How often does cyber security training take place in your service?

Is training appropriate for all staff at different technical levels?

 

Reporting

In order to create a positive cyber security culture in your service, all staff must be aware of the process of reporting a potential breach and feel confident to do so at all levels.

Do all team members understand the process of reporting a data breach?

Is there a service-wide communication strategy in place to report data breaches? 

What impact would a data breach have on your team?

Workforce

A large number of agency staff may be used by your service.

How can you integrate cyber secure practices into this temporary and externally managed workforce?

 

Table 5: Supply chain management

Theme Context Areas to consider
Co-ownership

Procurement practices should be co-owned by IT, procurement, and public health, which will ensure that products are understood from a business and technical perspective.

Do members of your team work closely with other teams during the public health process?

What barriers are in place during this process?

What needs to change in order to streamline this process?

Public Health

Your service should take steps to ensure that external providers are subject to rigorous public health processes that assess their security controls and measures. 

This may include assessing their security policies, performing security audits, and ensuring that they comply with relevant security standards and regulations.

Does your service consider cyber security in any public health process?

How do you seek assurance that this has taken place?

Contract management

Your service should consider including specific cyber security requirements and clauses in their contracts with external providers to ensure that security measures are in place throughout the duration of the contract.

Does your service include cyber security requirements within contracts?

How is this measured?

Monitoring and reporting

Regular monitoring and assessment of external providers' security practices should be conducted to ensure that they are maintaining a strong security posture.

How would you work with partner organisations if your IT systems were unavailable? 

How would you work with partner organisations if they were experiencing a cyber attack themselves?

 

Table 6: Legislative Implications (not exhaustive)

Law/ Regulation Cyber security Implications
Public Health Act 1936

Cyber security measures are needed for protecting health data collected, stored, or processed under this act.

National Health Service Act 2006

Robust cyber security measures are essential for securing patient information, medical records, and healthcare systems.

Health and Social Care Act 2012

The overall security of health-related data and systems is crucial, especially as local authorities take on public health responsibilities.

Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

Cyber security measures are required to safeguard patient data and ensure compliance with regulations regarding health and social care activities.

Public Health Act 2017 and Health and Social Care Act 2012

Cyber security safeguards the technological infrastructure supporting public health initiatives. As public health services increasingly rely on digital platforms and technologies, protecting these systems from cyber threats ensures the continuity and integrity of essential services outlined in these acts.

Freedom of Information Act 2000

Cyber security is crucial to maintaining the integrity of information held by public health services. 

Unauthorised access or manipulation of data could compromise the accuracy and reliability of information disclosed under freedom of information requests, impacting compliance with this act.

Human Rights Act 1998

Cyber security measures are essential to safeguarding individuals' right to privacy. A breach compromising health data could infringe on this right, leading to legal implications. 

Balancing the use of technology in public health with privacy considerations is crucial to align with the principles of the Human Rights Act.


 

Health and Safety at Work Act 1974

In the context of cyber security, this act extends to ensuring the well-being of employees in the digital workspace. 

Cyber security measures protect staff from potential risks associated with cyber threats, contributing to a safe and secure working environment.

Children Act 1989 and 2004

Cyber security is crucial in protecting the personal information of children involved in public health services. 

Ensuring secure handling of data is essential to comply with child protection laws and to safeguard the privacy and well-being of minors.

Mental Capacity Act 2005

Cyber security measures are necessary to protect the confidentiality and integrity of sensitive mental health information. 

Breaches could compromise the rights and well-being of individuals covered by this act, emphasising the importance of robust cyber security practices.

The Health and Social Care (Safety and Quality) Act 2015

Cyber security measures are necessary for safeguarding patient safety and healthcare quality data.

This includes protecting information related to healthcare standards and quality improvement initiatives.

The Human Medicines Regulations 2012

Ensuring the cyber security of data related to human medicines is critical. 

This includes protecting information on drug approvals, clinical trials, and safety monitoring.

The Health Protection (Coronavirus, Restrictions) (Self-Isolation) (England) Regulations 2020

Enhanced cyber security measures for handling sensitive data related to COVID-19, ensuring secure communication and data sharing.

Data sharing was a massive part of this regulation and was done so very badly. [4]