Protecting front-line healthcare services

Author: @SarahASmith75

As the situation with COVID-19 continues to develop, this is putting a strain on the availability and continuity of healthcare services.

Whilst it is generally accepted that social-distancing can slow the velocity of infection; the number of cases is set to rise over the coming weeks and months. Those most at risk are elderly and/or have underlying medical conditions. Healthcare professionals in regular contact with suspected and actual cases also increases the likelihood of them becoming ill and needing to self-isolate.

This increased demand and shortage of resources can lead to secondary incidents and failures, particularly with the availability of buildings, facilities and IT services.

So what can healthcare services do to protect themselves from the potential impact of COVID-19?

From a business continuity perspective, we will consider 3 key scenarios:

  1. Availability of buildings and facilities
  2. Availability of key IT systems
  3. Availability of key people
  1. Availability of buildings and facilities

As the number of people requiring treatment and hospitalisation rises, so does the demand for specialist buildings and facilities.

Intensive care facilities and ventilators require round-the-clock availability of power, which increases the potential for failure.

In addition, people in hospital for other reasons may need to be segregated to reduce their likelihood of exposure.

Things to consider:

  • Resilience of buildings to utilities failure
  • Testing of on-site and mobile generators 
  • Diesel storage for generators
  • Turning off non-essential services to reduce load
  • Physical separation and zoning of areas 
  • Increased cleaning and waste disposal to reduce secondary infection vectors
  • Use of hotels for staff and non-critical patients
  • Use of portable cabins or marquees for triage
  • Use of mobile catering units 

2.     Availability of key IT services

Not only is access to IT systems and data required for managing patients, it is also needed for reporting and modelling.

In crisis situations, IT systems and data are at risk from cyberattacks and data breaches as criminals look to exploit the situation or cause further disruptions.

Things to consider:

  • Ability to flex capacity and performance to meet demand
  • Proactive monitoring and system checks
  • Regular backups of systems and data
  • Security and awareness training
  • Ability to failover IT services in the event of failure or corruption
  • Ability to shut down non-essential services
  • Manual workarounds if key IT services not available
  • Use of third parties to provide additional IT support 

3.     Availability of key people

This goes beyond medical and care professionals and extends to ancillary staff to support the buildings, facilities and IT services.

When managing a crisis, people tend to work longer hours to deal with demand, but this can often be counter-productive due to fatigue and susceptibility to illness. 

Things to consider:

  • Prioritise essential and critical services
  • Perform key skills gap analysis
  • Perform additional training and awareness
  • Enforce strict breaks and rotation of shifts
  • Assess transport needs for staff and patients
  • Request additional support from private sector:
    • First aiders
    • Health and safety professionals
    • Security guards
    • IT professionals
    • Catering
    • Laboratory technicians
    • Child carers and teachers
    • Drivers

Vast numbers of people are being affected by COVID-19, either directly or indirectly.  It is vital to protect front-line healthcare services from buildings, facilities and IT failures, to ensure people can get access to the care and support they need. 

By working together, we can enable the continuity and availability of these essential services.

Thanks to @SarahASmith75 for creating this great post! We will be working out a wider process for volunteer submissions in the near future; in the meantime, please contact @UK_Daniel_Card or @LisaForteUK.

Supporting the world in cyber space

An unchartered path

We are working away in the background, as many of you can probably imagine, there are a huge rang of logistical challenges in our path. Healthcare (and other sensitive/critical services) is not somewhere where we can just rock up and start jumping on systems and networks, even just organisationally and from a comms point of view the challenges aren’t small. We want to make sure that as a group we can help no matter where we are.

A Force for Good

To this end we are formulating ideas for initiatives whereby we can support our healthcare services from an internet perspective.

Our thinking in this space is along these lines:

  • Phishing Reporting
  • Malware Analysis
  • OSINT/Threat Intelligence
  • Malicious Website Takedowns
  • COVID19 ‘Opportunity Abuse’
  • Social Media Amplification
  • Creation of helpful content around good cyber security guidance
  • Sharing of useful resources and trusted services

We are taking a cautious approach with how we enable this group, we are doing a huge amount of work talking with partners, volunteers and technical solution providers, but we also MUST ensure that the work we do is conducted inline with our mission to HELP (not hinder)! We’ve put together a code of conduct to help support this!

If anyone has any suggestions for other ways we can support, please get in touch with the team on the LinkedIn group.

Active Defences – Protective DNS

Introduction

The NCSC provide a range of services for public organisations (such as the NHS). Part of these include active defence services. One of these is protective DNS!

Protective DNS

Protective DNS acts as a sink holing mechanism to help prevent an unsuspecting web user from visiting a malicious site (such as a phishing site or one hosting malware). Well what’s that?

So DNS acts as an address book, you enter a URL e.g. www.google.com and your device does a look up to its name server, if the address exists it will return back a valid response. Now protective DNS is where rather than forwarding your requests to raw internet DNS servers, we use a managed service which has a constantly updated list of known malicious sites, etc. That way, if you try and visit a bad site, you get given a safe address and your device doesn’t even get there! Now my explanation here is really simple, it’s a bit more complex in reality. Luckily the team at NCSC have written up a far more in depth view of this.

https://www.ncsc.gov.uk/information/pdns

If you are a public organisation hopefully you’ve already got this and a load of other controls deployed, however I wanted to highlight this again, as if you are a public sector organisation you can request and leverage this as one of the ways to help prevent the impact of phishing and typos, etc. (I typo all the time!)

For those of you who are operating at a personal or business level, there are a range of commercial and free services available such as:

https://www.opendns.com/

https://www.quad9.net/

Another line of defence

So, no matter how big or small your organisation is, and if it is public or private you can implement protective DNS as one of the many controls required to keep you safe from cybercriminals. Remember, you need a layered approach to cyber security and protective DNS is just one of those that can be a great way to fight back!

Building the right foundations

In response to the initial concept we have had a huge level of response from volunteers. We do however realise that in order to be effective we need to have some structure and need to do a level of planning at the backend to ensure the following:

  • Healthcare providers are aware of the intent.
  • Healthcare providers know how to request support
  • That there is the appropriate processes and procedures in place to put HC providers in contact with volunteers

This list isn’t exhaustive, there are lots of things to consider when setting up a volunteer organisation, so please bear with us. We are in talks with both healthcare providers and government agencies to make sure we get this off on the right foot, that we have a suitable structure and that ultimately we can all help support our great healthcare providers in a manner which gives them the help and support they need, in the manner they need it.

Please bear with us as we develop and grow this, we are trying to move at pace but also ensure we focus on our primary objective of delivering actionable support to healthcare, we already are working with NHS trusts.

In the meantime we ask that people join our LinkedIn group whilst we co-ordinate across healthcare providers, volunteers, vendors and various agencies.