Cyber for Health and Care

National and Regional Risk Visibility. As it stands, the system struggles to unify and collate national and regional views of cyber risk. Local health and care providers are responsible for cyber risk management and adopting tailored methodologies for their environment, but many are without the workforce or capability to do so effectively.   

Supply Chain Resilience. Limited visibility and inconsistent risk management approaches are adopted by health and care providers, when understanding, managing, and assuring the security risks that arise from dependencies on external suppliers and resultant supply chains partners. 

Workforce and Skills. A lack of sufficiently skilled cyber security professionals, both in the health and care system and wider UK market, makes it challenging for healthcare providers to attract and retain expertise required to support leaders in improving their organisational cyber security resilience.  

Emerging/New Technologies. The pace of new digital, data and technology product adoption (e.g. AI and connected medical devices) has increased among health and care providers, presenting an ever increasing challenge to assure the cyber security resilience of new products against emerging international standards. Without assurance, every new technology can present a new risk to an organisation and the wider healthcare system’s ‘defend as one’ ambition. 

Outdated/Legacy Technologies. The health and care system (at all levels) has a continued reliance on outdated and unsupported technologies, increasing the challenge to monitor and replace older technologies that are more vulnerable to cyber-attacks.  

Governance & Regulation. Accountabilities for cyber risk are unclear within this decentralised, complex sector, which has led to uncertainties among health and care leaders on how to govern and assign appropriate resources to dedicate to their organisation’s cyber security resilience.  

• Our Cyber Risk capabilities are helping the NHS to define, design and implement national and regional frameworks for cyber risk management, enabling organisations to standardise methodologies for quantifying risk. KPMG can provide tooling for health and care organisations to quantify the impact of cyber risk investment decision making against policy outcomes, from defining metrics and measures, through to simulating cyber risk scenarios impacting an organisation.  

• Our Cyber Strategy team have helped national and local health and care organisations to develop their cyber strategies to align with the 2030 National Cyber Strategy framework. This complements our Cyber Risk capabilities, enabling health and care organisations to prioritise improvement plans and develop cyber resilience roadmaps - meaning you spend money on activities that focus on the greatest risks and harms impacting your organisation.  

• Our Third Party Cyber Risk team are helping local providers navigate the identification and assurance of critical suppliers and resultant supply chains, from a security and resilience perspective. We are pivoting organisations to adopt a data driven, automated approach to routinely managing and assuring the data and information security risks posed by their organisations’ most critical suppliers. This is executed by collating a single data repository of dependent suppliers, their risk information and resultant supply chain partners, embedding KRIs to track and continually measure risk assurance against an organisations wider risk environment.  

• Our Data Science team have helped define a national model and methodology for a coordinated system approach to critical supplier identification and model for critical supplier management, driven by risk criticality and appetite for directly managing and assuring the resiliency of suppliers in a decentralised and autonomous system.  

• Our Learning and Workforce capabilities are the largest in Europe, and are supporting the public sector to understand current challenges and drivers for attracting and retaining cyber skills.  Our Strategic Workforce Planning tool is powered by AI and enables organisations at all layers of the health and care system to adopt a data driven approach in understanding and forecasting future workforce and skills priorities. Our cyber learning programme is being used to train and reskill specialist staff, alongside nurses and doctors.

Cyber issues are often complex and more than just a technological problem. This is why we bring multi-discipline teams, spanning technology, people (workforce and learning), standards, and governance skills, in order to support health and care organisations to measurably reduce cyber risk exposures, and increase resilience.  

We accelerate this through cyber innovation, powered through technology and specialist insight into live and evolving cyber security threats. We can operate a Cyber Innovation Lab/Factory capability, enabling clients to build and implement the foundations of cyber security resilience, through exploring and piloting the risk consequences and opportunities presented by new digital, data and technologies. In the process, we look to build your in-house capability, transfer knowledge, and leave you better protected, and able to defend yourself going forward.  

In the past year we have collaborated with over 50 different Health and Care providers, on a spectrum of security and resilience services which ranged from strategies, to testing, through to implementation and remediation.