Healthcare companies in the UK can now access government funds to improve the cybersecurity of their products. Digital Infrastructure Minister, Matt Warman, has announced that £500,000 in funding has been made available by the government. It comes after the National Cyber Security Centre (NCSC) warned that the pandemic had increased attacks by cyber gangs. It says that they are: “attempting to steal sensitive intelligence, intellectual property and personal information from pharmaceutical companies and medical research organisations.”
Announcing the funding, Warman said: “We know there is a heightened cyber threat for healthcare businesses at the moment so we are releasing new funding to help those playing a vital role in the pandemic response to remain resilient.
“I also urge all organisations to sign up to the government’s Cyber Essentials programme which contains a number of simple steps firms can take to get the fundamentals of good cybersecurity in place.”
What does the deal offer healthcare firms?
Read deeper into the announcement, and this is not about a handout. Companies cannot expect to receive a cheque to spend as they choose. The government has limited what the money can be spent on.
The funding is to support cyber certification and training. The goal is to help medical suppliers and primary care providers get Cyber Essentials certified. The main focus is on devices and security training for employees and administrators.
The funding will also give those who apply access to support from a cyber expert. They will help an organisation understand its cybersecurity risks and develop the appropriate business continuity plan.
What is missing from this funding is training for developers and system architects. There is no direct access to penetration testing, which will identify what routes a cybercriminal can use to get into a system. It also fails to talk about data classification and encryption.
Enterprise Times: What does this mean?
Healthcare is one of the largest employers in the UK. Across both the public and private sector, it employs over 3 million people and contributes over £70 billion to the UK economy. It boasts a large number of SMEs involved in research, often focusing on a single disease. Given the potential revenue from developing a new drug, the industry is generally much better than other sectors when it comes to data security.
However, COVID-19 has brought much focus on the sector. Attacks from state-sponsored cybercriminals seeking access to intellectual property have soared. This has begun to expose weaknesses in the security of these organisations. What is worrying is the narrow focus of this announcement and the pitifully small amount of money on offer.
The NCSC says that Cyber Essentials will protect businesses from 80% of attacks. While that will protect against low-level cybercriminals, it is less effective against state-sponsored attackers. It is unclear, therefore, exactly what this push is about.
The UK government has also made it mandatory for all organisations bidding for central government and MOD contracts. It seems strange that there are so many SMEs that do not hold this certification. It will be interesting to see how many apply for this money and whether the government expands the funds and services it can be spent on.