Cyber security at SH:24

Last week a major ransomware attack (WannaCry) infected over 230,000 computers in over 150 countries harnessing a weakness in out-of-date Microsoft software.

Victims of the attack included many large businesses as well as the NHS - as was widely documented in the media. Although many NHS Trusts were affected (which caused major disruption such as the cancelling of operations) it was a small proportion of the overall services provided by the NHS which were running up-to-date versions of Microsoft software.

The attack is an important reminder of why it is important for any organisation that utilises the power of digital (most these days) to treat cybersecurity as a number 1 priority - which we always have done and will continue to do at SH:24.

SH:24 was affected in no way by the ransomware attack. All of our computers were up-to-date and therefore not vulnerable to the attack.

However, more importantly the way we store our user information is geared towards ensuring it remains confidential and secure - so that in the event of such a ransomware attack it would not threaten the security of our data.

When we were designing the service users told us that the confidentiality of the information they supply when ordering a test must be paramount - which mirrored our own feelings and the requirements of the bodies that regulate services like ours.

At SH:24, no personal identifiable data (PID) relating to our users’ orders are kept on individual computers - all PID is stored in highly secure and resilient datacentres hosted by one of the UK’s leading suppliers in this field. Added to that no PID is contained within the kits we send out (as is frequently the case for home testing services).

Our clinical team (who support results notification and the management of orders) can only access the data using a 3-step authentication process - which mirrors the level of security used for internet banking.

When it comes to our website we have a rigorous approach to updates so that it’s both the best it can be functionally and security wise. Any critical security updates are updated immediately and non-critical updates on a weekly basis.

In addition to a 24/7 IT support team team monitoring and testing the health and security of our service we also undertake a range of other frequent measures to test the robustness of our information security. This includes commercial penetration testing where professional testers try to identify vulnerabilities in the service, external information governance audits, and disaster recovery exercises - to name but a few. Since the service went live in early 2015 we have had no security breaches nor identified vulnerabilities to user data.

We take the security of our service as seriously as you would expect us to and we’ll continue to monitor and proactively work to mitigate the risk of potential security risks to the SH:24 service - if you have any questions about our data security do drop us a line: info@sh24.org.uk.