Cyber Awareness Month 2024

Cyber Hygiene: A Strategic Imperative for the HSE
Cyber hygiene encompasses a set of practices designed to secure the digital assets of patients and our wider organisation. It involves maintaining the security, health, and resilience of systems, devices, networks, and data to protect against cyber-attacks and data breaches.

For the HSE and wider connected healthcare organisations, ensuring that all staff understand these principles and follow them consistently is vital. As we know, the consequences of a cyber-attack in this sector—whether data theft, system breaches, or ransomware—can be devastating, not just in financial terms but also in terms of patient care, trust, and safety. As employees, it is our duty to ensure a culture of proactive cyber vigilance across all levels of the organisation.

Phishing: A Persistent and Growing Threat

Phishing attacks remain one of the most common methods for cybercriminals to infiltrate systems. These attacks often involve deceptive emails or websites masquerading as legitimate sources, aiming to harvest sensitive information such as passwords, banking details, or other personal data. Despite the deployment of sophisticated email filters, vigilance among employees remains essential.

For instance, in September 2024 alone, the Health Service Executive (HSE) processed 6.6 million inbound emails, blocking nearly 469,000 for various security reasons, including spam, viruses, and policy violations. Nevertheless, phishing attacks continue to succeed across the industry because human error is often the weakest link. Verizon’s data underscores that the median time for users to fall for a phishing email is less than 60 seconds.

It is therefore essential that all employees are educated in recognising the signs of phishing, such as suspicious email addresses, poor grammar, or requests from unknown senders. Notable examples include emails impersonating banks, delivery services, or legal authorities. To combat this threat, staff must undertake the Cyber training programme on HSELanD to help raise their skills in identifying risks and enable them to report any suspicious communications.

Social Engineering: Exploiting Human Trust

Social engineering represents a broader category of manipulation where criminals attempt to trick individuals into revealing sensitive information or granting access to secure systems. Unlike phishing, which primarily involves digital communication, social engineering can occur via phone calls, in-person interactions, or other forms of contact.

Common tactics include impersonating employees, exploiting perceived authority, or fabricating emergency situations to pressurise victims. A key defence against social engineering is ensuring that HSE staff can verify identities through secondary channels and refrain from sharing sensitive information without due diligence.

The Dangers of Public Wi-Fi

Public Wi-Fi networks are another avenue for cyberattacks. Malicious actors often target these unsecured networks to intercept online activities and steal confidential information. All HSE staff should avoid using public Wi-Fi for sensitive tasks, such as online patient information sharing or accessing HSE systems, unless they are equipped with a reputable Virtual Private Network (VPN). By ensuring that our employees adhere to these best practices, we can significantly reduce HSE exposure to cyber risks in everyday operations.

Strengthening Password Security

Password management remains a cornerstone of cyber hygiene. Weak or reused passwords expose organisations to significant risks, with approximately 80-90% of ransomware attacks originating from unmanaged or insecure devices. The National Cyber Security Centre (NCSC) advises using strong, complex passwords. This can be based simply on a combination of three long, random words. Multi-Factor Authentication (MFA) is also encouraged wherever possible to add an additional layer of security.

One of our key objectives is to ensure that HSE employees are not only creating secure passwords, but also understand the tactics criminals use to bypass MFA, such as MFA fatigue attacks, where users are bombarded with repeated verification requests until they approve one. Educating staff on the importance of resisting these manipulative strategies is crucial for safeguarding organisational systems.
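The MFA fatigue pattern described above is also visible on the defender's side: a burst of push notifications to one account, several denials, and then an approval. The following script is an added illustration, not HSE code or part of this article; the log format, the field names and the thresholds (four pushes within ten minutes) are assumptions chosen for the example, and the log lines are constructed sample data.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example for illustration only (not HSE code). The log schema
(ISO timestamp, user, event, result), the event names and the
thresholds are assumptions; real identity providers export their
own schemas, so the parser would be adapted to the actual source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One user receives a
# burst of pushes, denies twice, and finally approves.
SAMPLE_LOG = """\
2024-09-12T08:01:10Z alice push_sent -
2024-09-12T08:01:40Z alice push_result denied
2024-09-12T08:02:05Z alice push_sent -
2024-09-12T08:02:30Z alice push_result denied
2024-09-12T08:02:50Z alice push_sent -
2024-09-12T08:03:10Z alice push_sent -
2024-09-12T08:03:25Z alice push_sent -
2024-09-12T08:03:40Z alice push_result approved
2024-09-12T09:15:00Z bob push_sent -
2024-09-12T09:15:20Z bob push_result approved
"""

PUSH_THRESHOLD = 4            # assumed: pushes in one window that warrant a look
WINDOW = timedelta(minutes=10)  # assumed: sliding window length


def parse_log(text):
    """Turn the assumed 'timestamp user event result' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: details} for users whose push count in any sliding
    window reaches the threshold. Details record how many denials fell
    inside the burst and whether an approval followed it, because a
    user who eventually approves is the outcome that needs follow-up."""
    pushes, results = defaultdict(list), defaultdict(list)
    for ts, user, event, result in sorted(events):
        if event == "push_sent":
            pushes[user].append(ts)
        elif event == "push_result":
            results[user].append((ts, result))

    findings = {}
    for user, times in pushes.items():
        best = None  # (count, window_start, window_end) of the densest burst
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best is None:
            continue
        count, w_start, w_end = best
        denials = sum(1 for ts, r in results[user]
                      if r == "denied" and w_start <= ts <= w_end)
        approved = any(r == "approved" and w_start <= ts <= w_end + window
                       for ts, r in results[user])
        findings[user] = {
            "pushes_in_window": count,
            "window_start": w_start,
            "denials_in_window": denials,
            "approved_after_burst": approved,
        }
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info}")
```

In a real deployment the same logic would run over the identity provider's sign-in logs, and a finding with `approved_after_burst` set would trigger a session revocation and a call to the user through a known-good channel, which is the same secondary-channel verification the article recommends against social engineering generally.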

Securing Removable Media

The use of removable media, such as USB drives, is needed in some areas of HSE service delivery. However, it presents additional risks. Sensitive information stored on these devices can be easily lost or stolen, potentially leading to a serious data breach. The HSE currently provides encrypted USB devices for such purposes, which must only be used in line with HSE policies.

Removable media found in unsecured locations should never be inserted into company systems, as this could provide a backdoor for attackers.

Physical Security: The First Line of Defence

Cybersecurity does not end with digital safeguards; physical security is equally important for HSE ICT assets, whether in the office or working from home. Simple actions such as locking a screen can prevent unauthorised access and data theft.

In conclusion, cyber hygiene is not solely the responsibility of the HSE Technology and Transformation function. It requires an organisation-wide commitment from every HSE employee and HSE contractor. It is a strategic imperative and a team game for the HSE, where every individual plays a pivotal role.

By adopting a culture of awareness, continuous education, and vigilance, the HSE can not only protect its digital assets but also safeguard the trust of the patients and communities we serve.

As the threat landscape evolves, so too must our defences. Remaining proactive and upskilled is the only way to mitigate the risks that threaten our services, and I thank you for your support in protecting our organisation.
