The global malware attack which petrified the NHS has thrown into sharp relief that IT security is a health and safety issue.
Ransomware such as that used in the attack on the NHS and others works by blocking access to data until or unless a ransom is paid. And as we have seen, even if the ransom is paid there is no guarantee that access will be restored.
It is easy to imagine that if an organisation loses access to vital health and safety documentation such as risk assessments, lone worker systems and the like, operational health and safety risk can only be heightened. And of course a cyber-attack can affect businesses of all types and sizes: not just major manufacturing concerns but small businesses and SMEs.
How then to address this? Sensibly, the suggestion is that those responsible for managing health and safety in organisations should be in discussion with those responsible for IT security over the backup of vital health and safety documents, so that in the face of an attack those documents remain accessible from a secure location.
Reflecting the health and safety risks posed by cyber-attack, the Health and Safety Executive (“HSE”) has published operational guidance on cyber security for its own Inspectors. The guidance calls upon dutyholders at major hazard sites to manage the health and safety risks arising from a breakdown in cyber security. Think of computer-controlled operating systems in the chemical, tank storage and petroleum industries and the effects a cyber-attack may have on IT-controlled pressure valves or temperature systems. The HSE is working with major hazard industry bodies as well as with the National Cyber Security Centre (NCSC) on the development of suitable guidance. Moreover, the HSE’s 2017/18 business plan commits the HSE to draw up a new cyber strategy.
The common principles as between the management of “traditional” health and safety risks and those raised as a consequence of cyber-attack will likely be the same: application of good practice; a proper assessment of the hazards and risks posed; and application of appropriate risk reduction measures. Where organisations fail to apply or uphold these principles in either domain, enforcement action would be the natural and expected consequence, with financial and reputational pain not only for the organisations but for the responsible individuals within them.
Some have criticised the HSE as being somewhat behind the curve in this area, but it is clearly catching up, and it may not be long before we see HSE enforcement action against those who fail to protect their IT systems adequately, with consequent health and safety risk.