When selecting a new digital care planning platform, information security should be a key consideration for making sure the platform is suitable and secure for your care service. From GDPR requirements for data processing and controlling, data backups and who can access data, to accreditations such as ISO and Cyber Essentials Plus, there are a host of things to consider when using a new platform. We’ve put together this guide to help you make sense of it all and how Nourish goes above and beyond to ensure data in the system is protected to the highest level.
The General Data Protection Regulation (GDPR) is embedded in everything we do at Nourish, and we continually review and improve our processes to ensure best practice and compliance with the regulation. This includes vetting suppliers for their own data practices, data sharing agreements with integration partners, Data Protection Impact Assessments and improving data security for our customers in every way we can. Nourish’s compliance with GDPR is monitored and audited as part of the certifications below.
In 2019, Nourish became one of the first digital care planning providers to implement and obtain a UKAS accredited ISO 27001 certification. In November 2023, Nourish transitioned to the latest 2022 version of the standard, giving confidence to all our current and potential customers that we have the latest and best processes in place to protect information across our entire organisation.
ISO 27001:2022 provides organisations with a framework and controls to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS). This accreditation underpins our security at Nourish; with annual external audits, monthly training sessions, regular meetings to discuss ISMS issues and managerial buy-in to the processes, to ensure our continuous improvement of security. The requirements for accreditation are stringent and based on three security principles:
Nourish achieves these three principles by implementing the 93 controls across the organisational, people, physical and technical themes that make up the latest standard, ensuring that Nourish has thoroughly considered its risks and has treatment plans in place to mitigate them.
Implementing a certified information management system such as ISO 27001:2022 has enabled Nourish to work in the safest and most efficient way.
As a company providing software, cyber security is a constant topic of conversation: how do we protect ourselves further, where can we improve, and what new threats do we need to protect against?
Nourish has achieved and maintains the Cyber Essentials Plus certification, adding to our Data Security certifications which work alongside our ISO 27001:2022 certified Information Security Management System. This ensures the safety and security of all data at Nourish and helps to prevent being an easy target for hacking or phishing schemes. To find out more about what you can do to protect your care service from phishing emails read our blog here.
Cyber Essentials is a government-backed scheme aimed at preventing attacks from the outside. Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme; it includes a thorough examination of security systems, with experts carrying out vulnerability tests on an annual basis.
Gaining the Cyber Essentials Plus certification is a key part of being able to offer our customers, partners and suppliers complete confidence in our ability to handle their data and keep it secure.
Holding data requires storage, and Nourish backs up data continuously to a cloud-based system. Nourish does not use onsite data stores; all cloud-provided solutions are backed up automatically and built into our disaster recovery plan and testing.
The accreditations above are just some of the ways Nourish ensures sensitive information and personal records are kept secure and protected, and they allow us to stay on top of data protection and information security.
Nourish continuously improves its data and cyber security to keep ahead of security improvements and recommendations and to limit the chance of breaches or attacks. Our main aim is to keep all data safe, accurate and available at all times.
To find out more about information security management and our digital care management platform – click here to book a demo
Phishing has been in the news and on social media a lot in recent months. Have you received an email from HMRC, PayPal, your bank, delivery companies like UPS, or maybe you’ve received an email claiming ‘you’ve won an iPhone!’? These are common examples of phishing emails aiming to catch you out.
A phishing email is designed and targeted by cybercriminals or ‘hackers’ to create the illusion of a genuine email. They normally claim to be from a company that does exist, but the email will not come from the genuine company. For example, they could be trying to look like a delivery company that was ‘unable to deliver your parcel’ or HMRC with ‘fraud that needs to be actioned’. These emails can look very genuine but can have dangerous consequences. Most often they contain a link that, when clicked, will ask for some sort of personal details or will install viruses or other malicious software onto your device.
Nourish has noticed an increase in attempted phishing emails in the sector over the last 6 months; these emails are targeted and can look very genuine. Some phishing emails have come to us pretending to be from organisations such as care providers, the NHS, HMRC, Microsoft and many more, some of which have been very good copies. These emails look exactly like a message from an organisation or person you trust. Official sources should never ask you for sensitive information via email.
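As an added illustration (not code from Nourish or from the original post), the following Python checks a constructed sample message for the two tell-tales described above: a sender claiming to be a known organisation from an unrelated domain, and a link whose visible text points somewhere other than its real destination. The brand-to-domain mapping and the sample addresses are assumptions made up for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing the patterns the post
# describes: an "HMRC" display name from an unrelated domain, a different
# Reply-To, and a link whose text shows gov.uk but whose href goes elsewhere.
SAMPLE_EMAIL = """\
From: "HMRC Refunds" <refunds@example-mailer.test>
Reply-To: collect@another-example.test
To: manager@care-home.example
Subject: Action required: tax refund pending
Content-Type: text/html

<p>Your refund is ready. <a href="http://another-example.test/login">https://www.gov.uk/hmrc</a></p>
"""

# Assumed mapping of brand keywords to the domain they genuinely send from.
BRAND_DOMAINS = {"hmrc": "gov.uk", "nhs": "nhs.net"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude approximation of the registrable domain (last two labels)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable warnings found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    from_domain = registrable(sender.domain)
    # 1. Display name invokes a known brand but the sender domain is not that brand's.
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower() and from_domain != genuine:
            findings.append(f"claims to be {brand.upper()} but sent from {from_domain}")
    # 2. Replies are routed to a different domain than the apparent sender.
    if msg["Reply-To"] and registrable(msg["Reply-To"].addresses[0].domain) != from_domain:
        findings.append("reply-to domain differs from sender domain")
    # 3. Link text shows one domain while the href actually goes to another.
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in HREF_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "://" in shown and registrable(urlparse(shown).hostname) != registrable(urlparse(href).hostname):
            findings.append(f"link text {shown} but destination {href}")
    return findings
```

Heuristics like these catch the obvious cases only; the post's advice to verify via an independently sourced phone number still applies.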
Attacks can cause serious problems if not handled correctly or caught early. The hackers can install malware or ransomware, sabotage systems, steal intellectual property or money, steal or lock access to data or personal information.
The costs of recovery can be very large, even if the attackers ever do return the property or data they have stolen or accessed. They may simply publish the information, which could lead to claims or reputational damage.
The lost productivity spent recovering or recreating what was stolen or lost may also cost a company significantly.
It can cause loss of customers if trust is broken, and they may no longer trust the organisation to keep their information or customer data safe.
The financial cost of fines or penalties for breaching regulatory requirements is also a factor, particularly if more could have been done to prevent the attack.
Knowing for sure is impossible; however, some key things to look out for to identify a phishing email are:
If you believe an email may be suspicious or phishing, ensure firstly that you do not click on any links or attachments. If you think it might not be genuine but is something you are unsure about, find a phone number for the company on another source and call to validate.
If the email is sent from a person you think you might know, contact them on another method of communication to ensure that they sent the email.
Most email providers offer a reporting option for suspicious emails; this allows email systems to improve their detection of phishing emails. Some providers will also filter suspected spam into a separate spam folder.
Finally, when you suspect or think an email is phishing, delete it from your inbox to avoid accidentally clicking on or opening it in the future.
First, don’t panic! Make a note of everything you can remember happening, especially taking a note of any information you think they may have gathered from you during the phishing attempt.
Change any passwords as soon as you realise you may have been compromised, and change the password anywhere else it is used.
Where possible, check the sign-in history of the account in question to see whether any new attempts have been made to access it.
If this attack was on a work or school computer, contact the appropriate person or IT Department as soon as possible in order to start working toward securing all accounts where possible.
If you shared any information, including card or bank details, contact your local police, bank and card company as soon as possible, as they will be able to stop the cards being used or money being taken if it has not yet happened.
As discussed, the consequences can be significant. However, there are ways you can protect your care service:
Being vigilant to phishing emails and knowing what to do if you do receive one and even what to do if you become a victim of one is extremely important.
To find out about Nourish’s data security management take a look at our blog.