The health sector is suffering from a cyber security open wound – it is fast becoming one of the most highly targeted sectors for cyberattacks and data breaches. Traditionally, the financial services industry was the main target for cyber attackers but many organisations have since bolstered their defences.
With the Information Commissioner’s Office (ICO) handing out an increasing number of penalties and fines for data breaches in the health sector, the often out-dated, compliance-based frameworks are no longer enough to deal with today’s more sophisticated, targeted and persistent cyber threats. Traditional operational resilience arrangements, which were more often geared to dealing with physical threats, are also no longer enough.
The legislative and regulatory landscape is also changing, with the new European Union (EU) General Data Protection Regulation (GDPR) due to come into force in 2018 which will increase the maximum penalty for data breaches.
NCC Group recently carried out a Freedom of Information (FOI) request, which revealed that 47% of NHS Trusts in England have been hit by ransomware in the past year. This form of attack restricts access to systems in some way, often by encrypting files and then demanding a ransom to obtain access. With NHS Trusts holding a range of sensitive data on patients and employees, a piece of ransomware could cause serious disruption to services and ultimately impact patient care.
Worryingly, cyber threats are not limited to external hackers and criminal gangs. In the NHS, many breaches occur as a result of some sort of accident or incident on the inside. This could include sending personal health data to the wrong place or individual, or emailing it to third parties; the loss or theft of paperwork; the loss or theft of unencrypted devices; or a failure to redact third-party data in documents before release.
Despite the widely reported and significant repercussions of a cyberattack or breach, the healthcare sector still lags in terms of its preparedness for cyber threats.
What makes the health sector so vulnerable to cyberattacks?
NHS trusts and healthcare organisations potentially hold one of the largest pools of aggregated sensitive personal details in the UK, including National Insurance numbers, date of birth, height, weight, descriptions of physical appearance and any health conditions. Healthcare insurers and hospitals, in particular, can often be an almost completely unguarded “data treasure chest” to hackers.
This data is a valuable commodity to trade on the black market, much more so than financial information alone, and could be used extremely effectively by fraudsters to commit identity fraud, or even blackmail victims. Healthcare organisations also develop a great deal of intellectual property through research and development, the invention of medical devices, new forms of treatment and test data.
The NHS has spent almost three decades investing in digital technologies to automate processes, support clinical care and increase the accuracy of medical records. Furthermore, the use of big data analytics and new technologies has considerably changed the way health data is used, accessed, analysed and shared between healthcare professionals. However, these advancements are often meshed with outdated and vulnerable systems. In addition, the melting pot of connected mobile devices also makes the health sector a frequent target. Recent reviews of the resilience of medical devices in the US have pointed to a widespread failure to protect equipment such as drug infusion pumps, defibrillators, X-ray machines and electronic patient record systems from remote manipulation. Medical devices are now exposed to the same security threats as any other IT component. Yet the defences of these devices, as well as of their integrated ecosystems, are far less mature.
Despite these threats, NCC Group’s recent research has revealed that board and executive management teams in healthcare organisations still see cyber security as an IT-level issue rather than a board level risk. Many executives still struggle to understand ‘the cyber threat’ and how it could potentially impact their organisation. Furthermore, cyber security training is still handled as a tick-box exercise to satisfy wider compliance requirements, rather than addressing fundamental skills and knowledge gaps to reduce the likelihood of a major data breach.
NCC Group also found that, on a maturity scale of one (initial) to five (optimised), most NHS Trust Cyber Incident Response (CIR) capabilities struggled to achieve a score above two (defined). The research also revealed a lack of formalised, documented CIR policy and no formalised method for classifying or prioritising cyber incidents based on severity or impact. There was also a lack of cyber incident scenario planning and table-top exercises for senior management.
What is at stake?
The consequences of cyberattacks are no longer limited to IT systems alone. As we have seen with recent high profile breaches, they can also impact reputation and confidence and lead to potential regulatory or legal ramifications. The ICO is now taking data breaches in the health sector very seriously and we have seen some NHS Trusts being fined in excess of £150,000.
How will the GDPR change things?
The health sector is responsible for controlling and processing a significant amount of personal data, not just in terms of the provision of care, but also in terms of research and employment. From 25th May 2018, all organisations collecting and processing personal data in the EU will have to comply with the GDPR. All organisations processing health data will need to review their existing policies, procedures, and practices to ensure compliance.
The new regulation also requires organisations to notify the data protection authority of a breach within 72 hours, as well as requiring them to conduct a Privacy Impact Assessment (PIA) prior to processing high risk personal data.
Establishing a cyber security risk management programme
Unless cyber security becomes a priority for both national and local health organisations, there is a real risk that high-profile incidents – which will happen and will become public – have the potential to very severely dent public confidence. With compliance requirements and fines looming, it’s now more important than ever for healthcare organisations to start implementing formal cyber security strategies. The key priority for healthcare organisations between now and when the EU GDPR comes into effect will be ensuring steps are in place to minimise the impact of breaches and ensure that when things go wrong, everyone involved knows what to do.
Planning and implementing a cyber security risk programme is one way for healthcare organisations to mitigate the risks associated with cyber threats. An effective programme should cover people, processes and technology and should be part of the organisation’s overall risk management strategy. It should also include initiatives for prevent, detect, respond and learn measures, as shown in the diagram below.
Cyber security training and awareness should be tailored according to job role and function. For example, a software developer should receive a different level of security training compared with a clinician. Cyber security awareness among staff should also be regularly measured, and cyberattacks need to be handled by a specially trained team who understand the implications and can react in the correct manner.
There is no doubt that cybercrime is on the rise, and the threats are evolving. But if the healthcare sector is to remain resilient, organisations need to accept this and plan accordingly in order to protect themselves, their staff and most importantly, their patients.
Haroon Malik, principal consultant at NCC Group