In this article, Tony Yeaman, partner and head of healthcare at Weightmans, looks at cyber security in the healthcare sector
There is now widespread acceptance of multiple threats to the UK healthcare sector from criminal cyber attacks and a real concern that the NHS is not responding quickly enough to these significant new threats posed by highly-advanced targeted hacking by criminal individuals or gangs.
While the NHS has a long-running problem with the careless or inadvertent release or loss of patient data, these new threats are of a different order of magnitude. One only has to look to the USA where one healthcare insurer lost over 70 million records in a concerted cyber attack. The sheer scale of the loss is amplified when it is digital, rather than paper, data that goes missing.
While the NHS has a long-running problem with the careless or inadvertent release or loss of patient data, these new threats are of a different order of magnitude
All this when there is a strong drive to move towards a paperless NHS and the increased use of digital devices including smart phones and tablets. The increasing use of these mobile devices, together with greater reliance on networked computer systems, all of which have become indispensable, provides a widespread vulnerability to cyber attacks. These matters are further exacerbated by a spate of hospital mergers with data being accessed and stored across a variety of different networks, many of which are often not properly integrated, at a time when there is a need for significant budgetary saving.
It is essential that the NHS recognises this new and growing threat and its vulnerabilities and seeks to address it with better security and governance, and importantly training, to ensure it can protect its most-sensitive data.
It is clear both from the US and European experience that healthcare is one of the most-popular targets for cyber attacks. Thus one of the most-significant challenges faced by the NHS in the 21st Century is striking the balance between preserving the confidentiality and security of people’s personal data while maintaining the appropriate flow of information required for better healthcare.
It is estimated that this type of crime could be costing $6 billion annually in the US. A UK-based report estimated the annual economic cost of cyber crime to the Government at £2.2 billion.
Patients’ health information often contains much sensitive data - full names, date of birth, addresses and sensitive medical details. Iit has a high value to criminals as it can be used to facilitate large-scale identity fraud and is said to sell on the black market for up to 20 times more than credit card details.
While in the UK there have been no reported major cyber attacks on the NHS so far, the NHS has topped the list of organisations with serious data breaches. It has cumulatively been fined over £1.3m by the ICO for loss, rather than theft of, sensitive information. The ICO was recently granted new powers to conduct compulsory audits on NHS systems. Protecting the security of data within the healthcare sector is therefore a top priority. It was reported that in 2014-2015, 81% of large organisations in the UK had suffered a cyber security breach.
The importance of this topic is demonstrated by the Health Secretary’s acknowledgment that effective cyber security and risk management are of critical importance to the sustainability of the NHS and of a growing threat of criminal and malicious activity.
The risks include the potential to disrupt healthcare provision, all of which can adversely affect public trust and confidence. The Health Secretary has asked the CQC to review the effectiveness of current approaches to data security by NHS organisations in handling patient confidential data and to make recommendations on how new guidelines can be assured through the CQC inspections.
It is essential that the NHS recognises this new and growing threat and its vulnerabilities and seeks to address it with better security and governance, and importantly training, to ensure it can protect its most-sensitive data
The level of exposure was highlighted in a recent FOI request, which showed an alarming lack of awareness of cyber security within the NHS. It indicated that up to 70% of NHS trust staff admitted to using smart phones or tablets in the workplace, including their personal ones; yet a similar number of trusts acknowledged they either had limited or no training programmes in place at all to educate staff on how to safeguard information when using these devices.
As a further response to this threat, in September The Health and Social Care Information Centre, commissioned by the Department of Health, launched an ‘emergency response team’ to help NHS bodies affected by cyber crime. The Care Computing Emergency Response Team (CareCERT) will aim to enhance cyber resilience across the health and social care system. Importantly, it will support incident response and establish a strategic cyber risk oversight capability providing situational awareness, monitoring of active risks and early mitigations.
NHS boards should urgently address cyber security as a strategic management issue. While CareCERT will be a valuable resource providing best-practice guidance supporting organisations to keep their data safe and secure, ultimately it is a matter for individual bodies to ensure compliance, ensuring there is clear oversight and direction at board level, clear policies and effective training, understanding what your organisations response capabilities, recovery and resilience are to such a threat.
So are you able to confirm you have plans and capability in place to respond to cyber incidents? Are you promoting the use of secure networks and systems and security awareness training among employees? What actions are you taking to develop a comprehensive security programme to ensure quality response and timely recovery from a data breach in your organisation?
If you cannot answer all of these questions positively then now is the time to seek help.
