- Research by NCC Group reveals vast majority of NHS have been victims of ransomware in past year
- Sophos study reveals a gap between the perceived and actual strength of IT security measures in the NHS
- Company has released advice on how to tackle the threat, including updating software and using multi-factor authentication
- Ponemon’s Sixth Annual Benchmark Study on the Privacy & Security of Healthcare Data reveals average cost of a healthcare organisation data breach is estimated to be more than £1.7m
- Illegally-purchased medical records are traded for around 50 times the amount of credit card information
- Apricorn advises trusts to enhance encryption to protect sensitive data
- And Veracode warns of vulnerability of connected medical devices
IT experts have released a list of simple and cost-effective tips to enhance cyber security at NHS trusts.
The advice follows the revelation that at least 28 NHS organisations in England have been targeted with ransomware in the last 12 months, causing serious disruption to services and, ultimately, impacting on patient care.
The figures came from a Freedom of Information request by security experts at NCC Group. The data revealed that only one of the trusts that responded to the request had not been a victim in the past year, but it had been affected in the past.
As healthcare information technology continues to evolve at an ever-increasing pace, protecting sensitive data is more crucial now than ever
This highlights the risk to healthcare operators holding a range of sensitive data on patients and employees.
In light of the findings, IT security firm, Sophos, has released advice on how to tackle the threat.
The company’s UK healthcare sector manager, Jonathan Lee, said: “Unfortunately, ransomware continues to be big news, and it doesn’t show any signs of slowing.
“We are seeing all kinds of ransomware with different tactics and technology.
“While putting IT at the heart of care within the NHS brings many gains in terms of care, it also means more opportunity for data breaches, as many high-profile public and private-sector data incidents have demonstrated.”
Earlier this year, Sophos carried out its own independent study which revealed a gap between the perceived and actual strength of IT security measures in the NHS.
In the study of 250 NHS-employed chief information officers, chief technology officers, and IT managers, 84% of respondents stated that encryption is becoming a necessity, but only 10% stated that encryption was well established within their organisation, and only 59% have email encryption.
“NHS organisations still face significant IT security issues and IT decision-makers have work to do to address gaps in their security, said Lee.
“Failure to take the necessary precautions to keep cyber criminals out, to safeguard data, and ultimately to protect patients and staff will continue to cause significant problems for NHS organisations.
“However, budget cuts and changes to working practices, such as the increase in mobile working, all present significant challenges within the sector.”
Sophos has issued its top tips for protecting systems against cyber criminals.
- Keep all software up to date: Let the software do all the work. Enable automatic updating on all security software and operating systems. Include any applications that support auto-updating, and don’t forget that mobile devices and apps need updating as well
- Use multi-factor authentication: Even if a crook gets hold of your password, they won’t be able to get into your account unless they also control the second factor. Two-step verification is good (think SMS codes), and two-factor authentication is best (think hardware token or biometric)
- Connect with care: Be suspicious of all emails you receive that contain attachments or links. Especially the ones that urge you to act right away. Phishing emails are better than ever. Take the extra time to spot anything that looks odd and even verify the communication
- Cover yourself with Next Gen Endpoint products: Add protection for modern attacks through new products like Sophos’ Intercept X. Blocking new ransomware threats based on the underlying techniques used, and allowing for comprehensive investigation and clean-up of compromised machines
Also exploring the impact cyber criminals are having on the health sector is Ponemon, which has recently released its Sixth Annual Benchmark Study on the Privacy & Security of Healthcare Data.
While putting IT at the heart of care within the NHS brings many gains in terms of care, it also means more opportunity for data breaches
The document states: “Nearly 90% of healthcare organisations represented in the study had a data breach in the past two years, and nearly 45% had more than five data breaches in the same time period.
“The average cost of a healthcare organisation data breach is estimated to be more than £1.7m.”
Illegally-purchased medical records are traded for around 50 times the amount of credit card information. Stolen data can then be used to file fraudulent medical claims, open lines of credit, or pre-emptively claim a tax refund. With compromised healthcare data in hand, cybercriminals essentially have free rein to make a profit, inflict damage, and potentially ruin lives.
Commenting on the problem, Jon Fielding, managing director of Apricorn, a supplier of hardware encryption devices, told BBH: “As healthcare providers are driven towards automation and adoption of electronic record systems, the expanding scope of interconnected networks between hospitals, remote contractors, suppliers and other external parties has the potential to create a vast and insecure architecture. This is further exacerbated by the proliferation of mobile devices expanding the security perimeter beyond the traditional firewall.”
He added: “Compliance regulations are always a challenge and continue to get stricter, particularly since the Information Commissioner’s Office (ICO), which enforces the Data Protection Act
“In February 2015 the ICO gained the power to force any public healthcare organisation to a compulsory audit, as a result of the NHS’s reputation for poor data security. On top of this, the ICO also has the ability to enforce hefty fines for data breaches.
“In May this year, two NHS trusts were fined almost £400,000 for failing to protect confidential information. Chelsea and Westminster Hospital NHS Foundation Trust NHS Foundation Trust revealed the email addresses of HIV service users, while Blackpool Teaching Hospitals published the private information of thousands of staff online.
“Healthcare organisations must comply with regulation if they want to avoid these potentially-crippling fines and other expenses associated with a breach.”
Nearly 90% of healthcare organisations represented in the study had a data breach in the past two years, and nearly 45% had more than five data breaches in the same time period
While the Data Protection Act is already in place, NHS England may be forced to change the way it treats confidential data by the European Commission's (EC's) General Data Protection Regulation (GDPR), which will replace the 1995 Data Protection Directive and is expected to come into force on 25 May 2018.
Fielding said: “Security is not as simple as just password-protecting an office’s workstations. Healthcare organisations will often have multiple types of data stored on multiple devices across numerous operating systems, accessed by a variety of users in varying locations, making data security and compliance a burgeoning challenge.
“The complexity of ensuring compliance with security and privacy-related regulations, and deciding what policies and standards should be implemented, requires solutions that explicitly address these challenges and implement the necessary security measures whilst not adversely affecting employee productivity.”
Security breaches in the healthcare sector are often a result of lost or stolen laptops, USB sticks, optical media, or genuine user error. The Ponemon study found that many healthcare organisations and their business associates are negligent in the handling of patient information. Unintentional employee actions, third-party failures, and stolen computing devices account for a significant percentage of data breaches. 36% percent of healthcare organisations named unintentional employee action as a breach cause and 41% noted that third parties caused breaches.
To mitigate these risks, healthcare providers must ensure that information across the healthcare network is only accessible to an authorised user and, that once accessed, the data remains protected.
Fielding advises: “As data travels across various networks and is stored on an ever-growing array of endpoint, storage devices, the need for strong encryption is becoming evident.
”Virtually every industry that deals with personal and/or sensitive data relies on encryption to protect that data, and healthcare providers should be no exception. Equipping portable devices with self-encrypting drives is one obvious step, but healthcare providers should go further, particularly with at-rest data on removable storage. “
“USB flash drives that are left unattended will likely lead to breaches if not protected. If an organisation does not control the USB devices they authorise for use, they face several challenges.
Healthcare organisations must comply with regulation if they want to avoid these potentially-crippling fines and other expenses associated with a breach
USB devices must be carefully controlled
“The first, and most obvious, is that they have no way of knowing the level of protection that device provides, if any. Therefore, it is incumbent on any organisation to identify a hardware encrypted device that meets both their business and technical requirements and to ensure that only those devices can be used by policy.
“Another, and more sinister, consequence of allowing unauthorised USB devices into the organisation is that one of the fastest growing methods of introduction of malware is through a corrupted USB device. This attack vector has resulted in the shutdown of Nuclear power plants and Department of Defence networks among others and should be viewed as a real threat.
“While organisations look to encrypted USB devices to ensure any sensitive data is protected on the move and at rest, they should also ensure that the firmware on the device is securely implemented in a way that it cannot be modified to launch malware attacks.
“Once a hardware encrypted device, which is securely implemented such that it cannot be corrupted, has been identified, there is potential to leverage the technology into different areas.
“With the proper data protection strategies and solutions in place, healthcare organisations and providers can share data securely, both inside and outside the organisation, manage privileged users, and comply with monitoring and reporting regulations.
“Encryption ensures that data stays protected and confidential information remains locked away from the wrong eyes.
Often, it is not a question of ‘if’ a breach will happen, but rather ‘when’.
“As healthcare information technology continues to evolve at an ever-increasing pace, protecting sensitive data is more crucial now than ever.
If a business or organisation within the healthcare industry has questions about securing data, especially when at rest or in movement between locations, a proper risk assessment should be the first step to achieving and/or maintaining compliance
“If a business or organisation within the healthcare industry has questions about securing data, especially when at rest or in movement between locations, a proper risk assessment should be the first step to achieving and/or maintaining compliance.
“On top of this, healthcare organisations must also provide proper employee training on regulations and protocols related to data privacy and security.”
The recent concerns have also led to warnings about the potential hacking of crucial medical equipment.
Johnson & Johnson recently warned that one of its insulin pumps for diabetics was at risk of hacking.
Commenting on this, Laurie Mercer, solution architect at application testing security company, Veracode, said: “While scary, it is unsurprising that yet another connected medical device has been found to have security flaws.
“Security professionals have long hypothesised about the massive threat that many new connected medical devices pose.
“No connected device is 100% secure and vulnerabilities will always be discovered.
“The security of all Internet of Things (IoT) devices must be looked at holistically so that product, and its web and mobile applications, and back-end cloud services, are all secured by default.
As we see more of connected devices entering our healthcare system, we move from solely risking our sensitive information to opening patients up to potential physical harm
“Bolt-on security creates more opportunities for vulnerabilities to fall through the crack, so it’s essential that we see application security playing a more-prominent role in the development cycle.
“As we see more of connected devices entering our healthcare system, we move from solely risking our sensitive information to opening patients up to potential physical harm.
“It’s essential that we see a greater focus on cybersecurity within the healthcare industry to ensure that any connected devices – whether that be a drugs pump, MRI device, or a data-capturing application – are built in a way that best protects patients and their data.”
