
Opinion piece: Defusing healthcare’s data security ‘timebomb’

By Bill Mann, SVP of products and chief product officer, Centrify

According to the National Audit Office (NAO), the NHS could have prevented the WannaCry ransomware attack that led to the cancellation of at least 6,900 appointments. The report found it had failed to follow cybersecurity recommendations made in 2014, leaving systems exposed to hackers. The NAO chief has called for the Department of Health and NHS to ‘get their act together’.

Two-thirds of consumers say they trust healthcare providers to protect their data, according to a study from Ponemon, while only a quarter trust credit card companies. This confidence appears to be misplaced: healthcare organisations account for 34 per cent of all data breaches, while financial organisations account for only 4.8 per cent (ITRC Data Breach Report).

Every healthcare provider has a duty to ‘get its act together’ and close the gap between reality and consumers’ expectations. Those that don’t will compromise the safety and privacy of patients, while risking significant damage to their reputation and financial strength.

The impact of a data breach

Half of all consumers have been notified by a company that their personal information has been lost or stolen as a result of a data breach, according to Ponemon. Sixty-five per cent lost trust in that organisation, and one in four severed their relationship with it.

The same study found that the stock value of 113 companies declined by an average of five per cent on the day a breach was disclosed, resulting in millions of pounds of losses. They also experienced up to seven per cent customer churn.

A soft target?

Healthcare organisations are a prime target for cyberattacks because of the lucrative personally identifiable information (PII) held in patient records, which can be used for identity theft. The industry is also perceived as easy to infiltrate because its security technologies and processes are comparatively weak.

The main cause of healthcare breaches is unauthorised access or disclosure, resulting either from insider threats – employee error, negligence or criminal activity – or external threats, in the form of hacking, skimming and phishing. Taking a broad view across all sectors, 81 per cent of breaches involve weak, default or stolen passwords, according to Verizon.

A shot in the arm

Mobile working, complex supply chains and the use of cloud services mean organisations no longer have a ‘boundary’ around their data. As a result, traditional security measures fail to safeguard against breaches, so they must rethink their approach. This is particularly vital in light of the General Data Protection Regulation (GDPR), which will impose huge fines on organisations that don’t take adequate steps to secure EU citizens’ personal data.

With so much at stake, cybersecurity can no longer be viewed as an IT problem. It’s a business problem – and senior executives must be involved in developing and implementing a holistic security strategy designed to protect patients, brand credibility, customer loyalty and profits.

There are a number of best practice steps a healthcare organisation can take to strengthen its security posture.

Appoint a dedicated chief information security officer (CISO). It’s their role to educate the board in the merits of investing in appropriate security defences.

Invest in people and technologies. Allocate adequate spend on skilled staff and up-to-date security-enabling technologies. Access is healthcare’s Achilles heel, so implement an integrated identity platform that will manage, monitor and protect privileged access and credentials for all users, applications, endpoints and infrastructure.

Plan for the worst. An effective data breach preparedness plan is critical. This should include procedures for communicating with investors and regulators.

Adopt a ‘zero trust’ position. Assume that the network is already compromised. Base decisions about granting or denying access to systems or services solely on what you know about the individual user and their device, and on whether they are authenticated and authorised.

Build a culture of security awareness. Training and awareness programmes will increase employees’ understanding of the risks and threats, and get everyone working together to protect information.

Carry out regular vulnerability audits. Assessments will identify any security holes in a computer, network or communications infrastructure, so they can be addressed.

Participate in threat sharing programmes. Similar organisations are often targeted by the same threat, so collaborating with companies you trust can offer a better and faster way to prevent and detect attacks.

Patient information is becoming more valuable and attractive to cyber criminals: the number of records breached this year is on track to top 2016 totals. A comprehensive security strategy is the only way to defend the organisation against attack and ensure the confidentiality, integrity, availability and resilience of systems and services.