This year has seen some significant IT security breaches in both the public and private sectors. From the WannaCry ransomware attack on the NHS to smaller, but no less distressing, attacks on private medical practices, these stories have received heavy media coverage. As a result, it’s likely that public awareness of these kinds of cyber attacks has increased and that patients will quite rightly expect clinics to have effective IT security systems in place to protect their data. This week, we’ll be taking a look at why hackers target medical information, and what practitioners should be doing to make sure their practices are safe.
Why is personal medical data so valuable?
Hackers target healthcare organisations for a number of reasons. For a start, large healthcare organisations – such as the NHS – are considered an easy target due to the sheer number of email accounts associated with them. In addition to this, the type of personal information held by these companies and organisations can be used to demand a hefty ransom. Earlier this year, hackers stole over 25,000 photographs, and other personal information such as passport scans and National Insurance numbers, from the database of a Lithuanian cosmetic surgery clinic. The ransom demanded was up to €2,000 (in bitcoin). This information can also command a high price on the black market. “On the black market, medical record information can cost up to 50 times more than credit card information,” says David Schluter, Managing Director at Fluid IT. “Unlike credit card information, it can’t be changed easily and can be key in staging ID fraud,” he continues. “It can be used in a broad range of fraud: fake insurance claims, financial fraud, and cyber criminals can even use it to purchase drugs online and then sell these on the black market.”
How can practices improve IT security?
There are many things practices can do to improve IT and data security, and education is a huge part of this.
“Medical practice staff need to really understand the value of this kind of data,” says Schluter. “It’s important to take data security very seriously as the risks can be enormous, but there are many excellent resources available to help managers support and educate their staff.” There are frameworks and toolkits available through online sources such as the ICO, or Cyber Essentials, all of which can guide the development of company policies and training. These resources can also help prepare staff for the enforcement of new data protection regulations next May (the EU’s General Data Protection Regulation).
In addition to this, there are other ways to improve IT security:
- Communicate regularly with staff regarding potential threats. For example, discuss how to spot suspicious links from unknown sources, explain the impact an attack could have on the practice, and emphasise staff obligations in relation to company equipment.
- Take out cyber liability insurance. This will provide cover for various scenarios: mandatory data breach notifications, investigating an incident, notifying data subjects, legal costs and regulatory fines.
- Work together with law enforcement agencies. This will help to disrupt hackers’ plans, and sharing threats and vulnerabilities means that others can benefit from this information.
- Encrypt emails and documentation containing personal information. “Devices should also be encrypted,” offers Schluter. “This offers an additional layer of protection, and makes it much harder for criminals to steal information. However, an encryption expert should be consulted before a practice implements this to ensure it has been designed in a way that suits the business.”
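The last point in the list deserves a concrete illustration of what “encrypting documentation” should look like in practice. The following Go program is an added example written for this article; it is not code from the original post, from Fluid IT, or from any product named here. It seals a document with AES-256-GCM, which both hides the content and detects any modification, and binds a label (here a constructed file name such as `patient-0001/photo.jpg`) into the authentication so that a ciphertext copied from one record cannot be passed off as another. The key handling is deliberately minimal: in a real practice the key would be held in a key manager or hardware token, which is exactly the kind of design decision the quoted advice says an encryption expert should be consulted on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 32-byte AES-256 key from the OS random source.
// Assumption for this example: the key is kept in memory only. A real
// deployment would store it in a key manager, never beside the files.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM authenticated-encryption instance for key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealDocument encrypts and authenticates plaintext. Output layout is
// nonce || ciphertext || tag. The label (e.g. the record's file name) is
// passed as associated data: it is not encrypted, but it is authenticated,
// so a sealed blob only opens under the label it was sealed with.
func SealDocument(key, label, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A random nonce per document; GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenDocument reverses SealDocument. Any change to the nonce, ciphertext,
// tag or label, or use of a different key, makes gcm.Open fail.
func OpenDocument(key, label, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed document too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong label or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; stands in for a scanned document or photo.
	label := []byte("patient-0001/photo.jpg")
	doc := []byte("constructed sample record: not real patient data")

	sealed, err := SealDocument(key, label, doc)
	if err != nil {
		panic(err)
	}
	opened, err := OpenDocument(key, label, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(opened, doc))

	// Flip one byte of the stored blob: the tag check rejects it.
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenDocument(key, label, sealed)
	fmt.Println("tamper detected:", err != nil)
}
```

The point to take from the example is the second half: authenticated encryption refuses to decrypt anything that has been altered, which is what separates it from plain confidentiality. The unencrypted label is a design choice worth discussing with whoever designs the scheme, since file names themselves can be sensitive in a clinic.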
Beyond cyber crime
Cyber criminals are becoming more effective and more organised, so it’s a good idea to think beyond the capabilities of your IT systems to combat the threat. An all-inclusive approach to IT security is required. Secure systems need to be backed up with policies and procedures, so staff know what their responsibilities are in terms of data protection and security.
The risk of security breaches does not only come from cyber criminals, as a prestigious US cosmetic clinic found out earlier this year. A member of staff stole as many as 15,000 medical records, including medical photographs. Whilst the team member’s actions are now the subject of a police investigation and it is not clear what became of the information, this case goes to prove that data safety is not just a matter of having the most up-to-date antivirus software in place.
Cyber attacks unfortunately cannot be prevented entirely, and they are sadly a threat that all companies – not just those in the healthcare sector – face. They can affect thousands of people (this year’s major WannaCry attack impacted around a quarter of a million computers across the globe) and can disrupt vital services. It’s crucial for anybody working in the healthcare sector to recognise this danger, and working in line with their organisation’s IT policies can help to minimise the risk of being hacked.