IBM’s Cyber Security Intelligence Index naming the healthcare industry as the number one attacked industry in 2015, it is no surprise that 41% of all security breaches reported to the UK’s information Commissioner’s Office (ICO) year were from the health sector.
These attacks have not only damaged the reputation of healthcare organisations but also their bank balances. The ICO has issued 11 fines amounting to £1.4 million between April 2010 and November 2015, with one NHS trust fined £325,000 for the use of unencrypted devices.
Notable cyber-attacks and security breaches in the healthcare industry
October 2016 North Lincolnshire and Goole NHS Foundation Trust (NLAG) had its systems infected with a virus that resulted in cancelling at least 35 patient operations, and other patients had to be relocated whilst the threat was dealt with.
56 Dean Street, an NHS HIV, clinic released email addresses of 781 patients while sending out its monthly newsletter. 730 of these addresses contained the full names of the recipients. The breach was an internal error that the ICO rewarded with a £180,000 fine.
NHS-approved online pharmacy company, Pharmacy2U, sold details of more than 20,000 of its customers to marketing companies without their knowledge or consent. This breach resulted in the ICO fining the pharmacy £130,000.
Why is the healthcare industry under attack?
Better technology and the move to paper-free healthcare allows health professionals to look up and share life-saving information wherever and whenever it is needed. This is vital in improving patient care but it has brought the industry into the sights of cyber criminals.
Personal confidential data is valuable to those with malicious intent, meaning that health and social care systems will increasingly be at risk from external threats and potential breaches as technology becomes more prevalent. This has been emphasised by Lynne Dunbrack, research vice president for the International Data Corporation (IDC): “Frankly, health care data is really valuable from a cyber-criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data.”
Reviewing data security for the health and care industry has found that internal breaches are often caused by people finding workarounds to burdensome processes and outdated technology – and that those people may be unaware of their responsibilities.
How to stop these attacks
Step 1: Cyber Essentials certification
Cyber Essentials is the UK-Government-backed security scheme that sets out five security controls that could prevent around 80% of basic cyber-attacks, improving cyber security and preserving the reputation of the healthcare industry.
Cyber Essentials certification also demonstrates to patients, suppliers and third parties that data security is being taken seriously. Amicus ITS works with CREST approved, cyber security organisations to ensure that your status has been independently verified by a third-party vulnerability scan.
Step 2: ISO 27001
ISO 27001 is the international standard that describes best practice for an Information Security Management System (ISMS). It encompasses people, processes and technology, recognising that information security within the healthcare industry is not about technology alone.
Step 3: Protect your perimeter
With threats and threat actors continuously evolving there is a real need for intelligent perimeter protection as well as innovation with password and identity management. At Amicus ITS we are happy to provide advice to help ensure your data is as secure as possible.
Amicus ITS specialist information governance and security division, provides services to support NHS and public sector organisations. Our client base is substantial and includes corporations of all sizes. We believe our success in winning and retaining clients is due to Amicus ITS’ deep and ongoing understanding of N3 compliance requirements in the UK.