New regulations, new technologies and the sheer quantity of data stored by the UK’s healthcare sector mean the industry is constantly vulnerable to potential cyber-attacks, writes Alyn Hockey, VP of Product Management at data loss prevention product company Clearswift.
In fact, a recent Clearswift survey found that in the last year, 67pc of healthcare organisations in the UK have suffered a cyber security incident. To provide excellent patient care, the healthcare sector needs to ensure that its cyber security strategy is robust enough to thwart potential threats and minimise risks to the efficiency of its operations. The first step in this process is understanding where the threats come from and taking actions to mitigate them.
Third-party devices in widespread use, such as removable media like a USB stick or an IoT device connected to the network, are hard for IT security teams to keep track of, especially given the complexity of healthcare networks. The critical nature of securing these devices is demonstrated by the fact that in the last year, almost half of all healthcare cyber incidents have been the result of malware or viruses introduced to the network by third-party devices. Healthcare organisations must accept that insecure endpoints are one of the biggest threats and put technology in place to protect them.
Healthcare organisations must embrace the vital role each employee plays in cyber security and understand that it’s no longer the sole responsibility of the IT team. Some 37pc of incidents in the sector in the last year were caused by employees not following protocol and data protection policies. Just this month, a hospital administrator was sacked for remotely accessing the internal network of the Royal Stoke hospital from home, something he was not authorised to do. The administrator accessed almost 9,000 heart scan images in the process, potentially putting patient confidentiality at risk. Of course, many of these incidents are unintentional, but healthcare organisations must improve their employees’ understanding of the policies they’re meant to adhere to.
We’ve all sent emails to the wrong person. A second’s lapse in concentration and your Excel sheet containing stakeholder contact details has gone to ‘the wrong Dave.’ Research has shown that over a third of breaches within the healthcare sector occurred as a result of employees sharing sensitive data with unauthorised recipients. Accidents happen, but these statistics show just how easily the click of a button can put an organisation’s compliance at risk.
A cyber-aware culture is needed to ensure all employees know what is at stake. Under GDPR rules, sending patient data to an employee or supplier without access authorisation can put the organisation at risk of receiving a fine of up to 20 million euros or 4pc of global turnover (whichever is larger). Healthcare organisations must ensure all employees are educated and understand the policies in place. Handling data securely is key to a healthcare organisation’s credibility and should therefore be taken seriously both within a specific organisation and within the wider industry.
Damage of downloading
In a similar vein, research has found that 28pc of healthcare professionals saw downloading files or images as a key cyber security threat. Files and images, often clicked on unwittingly by employees, can be weaponised by cybercriminals to gain access to sensitive information. Once on the network, cybercriminals are free to release malware and ransomware, risking critical data and the overall running of the organisation.
It has been reported that attacks using steganography, a technique where data or malware is concealed in images, are making a comeback. To combat this, organisations must deploy data loss prevention solutions that detect harmful payloads in documents and images. These solutions scan for sensitive metadata that could put a healthcare organisation at risk.
No silver bullet
The threat to healthcare organisations is impossible to ignore; in 2019 alone, breaches of the healthcare sector exposed 38 million records, putting both employees and patients at risk. Healthcare organisations must act on their responsibility to protect the data of employees and patients alike. There is no silver bullet – a thorough approach to cyber security must be adopted and people, processes and technology continually reviewed to ensure organisations are going above and beyond to protect the important data they hold.