More than 113 million patient records were stolen from hospitals and healthcare facilities around the globe as a result of security failures and cyber attacks in 2015. With IBM’s Cyber Security Intelligence Index naming the healthcare industry as the number one attacked industry in 2015, it is no surprise that 41% of all security breaches reported to the UK’s Information Commissioner’s Office (ICO) that year were from the health sector.
These attacks have not only damaged the reputation of healthcare organisations but also their bank balances. The ICO has issued 11 fines amounting to £1.4 million between April 2010 and November 2015, with one NHS trust fined £325,000 for the use of unencrypted devices.
Notable cyber attacks and security breaches in the healthcare industry
In October of this year the North Lincolnshire and Goole NHS Foundation Trust (NLAG) had its systems infected with a virus that resulted in the cancellation of at least 35 patient operations and the relocation of other patients while the threat was dealt with.
In 2015, the 56 Dean Street HIV clinic released the email addresses of 781 patients while sending out its monthly newsletter. 730 of these addresses contained the full names of the recipients. The breach was an internal error for which the ICO imposed a £180,000 fine.
Also in 2015, the NHS-approved online pharmacy company Pharmacy2U sold details of more than 20,000 of its customers to marketing companies without their knowledge or consent. This breach resulted in the ICO fining the pharmacy £130,000.
Why is the healthcare industry under attack?
Better technology and the move to paper-free healthcare allows health professionals to look up and share life-saving information wherever and whenever it is needed. This is vital in improving patient care but it has brought the industry into the sights of cyber criminals.
Personal confidential data is valuable to those with malicious intent, meaning that health and social care systems will increasingly be at risk from external threats and potential breaches as technology becomes more prevalent. This has been emphasised by Lynne Dunbrack, research vice president for the International Data Corporation (IDC): “Frankly, health care data is really valuable from a cyber criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data.”
The National Data Guardian report reviewing data security for the health and care industry found that internal breaches are often caused by people finding workarounds to burdensome processes and outdated technology, and that those people may be unaware of their responsibilities.
How to stop these attacks
Step 1: Cyber Essentials certification
Cyber Essentials is the UK-Government-backed security scheme that sets out five security controls that could prevent around 80% of basic cyber attacks, improving cyber security and preserving the reputation of the healthcare industry.
Cyber Essentials certification also demonstrates to patients, suppliers and third parties that data security is being taken seriously, and – by choosing a CREST-accredited certification body like IT Governance – that the cyber security status has been independently verified by a third-party vulnerability scan.
To help companies of any size and with any level of information security competence adopt the Cyber Essentials scheme, IT Governance has developed three packaged solutions to choose from. With the CyberComply online portal, all companies can be in full control of their certification process, assisted by IT Governance’s experienced consultants.
Step 2: ISO 27001
ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). It encompasses people, processes and technology, recognising that information security within the healthcare industry is not about technology alone.
To help healthcare companies of any size and with any level of information security competence adopt the ISO 27001 standard, IT Governance has developed a range of packaged solutions to choose from. Each fixed-price solution is a combination of products and services that can be accessed online and deployed by any company in the world.