During COVID19, hacks to medical data increased significantly. In fact, in the UK during the first month of lockdown, there was a 400% increase in scams.
Healthcare institutions have been hit harder than most by the rise in cybercrime. Verizon reported that worldwide, confirmed data breaches in healthcare rose by 58% in 2020.
But even prior to COVID, healthcare has always been highly targeted for cybercrime. The ICO’s 2018/19 Data Security Incident Trends report stated that data breaches were amongst the highest in the health sector, with the industry suffering 15% of all breaches nationwide.
So why is healthcare data so valuable?
There are two main reasons medical data is targeted with such high frequency:
- Relative ease of access
- Data rich information allowing for extended criminal opportunities
Relative Ease of Access
The medical sector has fewer fraud detection systems in place than other sectors. Past data shows there is chronic underinvestment in NHS IT services. According to the BMJ, “Many NHS organisations spend as little as 1-2% of their annual budget on IT, compared with 4-10% in other sectors.”
This means that detecting breaches is often an arduous process, resulting in leaks and misuses of healthcare data taking months, or even years, to detect. Compare this with credit card or bank fraud and it is a very different story. Sophisticated artificial intelligence in the financial sector means attempted breaches are detected exceptionally quickly, and more often than not, prevented. In cases where fraud is successful, banks almost always refund money. Crucially, once a bank card is cancelled, further crimes can be prevented.
Data rich information allowing for extended criminal opportunities
Unlike bank card information, the information on medical records is largely unchangeable. As such it can lead to exposure to cybercrime for several years.
A patient’s name, date of birth, address, GP, medical history, employment history, and prescription information can be used to create false identities, commit health insurance fraud and illegally obtain prescription drugs or medical equipment.
This increased opportunity for crime means a hacker can sell this data for a large return on the dark web. According to a number of reports*, stolen records sell for between £190 – £760 each compared to just £3-8 for credit card information. From a hacker’s perspective, the ROI is much higher for healthcare data than bank account data.
How can you prevent your organisation’s medical data getting into the wrong hands?
There are many processes that an organisation can put in place to secure data, but the below elements are crucial for organisations of all sizes.
1. Cyber security training for all staff: 95% of cyber attacks are due to employee error/lack of security awareness. Making staff understand that cyber security is an important function necessary for them to effectively do their jobs will decrease the likelihood of cyber attacks from successfully penetrating systems by a large margin. Remember this includes clinical staff – not just those in data protection and admin roles.
Note – To comply with the NHS Digital Data Security & Protection Toolkit (DSPT), there is a requirement to confirm that staff receive a ‘minimum’ level of data security & awareness training every year.
2. Update software and security: It is essential that software is regularly updated to the newest feature to prevent the likelihood of cyberattacks from occurring. These updates will also help you encrypt your information and update security flaws.
3. Regularly backup data: Backing up data stored will prevent critical time and important information being lost due to ransomware attacks, time that is essential to treating patients.
Tip – When is the last time you tested a backup works? – Try it, restore something (be careful you do not restore it back over your current live area).
4. Data Protection or Information Governance Audit. Identify security risks and operational weaknesses within your organisation and put effective measures in place to safeguard information.
5. Implement a response plan to a cyberattack: Train staff to respond to cyberattacks appropriately so that a proper response procedure is in place. Practising simulated phishing attacks is also helpful to prevent cyber leaks from occurring & networks being infiltrated.
6. Stronger passwords: Organisations must ensure that their employees are using different strong passwords for each login. These passwords should be regularly changed & employees must avoid using easily predictable passwords like common words & names associated with the company or healthcare as a whole. Sharing passwords internally must be avoided to eliminate the possibility of unauthorised users accessing data they shouldn’t.
Tip– change to using passphrases or use a password manager tool that auto-generates passwords.
7. Consider Penetration Testing. Pen testing by a third party helps your organisation find out where it is most likely to face an attack and proactively bolster any weaknesses. It creates real-world scenarios to demonstrate how your company would fare if confronted with a full-scale cyber attack.
Viewing cyber security from the perspective of a hacker helps to cement the reasons why adequate data protection is so vital in healthcare. In 2022, the ever-escalating challenges make data security more important than ever. But with the right knowledge, tools and data, we can even the odds a little.