The British government is actively pursuing its ‘digital by default’ programme across many parts of the public sector. But despite the clear benefits of digitisation, the question of data security has consistently provided a conundrum.
In no sector has this been as true as the health sector, where the government’s Care.data programme continues to find challenges in getting off the ground. As recently as December 2014, the NHS Watchdog raised 27 questions about the programme, challenging issues such as how GPs would meet their legal responsibilities to comply with the Data Protection Act, which would need to be addressed before the programme is implemented.
The delays in national digitisation programmes are not surprising as the threat to sensitive patient data becomes increasingly clear. The attack by Chinese cyber-military units on American healthcare provider Community Health Systems, in which the personal data of 4.5 million patients was stolen, demonstrated that cyber-attackers are actively targeting healthcare providers to steal personal identities and personal health information for sale on the dark web. Another motive is to blackmail particular individuals by threatening to reveal sensitive details about their medical conditions.
But data security in healthcare goes much deeper than just building it into large-scale digitisation schemes, like Care.data. One of the threats to data security currently facing the NHS is the threat of the insider – even when the employee’s actions are completely unintentional. For example, many healthcare workers simply don’t know that they could be risking their organisation’s sensitive data by downloading a fake ‘Flappy Bird’ app onto their smartphones.
The use of mobile devices like laptops, smartphones and tablets has become indispensable in nearly all sectors of work, whether the devices are provided by the employer, bring your own device (BYOD) or choose your own device (CYOD).
However, with the benefits of mobile working comes a new attack vector for cybercriminals. With cyber-attackers increasingly targeting vulnerabilities in mobile applications, it is essential that health trusts and hospitals take the necessary steps to lock down these new entry points.
Despite the significant threat that cyber-attackers pose to health data, research by Veracode found that some NHS hospitals and trusts are not only significantly increasing their cyber-security spending, but are also spending it more intelligently to mitigate new and emerging risks.
Yeovil District Hospital NHS Foundation Trust, for example, has been making significant investments to protect patient information. As part of the meaningful fivefold increase in its cyber-security spending over the past two years, over £54,000 has been invested in mobile device management (MDM) technology since 2013. MDM policies reduce the risk of data breaches by preventing malicious apps from being downloaded onto mobile devices, thereby helping to prevent the theft of sensitive patient data.
It’s encouraging to see hospitals such as Yeovil NHS Trust move away from the ‘all we need is a firewall’ mentality, and into the age of thoughtful cyber-security investments that address new attack vectors such as mobile applications.
The next step for hospitals, and indeed all organisations that are making these inroads, is to simply shout about it more. The industry needs beacons of best practice to show that cyber-security measures are a worthy investment that securely enable digital innovation, helping over-stretched staff and improving the overall patient experience.
Care.data has a challenge ahead – not only to answer all the queries of the NHS Watchdog, but also to convince the wider public that it can be trusted with protecting their data.
With the on-going cycle of cyber-attacks by organised criminals and nation states, it’s never been more important to celebrate NHS trusts and hospitals that are making the right decisions to keep their data safe. Demonstrating that the NHS does understand the new threat landscape, and is acting thoughtfully, is the first step in enabling all of us to participate and trust in the new age of digital healthcare.
Sourced from Chris Wysopal, Veracode