Ever since WannaCry, healthcare organisations have been dealing with mounting pressure to protect themselves against a more sophisticated level of cyberattack. As an industry, healthcare deals with highly personal and sensitive patient information. Unlike other customer-facing service providers like banks, that can sometimes destroy sensitive data after a certain period of time, healthcare providers are often required to retain confidential data for significant lengths of time.
Hospitals store troves of patient records, research centres amass volumes of personal clinical data, and health clinics can hold onto an individual’s personal information for the course of a lifetime. The thought of any of this information being up for grabs to motivated hackers should be enough to make any organisation realise that serious action must be taken.
To an industry that plays such a crucial role in society, the fallout from the WannaCry outbreak is devastating. The UK Centre for the Protection of National Infrastructure classifies health as one of 13 crucial national infrastructures – a service that is necessary for a country to function and upon which daily life depends – and the impact of the 2017 cyberattack on the NHS showed just how unprepared the healthcare industry is.
Email: the mission critical tool
The domino effect of previous attacks has led to a lack of trust in the healthcare sector. PwC’s 2017 UK healthcare sector survey, Patient’s Voice, revealed that less than half of the UK’s adult population (49%) think their health records are safe being stored in an online system. These systems, and in particular email, are deemed mission critical to most organisations today, healthcare practices being no exception, which makes it especially worrying that in 2017 the Information Commissioner’s Office (ICO) found ‘data sent to incorrect recipient’ to be one of the leading causes of data loss.
With personal and highly sensitive patient information at stake, it’s even more worrying that the humble misaddressed email continues to pose the biggest data loss risk today. The danger of unintended recipients receiving sensitive information, or employees becoming susceptible to vicious phishing scams, increasingly compounds the need for more stringent email security practices.
While email is the weakest link in an organisation’s armour – susceptible to malicious attacks or simple employee mistakes – security teams can help bolster this weak point by implementing more effective security frameworks. According to the ICO report, there was a 22 percent increase in reported health data incidents since the previous year.
The three main reported breach types were: data posted or faxed to an incorrect person; data sent by email to an incorrect recipient; and loss or theft of paperwork. This just goes to show that sophisticated code is not always to blame for bringing a company to its knees; relatively simple email errors can too. Fortunately, there are several ways that organisations can mitigate this potential damage. They fall into two separate categories: education and technological change.
Employees are a security risk to any organisation. It can take just one email to the wrong recipient for data to be lost, and a similar single click to open a virus-infected attachment. Educating employees on online security best practices should be at the top of any organisation’s to-do list, particularly those dealing with high volumes of sensitive information, such as in healthcare.
Most healthcare professionals receive yearly training when it comes to medical practices, and even repeat training on the “basics” such as CPR. The healthcare industry should treat information and email security training and awareness with heightened importance, as a damaging data breach or cyber-attack can cripple a hospital, potentially putting patient lives at risk.
From a technological point of view, organisations need to accept that employees will make mistakes and therefore safeguards should be in place. However, when it comes to securing email communications, many organisations tend to over-rely on legacy, rule-based security platforms. Unfortunately, they just aren’t effective. Incumbent email security platforms aim to address data loss over email by allowing organisations to set basic rules to control the flow of sensitive information.
This yields many headaches for IT teams, and businesses as a whole. For example, a simple rule may dictate that sending messages to free email domains (Gmail, Yahoo etc.) is not allowed. However, many legitimate professionals use these domains for business, and blocking them would require additional rules to be created to allow communication with particular clients who use free-mail domains. It would be near impossible to effectively catch genuine unauthorised emails with a rule-based approach.
For this reason, machine learning is crucial. When applied to securing email communications, it can analyse sending patterns on an organisation’s network, and automatically identify whether an email is being sent to an unauthorised account and, if so, how sensitive the email is. Machine Intelligence systems can combine natural language processing and machine learning to detect emails that are a source of data loss (such as misaddressed emails) or a data security threat (such as emails to unauthorised accounts). This is something rule-based approaches cannot do.
Furthermore, legacy email security platforms require immense administration from IT teams and disrupt employees’ workflow. With IT administrators spending a large portion of their time filtering through false positives caused by rule-based systems, they could miss other potentially damaging security problems.
By analysing historical email data to understand conventional sending behaviours, smarter email security platforms can lessen the administrative burden on IT teams, lessen disruption to employees, and most importantly, significantly reduce data loss and security breaches.
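To make the contrast between the two approaches concrete, here is a small added example in Python. It is not Tessian’s code or any real product’s logic; it places a free-mail-domain blocking rule with an administrator allowlist beside a simple behavioural baseline learned from a constructed sending history, and runs both over three constructed outbound emails. The sender, recipients, domains and the `sensitive` flag (assumed to come from an upstream content classifier) are all made-up assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed list of consumer webmail domains used by the rule-based check.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


@dataclass
class Email:
    sender: str
    recipients: list
    sensitive: bool  # assumed to be set by an upstream content classifier


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rule_based_verdict(email: Email, allowlist: set) -> dict:
    """Legacy-style rule: sensitive mail to a free-mail domain is blocked
    unless an administrator has allowlisted that exact recipient."""
    verdicts = {}
    for rcpt in email.recipients:
        rcpt = rcpt.lower()
        if email.sensitive and domain_of(rcpt) in FREE_MAIL_DOMAINS and rcpt not in allowlist:
            verdicts[rcpt] = "block: free-mail domain"
        else:
            verdicts[rcpt] = "allow"
    return verdicts


class SendingBaseline:
    """Learns who each sender normally writes to, then scores new recipients
    against that history instead of against a static domain rule."""

    def __init__(self, similarity: float = 0.85):
        self.similarity = similarity
        self.known_pairs = defaultdict(set)    # sender -> recipients seen before
        self.known_domains = defaultdict(set)  # sender -> recipient domains seen before

    def learn(self, history):
        for sender, rcpt in history:
            sender, rcpt = sender.lower(), rcpt.lower()
            self.known_pairs[sender].add(rcpt)
            self.known_domains[sender].add(domain_of(rcpt))

    def assess(self, email: Email) -> dict:
        sender = email.sender.lower()
        findings = {}
        for rcpt in email.recipients:
            rcpt = rcpt.lower()
            if rcpt in self.known_pairs[sender]:
                findings[rcpt] = "ok: established recipient"
                continue
            # A new address whose local part matches a known contact at another
            # domain is the classic misaddressed email (autocomplete or typo).
            lookalike = self._closest_known(sender, rcpt)
            if lookalike:
                findings[rcpt] = f"warn: looks like known recipient {lookalike}"
            elif email.sensitive and domain_of(rcpt) not in self.known_domains[sender]:
                findings[rcpt] = "warn: sensitive content to a domain this sender has never used"
            else:
                findings[rcpt] = "ok: new recipient, no risk indicators"
        return findings

    def _closest_known(self, sender: str, rcpt: str):
        local = rcpt.split("@", 1)[0]
        best, best_score = None, 0.0
        for known in self.known_pairs[sender]:
            if domain_of(known) == domain_of(rcpt):
                continue  # same domain: a new colleague, not a lookalike
            score = SequenceMatcher(None, local, known.split("@", 1)[0]).ratio()
            if score >= self.similarity and score > best_score:
                best, best_score = known, score
        return best


# Constructed sending history: (sender, recipient) pairs from past mail logs.
HISTORY = (
    [("dr.jones@hospital.example", "j.smith@clinic.example")] * 12
    + [("dr.jones@hospital.example", "lab@partner.example")] * 5
    + [("dr.jones@hospital.example", "k.patel@gmail.com")] * 3
)


def compare_approaches(allowlist=frozenset()):
    """Returns (recipient, rule verdict, baseline finding) for three constructed cases."""
    baseline = SendingBaseline()
    baseline.learn(HISTORY)
    cases = [
        Email("dr.jones@hospital.example", ["j.smith@gmail.com"], True),               # mistyped domain
        Email("dr.jones@hospital.example", ["k.patel@gmail.com"], True),               # legitimate Gmail consultant
        Email("dr.jones@hospital.example", ["records@unknown-archive.example"], True), # never-seen domain
    ]
    results = []
    for e in cases:
        rcpt = e.recipients[0]
        results.append((rcpt, rule_based_verdict(e, set(allowlist))[rcpt], baseline.assess(e)[rcpt]))
    return results


if __name__ == "__main__":
    for rcpt, rule, finding in compare_approaches():
        print(f"{rcpt:34} rule-based: {rule:25} baseline: {finding}")
```

Run as-is, the rule blocks both Gmail recipients (catching the misaddressed one but also the legitimate consultant, the false positive the text describes) and lets the never-seen archive domain through, while the baseline separates all three: it flags the lookalike, accepts the established Gmail contact, and warns on sensitive content leaving for a domain the sender has never used. Passing `allowlist={"k.patel@gmail.com"}` shows the per-recipient exception the rule-based approach needs to reach the same answer.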
Sourced by Tim Sadler, Co-founder & CEO at Tessian