In 2018, 351 data breaches of medical records were reported in the US, resulting in the over 13 million patient records being exposed to hackers. This figure is more than double the number of patient records hacked in 2017, demonstrating the sheer scale of the problem. The risk of increasing numbers of attacks is set to continue to rise, with more health data being moved online.
The US is not the only country to be suffering from cyber-attacks in a health setting. During the WannaCry ransomware attack, more than150 countries globally were affected, including the UK where the National Health Service (NHS) was worst hit. The NHS provides healthcare free at the point of access for 65.4 million people, this single attack led to 19,000 appointments being cancelled at a cost of £20 ($26) million. The WannaCry attack demonstrates the cost of these breaches to organisations, which are only set to increase with the US government imposing fines of up to £13 ($18) million if personal data is at risk.
So, what can organisations do to limit the threat of attack?
In the WannaCry example, outdated IT systems were blamed as hackers used a vulnerability in an old version of Microsoft Windows. Poor IT infrastructure is a clear risk for businesses. CIO’s need to take on the role of developing a business case, to make the business resilient to attacks and, persuade individuals at all levels, that cyber security is a priority.
The attacks we have seen so far have caused huge disruption however they have often been quite basic in nature. Hacking techniques are becoming more advanced, causing cyber security experts to engage in a 24/7 game of cat and mouse. To stay one step ahead, the UK Government’s cyber agency (GCHQ) recently announced it was setting up an office and cyber accelerator in Manchester to develop the next cutting edge cyber technology. Clearly with the momentum of both attacks and detection and prevention techniques being developed, businesses need to keep an up to date knowledge of the innovations happening in this arena to protect health data.
Investing in secure IT systems and keeping software up to date are obvious ways of limiting risk however, there is a human element of hacking which needs to be addressed. In the Wannacry example the OS provider had sent a patch the fix the vulnerability although many individuals did not download it. In another example, US based Unity Health was hit by one of the biggest data breaches of the last 12 months with hackers gaining access to 1.4 million patient records. The source of the breach: a phishing email sent from a colleague which several employees clicked on.
There are many ways to reduce the risk of employees either carelessly or maliciously giving hackers a backdoor into company data. Ensuring all employees receive cyber security training at regular intervals should be the bare minimum. Sending test phishing emails can be used to reinforce training and, identify staff who require further knowledge.
Pre-employment screening can reduce the risk of hiring employees with malicious intentions by looking for example at previous criminal convictions. It should be noted however that a study found only 6% of 120 serious cases involving malicious insiders were employees who joined the company with the intention of sharing data. The overwhelming majority involved employees who had become disenfranchised with the organisation. Making employees feel valued and, managers leading by example are two of the biggest steps health organisations can take to help employees become assets rather than threats.
Where is the best place to innovate with cyber security in health?
Manchester is an emerging hub for cyber security and an established hub for life sciences. It is a city at the forefront of health data and therefore the cyber security requirements around protecting this data. Not a city to rest on its laurels, last year, Manchester University Hospitals NHS Trust, the largest in the UK, advertised a £400 ($525) million tender to move to a fully integrated electronic patient records system. This investment will see the trust join locally based Salford Royal Hospital which is currently the only fully e-enabled NHS trust in the UK and a global digital exemplar.
In the cyber security space, a recent investment from Government Communications HQ (GCHQ) has put Manchester at the heart of UK security. Outside of healthcare, Manchester’s diverse ecosystem, which includes the UK’s largest regional financial and professional services sector, a vibrant e-commerce hub and industrial base that is embracing digital solutions, offers cyber companies a wealth of opportunities including access to expertise, research, market opportunity and talent.
Representatives from Manchester will be attending HIMSS 2018 in Orlando. If you would be interested in joining over 160 biomedical companies based in the city please click here to connect with the team.
