The National Health Service (NHS) and associated organisations are a lucrative target for attackers, with some reports suggesting that a stolen medical record can be worth up to 100 times as much as stolen credit card details.
Ransomware attacks are also rampant in healthcare because much of the sector depends on immediate access to up-to-date information in order to function. With patient care at risk whenever access to data is delayed, the NHS and other healthcare organisations are under more pressure than most to pay a ransom.
At the same time, the UK healthcare sector is greatly fragmented – the governance structure is a confusing mass of public and private organisations interacting with contractors and patients.
Combined with the rapid digitisation of patient records in recent years, this fragmentation has made it very difficult to implement consistent data security policies, or training schemes that educate staff on keeping data safe.
The latest figures from the Information Commissioner’s Office (ICO) bear this out. The NHS and other UK health providers reported 221 data security incidents during the final three months of 2016, and the sector accounted for close to 40% of all security incidents reported to the ICO from all sectors during that period.
As healthcare organisations in the UK scramble to better protect patient data, they will find relief in an unlikely place – the public cloud. Once feared as incompatible with security and compliance, major public cloud applications such as Office 365 have in fact avoided large-scale breaches and prolonged outages, despite being under constant attack.
The reason is simple: major cloud providers spend more on security staff and security infrastructure than most enterprise CISOs could ever hope to see in their annual budget.
For example, in late 2015, Microsoft CEO Satya Nadella committed to spending more than one billion dollars a year on security. When a cloud vendor’s entire business depends on its ability to safeguard customer data, a massive data breach could well be fatal.
The result is that the leading cloud apps carry relatively few application-level vulnerabilities, and those that are found are patched quickly by the vendor, with no action required from the customer. These vendors also invest heavily in protecting their applications from denial-of-service attacks and other attempts at service disruption and data exfiltration.
With such a strong track record, why do security and compliance continue to be cited as the top concerns of organisations moving to the cloud? Beyond the loss of control over physical servers in a data centre, organisations are starting to realise that the responsibility is shared: the provider secures the application and the infrastructure beneath it, but responsibility for how data is accessed, shared and stored within the application lies squarely with the customer organisation.
Try as they might, cloud service providers cannot protect users from themselves. The biggest risk of data leakage, ironically, comes from the same features – such as ubiquitous access from any device and the ability to share data easily – that make the cloud such a productivity boon.
Cloud based productivity applications are a critical piece of the security puzzle because a great deal of sensitive health information inevitably finds its way into these systems.
Whether it is Google Drive, Dropbox or Office 365, many healthcare organisations will end up using cloud productivity apps in some capacity.
IT teams are responsible for enabling secure, compliant access to these apps and creating an environment where employees can collaborate more effectively without inadvertently leaking patient data.
In order to control how the cloud is used, many organisations have already deployed third-party tools such as identity-as-a-service (IDaaS) products and cloud access security brokers (CASBs).
These technologies help ensure the organisation does not take on unnecessary additional risk in its quest for increased productivity and better patient outcomes. Among other things, they are used to control access from staff-owned mobile devices, to ensure that external sharing is managed appropriately, and to limit the damage that can be done with compromised user credentials.
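To make the three controls above concrete, here is an added example (not code from the article, from Bitglass, or from any real CASB product) of the kind of policy evaluation such a tool applies to a cloud app's audit trail. The trusted domains, sensitivity labels, rule names and every audit event below are constructed for illustration; a real deployment would read events from the app's audit API and enforce, rather than merely flag, the violations.

```python
"""Toy CASB-style policy check over cloud-app audit events.

Added example, not from the article or Bitglass; every domain, label and
event below is constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List

# Assumption: the organisation's own tenant domains; anything else is "external".
TRUSTED_DOMAINS = {"nhs-trust.example", "partner-trust.example"}

# Assumption: classification labels applied by the app's DLP/sensitivity labelling.
SENSITIVE_LABELS = {"PHI", "Confidential"}


@dataclass(frozen=True)
class Event:
    event_id: str
    user: str
    action: str           # "share" | "download" | "login"
    label: str            # sensitivity label on the file ("" for logins)
    target: str           # recipient address for shares, "" otherwise
    device_managed: bool  # True if the device is enrolled in MDM
    mfa: bool             # True if the session was MFA-authenticated


@dataclass(frozen=True)
class Finding:
    event_id: str
    rule: str
    severity: str


def _domain(address: str) -> str:
    """Recipient domain of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else address.lower()


def evaluate(ev: Event) -> List[Finding]:
    """Return the policy violations a single audit event triggers."""
    findings: List[Finding] = []
    sensitive = ev.label in SENSITIVE_LABELS

    # Rule 1: sensitive data must not be shared outside the trusted domains;
    # an "anyone with the link" share is treated as external by definition.
    if ev.action == "share" and sensitive:
        if ev.target == "anyone-with-link" or _domain(ev.target) not in TRUSTED_DOMAINS:
            findings.append(Finding(ev.event_id, "external-share-of-sensitive-data", "high"))

    # Rule 2: sensitive data may only be downloaded to managed devices,
    # which is how access from staff-owned phones and laptops is contained.
    if ev.action == "download" and sensitive and not ev.device_managed:
        findings.append(Finding(ev.event_id, "sensitive-download-to-unmanaged-device", "high"))

    # Rule 3: every session must be MFA-authenticated; a password-only
    # session is what turns a phished or reused credential into a breach.
    if not ev.mfa:
        findings.append(Finding(ev.event_id, "session-without-mfa", "medium"))

    return findings


def evaluate_all(events: List[Event]) -> List[Finding]:
    """Evaluate a batch of events and return all findings in order."""
    out: List[Finding] = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    Event("e1", "alice@nhs-trust.example", "share", "PHI", "bob@nhs-trust.example", True, True),
    Event("e2", "alice@nhs-trust.example", "share", "PHI", "friend@webmail.example", True, True),
    Event("e3", "carol@nhs-trust.example", "download", "PHI", "", False, True),
    Event("e4", "dave@nhs-trust.example", "login", "", "", True, False),
    Event("e5", "erin@nhs-trust.example", "share", "Public", "anyone-with-link", True, True),
    Event("e6", "frank@nhs-trust.example", "share", "Confidential", "anyone-with-link", False, False),
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_EVENTS):
        print(f"{f.event_id}: {f.rule} [{f.severity}]")
```

Note that the rules key off the file's sensitivity label rather than trying to inspect content at share time; in practice the labelling (whether manual or DLP-driven) is the control that everything else depends on, so an unlabelled patient record slips through all three checks. That gap is exactly the "protecting users from themselves" problem the article describes.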
Inadequate security precautions and any breach of health information, no matter the size or cause, can result in substantial penalties. In the UK, any organisation that processes personal information must comply with the eight data protection principles of the Data Protection Act 1998.
The ICO has the power to fine organisations that miss the mark. For example, a fine of £200,000 was recently issued to HCA International, a private health firm, following an investigation into the way the firm was transferring, transcribing and storing recordings of patient appointments.
In 2016, Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data on the internet, breaching its data protection responsibilities and landing the trust a similarly substantial fine.
By procuring cloud apps with a strong security track record, and combining them with third-party tools that secure the data held in those apps, the NHS and other healthcare organisations in the UK can materially improve their ability to protect medical records. This, in turn, will help them avoid fines and focus on their core competency – delivering care services.
Sourced by Eduard Meelhuysen, head of EMEA at Bitglass