Cybersecurity threats in health care and the implementation of data protection requirements in the health sector

Internal cybersecurity threats prevalent in the healthcare industry   

A large proportion of security breaches in the health care industry stem from preventable human error. A study by the Ponemon Institute found that medical identity theft can, to a great extent, be prevented by giving staff adequate cyber security awareness training. The report also found that increased staff training, combined with greater employment of skilled IT security staff, could substantially improve cybersecurity defences.

According to the 2019 Data Breach Investigations Report (DBIR), security breaches in health care take the following forms more frequently than in other industries:

  • Privilege misuse. 
  • Lost or stolen assets.  
  • Web application attacks.  

The report also notes that internal incidents, whether malicious or inadvertent, are more common in health care than external attacks.

Consequences of human error: 

A 2019 report by Egress found that 79% of IT leaders stated that employees had unknowingly put sensitive data at risk of exposure.

Examples of the human errors listed include:

  • Failing to secure devices that hold sensitive data and patient records, for example forgetting where a USB stick was left.
  • Poor security hygiene, for example using weak passwords.
  • Inappropriate disclosure of sensitive information, for example discussing a patient's private treatment with a friend or family member.
  • Sending health care information to the wrong person, for example CC'ing an unrelated recipient on an email.
  • Breaching a patient's right to confidentiality out of curiosity, for example viewing a patient's record without any need to do so and then sharing it with colleagues.
  • Keeping a copy of sensitive data after resigning from a job, for example in order to sell it.
  • Misusing authority, for example granting someone access to sensitive data simply to speed up a task.

Ransomware is a highly common threat in the health care industry because of the profit to be made both from extortion and from selling the stolen private data. The usual advice is not to pay a ransom, but because health care relies around the clock on access to medical records to deliver care, health care institutions are more likely than most to pay. This makes the sector a prime target for ransomware attacks.

In many cases a ransomware incident follows from an inadvertent disclosure of personal information or a lost or stolen asset. Systems are typically compromised when phishing or malvertising succeeds in deceiving a target who lacks cybersecurity awareness.

Other commonly used methods to exploit the cybersecurity of healthcare organisations include the following: 

System compromise can be prevented by giving all employees cybersecurity awareness training, so that they avoid the simple human errors that lead to compromise and are able to recognise social engineering scams.

If a health care provider ensures that it complies with the data security and protection requirements outlined below, the risk of a system breach is substantially reduced.

Health care providers must legally abide by these data security practices… 

Last updated in 2018 and available on GOV.UK, the following is an outline of the steps health care providers are required to take to maintain effective data security practices. The requirements are set out in further detail here.

Obligation One: People  

  1. Senior level responsibility: each provider must have a senior employee responsible for overseeing data security and cyber security within the organisation.
  2. Each practice is required to complete the current GP IG Toolkit (Information Governance Toolkit v14.1); practices are advised to achieve level two as a minimum.
  3. Staff training: each GP practice is required to ensure that all of its staff complete relevant data security and protection training annually.

Obligation Two: Processes  

  1. CCGs (Clinical Commissioning Groups) will assure that the locally delegated GP IT delivery partner(s) are accountable for meeting the following requirements, with the CCG retaining responsibility through exception reporting. Organisations are required to:
  • Have a designated primary contact through which they receive and organise responses to CareCERT advisories and share the information through CareCERT Collect.
  • Note that the required action may simply be to confirm that an advisory is not relevant to the organisation's systems.
  2. Each provider is required to maintain a business continuity plan that covers the response to data and cyber security incidents. CCGs are obliged to ensure that the commissioned GP IT delivery partner(s) retain business continuity and disaster recovery plans for the services provided to GPs, including responses to data breaches and cyber security incidents.
  3. Each health care provider is required to ensure that data security incidents and near misses are reported to CareCERT in accordance with the national reporting guidance and legal requirements (NHS GP IG Toolkit 14.1-320).

Obligation 3: Technology  

  1. CCGs are required to identify unsupported systems, including software, hardware and applications, and have a plan in place to remove, replace or mitigate the risks associated with them.
  2. General practices are required to undergo on-site cyber and data security assessments when asked to do so by the NHS. Recommendations arising from the assessments must be acted upon and shared with the commissioner.
  3. Suppliers of IT services, infrastructure or systems to the GP must hold the appropriate certification.

Consequences for General Practitioners failing to properly implement cyber security  

The consequences of improper implementation of cyber security are potentially serious. The practice could suffer a data breach in which the sensitive data of countless patients and staff is stolen and sold among criminals. The likelihood of a ransom demand also rises substantially, costing the practice further time and money.

Without appropriate cyber security measures and effective backup plans to limit the damage, the health care provider could be forced to close. Staff responsible for the practice's IT management who fail to implement effective cyber security practices could also face legal consequences, depending on the severity.
