Healthcare suffers more data breaches than any other sector in the UK, with half of all data breaches reported to the ICO originating from public and private health organisations.
Data published by the Information Commissioner's Office (ICO), responsible for data governance in the UK and to which all government departments report, reveals that 184 breaches were reported in the health sector in the final quarter of 2015.
The second most breached sector was local government, which reported 43 breaches in the same quarter.
The ICO is concerned at this development: "The health sector handles some of the most sensitive personal data. Data security incidents can lead to extensive detriment and high levels of distress for the data subjects affected."
Chris Gibson, director of CERT-UK, shed some light on this for SCMagazineUK.com: “The healthcare sector is hugely fragmented. It's a very confused and convoluted governance structure.” This area can be a confusing morass of various levels of authorities, public and private bodies and, of course, patients, making it hard to implement across-the-board policies and training schemes which might educate employees in protecting data.
“They are absolutely trying to fix that problem but it is a challenge,” added Gibson, saying that schemes like CareCERT, a Department of Health organisation which advises healthcare bodies on cyber-threats, are helping NHS organisations become more secure.
In recent years, medical data has become one of the more lucrative things on the cyber-underground. “For attackers motivated by profit, the incentive is very high”, Ted Harrington, executive partner at Independent Security Evaluators, told SC.
While credit card information will net a hacker little more than a pound, medical records can fetch as much as US$50 (£30). They also tend to contain a tranche of information, far more useful than what you would get from a credit card.
Medical records contain the personally identifiable information of not just the patient but also family members, as well as records of admission, prescriptions, medical histories and a whole host of other valuable data.
Even for those with less mercenary aims, hospitals make great targets, added Harrington: “For attackers motivated to cause chaos and create fear, there is perhaps no better platform to attain those goals than to make people afraid of going to the hospital.”
For those seeking to do actual physical harm, “there is obvious and ample opportunity in healthcare to pursue that goal without the typical requirement of being present to do so,” Harrington said.
Harrington's company, Independent Security Evaluators, has previously investigated the state of information security in the American healthcare sector and found it wanting. Harrington told SC, “A confluence of factors expose the healthcare system to breach: insufficient funding, insufficient staffing, lack of effective training, lack of network awareness, lack of security assessment and the list goes on.”
On this side of the Atlantic, an FOI disclosure to Accellion, a private cloud solutions company, showed the level of cyber-security awareness within the NHS to be ‘alarming’.
It's not all bad news, though. Breaches hitting the health sector have come down 10 percent on the previous quarter, from 204. This, however, seems to be part of a wholesale reduction in the number of breaches as healthcare bodies still maintained their 41 percent proportion of data breaches in the same quarter.
Breaches against local government, however, increased by 34 percent – although, again, it was part of a long-term decline. Data breaches in the legal sector saw a similar increase of 32 percent. Education, general business, finance, insurance and credit all dropped from the previous quarter.
The report focused on incidents that contravened the seventh data protection principle which deals with information security.
The disclosed information also details the manner in which most breaches happen. A large proportion of incidents occurred as a result of either the loss or theft of paperwork or wrongly addressed data. However, most incidents were filed under the nebulously titled category of "other principle 7 failure".