Healthcare under attack: 2/3 of orgs hit last year, insiders an issue, training lacking

News by Rene Millman

67 percent of healthcare organisations suffered a cyber-security incident in the last 12 months, 39 percent of them down to staff; investment is too low and there are too few training programmes to ensure staff use systems correctly.

More than two thirds (67 percent) of healthcare organisations suffered a cyber-security incident in the last 12 months, according to new research.

A survey of senior business decision makers within healthcare organisations across the UK also found that almost half of these incidents occurred as a result of viruses or malware introduced by third-party devices.

The study was carried out by data security provider Clearswift to highlight the serious threat that data breaches and malicious attacks pose to the UK’s health-related data.

The survey also found that the industry is still suffering from insider threats, with 39 percent of incidents occurring as a result of employees sharing data with unauthorised recipients and 37 percent coming from employees not following cyber protocols. Despite this level of incidents, the data revealed that the industry is still not putting the right level of investment behind cyber-security measures, with 74 percent of respondents believing more budget should be allocated to cyber-defences.

The number of security incidents contrasts with other findings from the survey, which revealed that less than a quarter (24 percent) of respondents had an adequate level of budget allocated to cyber-security. There also appears to be a disparity between where budget is being spent and where it actually needs to go, with 46 percent of respondents revealing that investment goes into database security, versus just 26 percent for endpoint security.

Alyn Hockey, VP of product management at Clearswift, said that the healthcare sector needs to securely share data across departments and organisations in order to facilitate excellent patient care. 

"With the proliferation of third-party devices in this process, it’s more important than ever that the industry bolsters its cyber-security efforts to reduce the risk of everything from unwanted data loss to malicious attacks and focusses on keeping patient data safe and secure," he added.

In a related development, according to a Freedom of Information request conducted by StarLeaf, 80 percent of NHS trusts across the UK are implementing new technology systems due to the transition from the N3 network to the Health and Social Care Network. However, the request revealed that the majority of the trusts claim not to have any training programmes in place to ensure that staff are using these systems correctly.

The research also found that where video conference systems are overly complex, it hampers communication amongst staff, with the risk of staff shunning approved applications and turning to shadow IT services, such as WhatsApp, to communicate and share information. This could have a serious impact on the security and privacy of patient data across the NHS.

Mark Loney, CTO at StarLeaf, said that evidence he has seen suggests that when faced with cumbersome video conferencing equipment and limited training, it’s easy for people to turn to familiar tools such as WhatsApp. "This puts trusts at the risk of security breaches," he warned.

The research comes after it was recently reported that billions of medical images were breached. These images, such as X-rays, ultrasounds and CT scans, contained personal health information: patient names, dates of birth, sensitive information about diagnoses and, in some cases, even the social security numbers of American-based patients.

These were easily accessible due to a decades-old file format and industry standard known as DICOM, which can be viewed with a free-to-use app. DICOM images are typically stored in a picture archiving and communication system (PACS) server, allowing easy storage and sharing and, in this case, breaches.

Felix Rosbach, product manager at comforte AG, told SC Media UK that the massive number of data sets, combined with the number of freely accessible PACS systems that were configured in similar ways, shows that protecting data is still a major challenge for organisations in all verticals.

"While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information – especially PII and healthcare records. These are core requirements of data privacy regulations like the newly introduced CCPA, HIPAA and GDPR. There might be fines coming up for this, so pay attention," he said.

Rosbach added that the fundamental issue at hand is how these providers manage data, such as in this case where "portions of some patients’ information were contained in the images, the focus should be on ensuring that PHI and PII data are never in an e-mail in the first place.

"The best way to remedy the threat of unnecessary data breach is by prescribing the strong medicine of a data-centric security approach to protect and de-identify data while maintaining its analytic value – thereby ensuring that regardless of where the data is stored, sent, or shared and no matter who has access, it is protected," he added.
