A Freedom of Information (FOI) disclosure has shown that the National Health Service (NHS) has an ‘alarming’ lack of cyber-security around mobile devices in the workplace.
Accellion, a California-based cloud solutions company, released its findings yesterday saying that “NHS trusts across England do not have adequate training programmes that guard employees against cyber threats”.
Nearly three-quarters of NHS trusts said they had no cyber-security training programme for mobile devices despite the fact that a similar number are using those mobile devices in the workplace.
As the NHS moves towards a paperless system, tablets, smartphones and other mobile devices will become more central to everyday use. Ninety-two percent of NHS trusts, according to Accellion, plan to incorporate those devices by 2018, the target date for the NHS to go paperless.
This paperless system is supposed to allow the easy transfer of medical records and was supposed to save the NHS billions.
In January 2013, Jeremy Hunt, the Secretary of State for Health, said, “The NHS cannot be the last man standing as the rest of the economy embraces the technology revolution.”
He added, “It is crazy that paramedics cannot access a full medical history of someone they are picking up in an emergency – and that GPs and hospitals still struggle to share digital records.”
But Accellion's report notes, “The uptake in smart technology is in direct correlation with the increasing number of cyber-attacks in the healthcare sector, where patient data is seen to be of greater value to hackers than financial details when sold on the black market.”
The transfer to paperless is already under way, according to Accellion's FOI. Around 80 percent of NHS trusts said they had given staff mobile devices from which many of them access patient records.
So how are these records secured? Just over half of trusts say they provide secure applications for sharing patient data. The report adds, “With the increasing uptake in smart technology, this is a figure that must change in order to prevent further cyber-attacks.”
Yorgen Edholm, CEO of Accellion, told industry press that with human error being central to most data breaches, “the integration of smartphones into the UK health service must be properly managed”.
Edholm added, "From the latest hire to the most tech-savvy employee, cyber-security must be top of mind. With the increasing use of wearable devices, employees are going to be the weakest link in the security ecosystem."
In September, the NHS announced the introduction of a dedicated cyber-security team. CareCERT (Care Computing Emergency Response Team) is meant to respond to major cyber-security incidents and be a central source for security intelligence within the NHS.
Funded through the National Cyber Security Programme, the service is meant to go live in January 2016. At the time of announcement, Rob Shaw from the Health and Social Care Information Centre (HSCIC) said, "The service will monitor for system-wide threats and will then ensure that appropriate actions are developed, supporting continued security across the sector."
SCMagazineUK.com spoke to Susannah McIntyre, a spokesperson for the NHS, who said that all “organisations must develop their own ‘bring your own devices’ policy for mobile devices following a thorough risk assessment”.
She added, “All users of the NHS must be confident that their data is safe and secure.” A review of data security for patients' details will be carried out by the Care Quality Commission with the help of the National Data Guardian, Dame Fiona Caldicott, who will develop “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account”.
From next year, “All NHS and care organisations will be inspected on how well they protect personal data, including issues such as sharing data on non-NHS devices.”
Problems like this one aren't isolated to the NHS. SC spoke to David Emm, principal security researcher at Kaspersky Lab, the security giant of the east. “Wherever devices are used, whatever the technology they're based on, all mobile endpoints that can connect to your network need to be fully secured,” Emm told SC. “Unfortunately, organisations far too often ignore the human dimension of security. But often the starting-point for a targeted attack is to trick individuals into doing something that puts security at risk. It's vital that all employees are aware of the risks and that businesses don't solely rely on technology to protect themselves.”