Jamie Stone, VP EMEA, Anomali

(NB - Written prior to the WannaCry attack, hence emphasis on data)

An individual's credit card information may be worth a few pounds on the black market, but healthcare data can fetch between 50 to 100 times that. And while credit cards can be cancelled, healthcare information – which contains sensitive information such as addresses, medical history, emergency contact, and more – cannot. 

Criminals could potentially use this data to sign up for new credit cards or commit insurance fraud. 

In March 2017, it emerged that access could be gained to the private records of 26 million NHS patients.[1] This shows the vulnerability of patient data at a network level. 

At a device level the threat is also apparent. For example, in 2010, Brighton and Sussex University Hospitals NHS Trust was fined £325,000[2] by the Information Commissioner's Office (ICO). This was because more than 200 decommissioned drives belonging to the Trust that should have been wiped and destroyed in fact ended up on eBay. 

Patient data is at risk when staff do not follow protocol and many NHS data breaches could have been prevented. 

The UK Government has made moves to ensure higher security[3] for NHS departments and suppliers in the form of NHS Digital's Information Governance (IG) guidelines.[4] 

George Freeman MP writes: “As the health and social care system becomes increasingly paperless and digital it also becomes ever more important that there are adequate and robust protections in place to protect the data and information held within it.”

While we welcome this increased emphasis on data protection, we also believe that the UK Government should go one step further. Patient data would be even more secure with increased stakeholder collaboration. 

One way that other industries such as banking are getting ahead of attackers is by sharing information. Not only do they invest in mitigating equipment but they also share indicators of compromise (IOCs) and malicious activity with industry peers in a trusted network. 

Attackers share information among themselves and it is time that health organisations did the same to strengthen defences. An industry-wide, multiple stakeholder group that shares information, provides training and best practice would be a critical tool in the fight against cyber-crime in the UK health sector. 

In the US there is already a culture of health bodies, service suppliers and manufacturers working together to protect data. 

For example, the Health Information Trust Alliance (HITRUST), launched in 2007, is a collaboration of healthcare, business, technology, information privacy, risk and security leaders. HITRUST runs several programmes to drive widespread confidence in the industry's safeguarding of health information. This includes the Cyber Threat XChange (CTX). 

Numerous healthcare and industry related bodies are involved and they share IOCs within the CTX. This service streamlines cyber-threat information sharing and accelerates significantly the detection of – and response to – cyber-threats targeted at the healthcare industry. 

Because the HITRUST CTX platform operates in real-time, the intelligence is delivered in a timely manner and is immediately consumable by all organisations. This allows for a proactive approach to detecting any instances of a local threat. 
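To make concrete what "immediately consumable" sharing looks like on the receiving side, here is an added illustration (not code from the original article, from Anomali, or from HITRUST) of how a hospital's security team might ingest a peer-shared indicator feed and run it against its own logs. The feed format, the field names, the indicator values and the log lines are all constructed for this example; a real exchange would typically use a standard such as STIX/TAXII, and the confidence and time-to-live handling shown here is an assumed policy, not one the article describes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of indicators as they might arrive from a peer exchange.
# Each carries the sharer's confidence and a time-to-live so stale indicators age out.
SHARED_IOCS = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "first_seen": "2017-03-01T00:00:00Z", "ttl_days": 30},
    {"type": "domain", "value": "update-portal.example", "confidence": 70,
     "first_seen": "2017-03-05T00:00:00Z", "ttl_days": 14},
    # Stale indicator: first seen long ago, so it should no longer generate alerts.
    {"type": "sha256", "value": "ab" * 32, "confidence": 95,
     "first_seen": "2016-01-01T00:00:00Z", "ttl_days": 30},
]

# Constructed local log lines (proxy and endpoint anti-virus) in key=value form.
SAMPLE_LOGS = [
    "2017-03-10T09:12:44Z proxy src=10.1.4.22 dst=203.0.113.45 host=cdn.example url=/a",
    "2017-03-10T09:13:01Z proxy src=10.1.4.23 dst=198.51.100.7 host=update-portal.example url=/b",
    "2017-03-10T09:14:10Z av endpoint=ward3-pc1 sha256=" + "ab" * 32 + " action=quarantine",
    "2017-03-10T09:15:00Z proxy src=10.1.4.24 dst=192.0.2.10 host=intranet.local url=/",
]


def parse_iso(ts):
    """Parse the feed's UTC timestamp format into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_indicators(iocs, now, min_confidence=60):
    """Index shared indicators by value, dropping expired or low-confidence ones.

    Expiry matters: indicators shared months ago (re-assigned IPs, cleaned-up
    domains) produce false positives if they are never aged out.
    """
    index = {}
    for ioc in iocs:
        expires = parse_iso(ioc["first_seen"]) + timedelta(days=ioc["ttl_days"])
        if now <= expires and ioc["confidence"] >= min_confidence:
            index[ioc["value"]] = ioc
    return index


def parse_log(line):
    """Turn a key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def match_logs(lines, index, watched_fields=("dst", "host", "sha256")):
    """Return one hit per (log line, field) whose value is an active indicator."""
    hits = []
    for line in lines:
        fields = parse_log(line)
        for key in watched_fields:
            value = fields.get(key)
            if value is not None and value in index:
                hits.append({"log": line, "field": key, "ioc": index[value]})
    return hits


def run_example(now_ts="2017-03-10T12:00:00Z"):
    """Build the active index as of `now_ts` and sweep the sample logs."""
    index = active_indicators(SHARED_IOCS, parse_iso(now_ts))
    return match_logs(SAMPLE_LOGS, index)


if __name__ == "__main__":
    for hit in run_example():
        ioc = hit["ioc"]
        print(f"{hit['field']}={ioc['value']} ({ioc['type']}, confidence {ioc['confidence']}): {hit['log']}")
```

Run as-is, the sweep flags the proxy connection to the shared IP address and the request to the shared domain, while the old file hash is ignored because its time-to-live has lapsed. The point for a sharing programme is that the value of an exchange depends as much on indicator hygiene (confidence, ageing, context) as on the raw volume of indicators shared.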

There are more than 500 participating organisations, making it the most widely subscribed threat exchange in the US healthcare industry, and it has already been critical in the sharing of data in at least two major breaches. 

The US health sector is supported throughout the supply chain by this multi-vendor framework. It provides risk management tools, education and leadership, which reduces the chances of American patient data ending up in the wrong hands. 

This system would work in the UK. Indeed, it is needed. NHS Digital's moves to drive ever-higher standards of security[5] across the board should be credited but, as the US model proves, a collaborative platform across industry is required to share information, drive awareness and best practice, and ensure compliance. 

Criminals are getting ever smarter in their pursuit of patient data. Public sector fraud is estimated to cost the UK public sector £37.5 billion per year.[6] We as an industry need to be even more organised in the way we protect patient data, and it starts with deeper security information sharing between the NHS and its many technology suppliers. 

Contributed by Jamie Stone, VP EMEA, Anomali 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.