UK healthcare: cyber attack focus

NHS
More than 113 million patient records were stolen from hospitals and healthcare facilities around the globe as a result of security failures and cyber-attacks in 2015.

With IBM’s Cyber Security Intelligence Index naming healthcare as the most attacked industry in 2015, it is no surprise that 41% of all security breaches reported to the UK’s Information Commissioner’s Office (ICO) that year came from the health sector.

These attacks have not only damaged the reputation of healthcare organisations but also their bank balances. The ICO has issued 11 fines amounting to £1.4 million between April 2010 and November 2015, with one NHS trust fined £325,000 for the use of unencrypted devices.

Notable cyber-attacks and security breaches in the healthcare industry
In October 2016, North Lincolnshire and Goole NHS Foundation Trust (NLAG) had its systems infected with a virus; at least 35 patient operations were cancelled and other patients had to be relocated whilst the threat was dealt with.

In 2015
56 Dean Street, an NHS HIV clinic, released the email addresses of 781 patients while sending out its monthly newsletter. 730 of these addresses contained the full names of the recipients. The breach was an internal error for which the ICO issued a £180,000 fine.

NHS-approved online pharmacy company, Pharmacy2U, sold details of more than 20,000 of its customers to marketing companies without their knowledge or consent. This breach resulted in the ICO fining the pharmacy £130,000.

Why is the healthcare industry under attack?

Better technology and the move to paper-free healthcare allows health professionals to look up and share life-saving information wherever and whenever it is needed. This is vital in improving patient care but it has brought the industry into the sights of cyber criminals.

Personal confidential data is valuable to those with malicious intent, meaning that health and social care systems will increasingly be at risk from external threats and potential breaches as technology becomes more prevalent. This has been emphasised by Lynne Dunbrack, research vice president for the International Data Corporation (IDC): “Frankly, health care data is really valuable from a cyber-criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data.”

Reviews of data security in the health and care industry have found that internal breaches are often caused by people finding workarounds to burdensome processes and outdated technology, and that those people may be unaware of their responsibilities.

How to stop these attacks

Step 1: Cyber Essentials certification

Cyber Essentials is the UK-Government-backed security scheme that sets out five security controls that could prevent around 80% of basic cyber-attacks, improving cyber security and preserving the reputation of the healthcare industry.

Cyber Essentials certification also demonstrates to patients, suppliers and third parties that data security is being taken seriously. Amicus ITS works with CREST-approved cyber security organisations to ensure that your status has been independently verified by a third-party vulnerability scan.

Step 2: ISO 27001

ISO 27001 is the international standard that describes best practice for an Information Security Management System (ISMS). It encompasses people, processes and technology, recognising that information security within the healthcare industry is not about technology alone.

Step 3: Protect your perimeter

With threats and threat actors continuously evolving there is a real need for intelligent perimeter protection as well as innovation with password and identity management. At Amicus ITS we are happy to provide advice to help ensure your data is as secure as possible.

Amicus ITS’ specialist information governance and security division provides services to support NHS and public sector organisations. Our client base is substantial and includes corporations of all sizes. We believe our success in winning and retaining clients is due to Amicus ITS’ deep and ongoing understanding of N3 compliance requirements in the UK.

The true costs of cyber security breaches start to emerge

Pharmacy2U

We have been covering cyber security breaches and their financial costs for several years. But beyond the fines meted out to organisations whose customers’ details are forcibly taken, what about those who sell this information on willingly? There is also the cost to company reputation which, in addition to any fines, needs to be considered when calculating the real cost of any cyber security breach.

Pharmacy2U, the UK’s largest NHS-approved online pharmacy, was fined £130,000 this week for selling information collected about its own customers to third-party marketing companies. The ruling was simple: the online drug seller had not obtained permission from customers for their data to be sold on in any form. Pharmacy2U has apologised, calling the sales a “regrettable incident”. However, the impact on its reputation will be a lot larger than the penalty from the Information Commissioner’s Office (ICO).

This week also saw Sony agreeing to pay up to $8m in compensation to its employees over the loss of their personal data in the 2014 hacking scandal surrounding the release of the film The Interview. In that incident, which we covered back in December 2014, Sony Pictures Entertainment found itself the victim of a large-scale cyber-attack: unreleased films leaked, along with the personal data of 47,000 people employed by or associated with Sony. The $8m settlement still needs approval but sees Sony reimbursing current and former employees for losses, preventative measures and legal fees relating to the incidents.

In a further twist, this week saw the disclosure of a Sydney-based professional services business, which is seeking to remain anonymous, having been infected by ransomware. The malicious software found its way onto their system after an infected zip file from a client was opened. The virus then worked its way through the organisation, locking everyone’s documents and directing users to a website asking for a ransom to unlock the files. The company decided that instead of paying the ransom, they would wipe the data and recover it from their backup server. The problem with this plan was that, although the backups had been supplied by their outsourced IT supplier and assured as being okay, when they attempted to recover from them it was discovered that the backups had in fact been failing for some time and more than seven months of company data was lost. The business has since undertaken the tedious and time-consuming task of recreating this data from emails and attachments. This has cost the business A$10,000 in man hours alone for the rebuild, but the cost in terms of damage to reputation remains hard to quantify. In reference to the original ransomware price (currently unknown), the MD stated, “I might just pay next time”.

With the increasing costs to business resulting from cyber-attacks and a growing appetite for protection, many companies will be investigating cyber insurance, but even this is an emerging market which has its limits and will not cover all ultimate costs. For example, it could be difficult to get a pay-out because of the often vague definition of business disruption, and cyber insurance does not cover the all-important reputation costs. Cyber insurance can give peace of mind on large pay-outs, but it cannot protect reputation and is simply not a substitute for heightened network security, employee training and a regularly tested backup strategy.
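The Sydney business above lost seven months of data because its backups were reported as fine but were never restore-tested. The following is an added example of what "regularly tested backup strategy" can mean in practice; it is not Amicus ITS code or anything from the incidents described. It writes a tar archive with a per-file SHA-256 manifest, then verifies a backup set by checking that the newest archive is recent enough, restoring it to a scratch directory and comparing every restored file against the manifest. All file names, contents and the `tamper_with_archive` fault injection are constructed for the demo; the age threshold `MAX_BACKUP_AGE_SECONDS` is an assumed policy value.

```python
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Assumed policy: raise an alert if no backup is newer than one day.
MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, backup_dir: Path) -> Path:
    """Archive every file under source_dir and record its SHA-256 in a manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime())
    archive = backup_dir / f"backup-{stamp}.tar"
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = str(p.relative_to(source_dir))
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    archive.with_name(archive.stem + ".manifest.json").write_text(json.dumps(manifest))
    return archive


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the newest backup passed."""
    problems: List[str] = []
    now = time.time() if now is None else now
    archives = sorted(backup_dir.glob("backup-*.tar"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return ["no backup archives found"]
    latest = archives[-1]
    # Freshness check: a job that silently stopped running shows up here.
    age = now - latest.stat().st_mtime
    if age > MAX_BACKUP_AGE_SECONDS:
        problems.append(f"latest backup {latest.name} is {age / 3600:.1f} hours old")
    manifest_path = latest.with_name(latest.stem + ".manifest.json")
    if not manifest_path.exists():
        problems.append(f"manifest missing for {latest.name}")
        return problems
    manifest = json.loads(manifest_path.read_text())
    # Restore test: extract into a scratch directory and compare every file hash.
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(latest) as tar:
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")  # refuse paths outside scratch
                else:
                    tar.extractall(scratch)
        except tarfile.TarError as exc:
            problems.append(f"restore of {latest.name} failed: {exc}")
            return problems
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.exists():
                problems.append(f"{rel} missing after restore")
            elif sha256_of(restored) != expected:
                problems.append(f"{rel} hash mismatch after restore")
    return problems


def tamper_with_archive(archive: Path, rel: str) -> None:
    """Constructed fault injection: rewrite one member with altered content."""
    tmp = archive.with_name(archive.name + ".tmp")
    with tarfile.open(archive) as src, tarfile.open(tmp, "w") as dst:
        for member in src.getmembers():
            data = src.extractfile(member).read()
            if member.name == rel:
                data = b"corrupted " + data
                member.size = len(data)
            dst.addfile(member, io.BytesIO(data))
    tmp.replace(archive)


def run_demo() -> Dict[str, List[str]]:
    """Build a backup of constructed files and verify it under three conditions."""
    with tempfile.TemporaryDirectory() as root:
        source = Path(root) / "documents"
        (source / "notes").mkdir(parents=True)
        (source / "invoice-001.txt").write_text("invoice for client A\n")
        (source / "notes" / "meeting.txt").write_text("minutes of the weekly meeting\n")
        backups = Path(root) / "backups"
        archive = make_backup(source, backups)
        results = {"healthy": verify_backup(backups)}
        # Pretend seven months pass with no new backup written.
        results["stale"] = verify_backup(backups, now=time.time() + 7 * 30 * 86400)
        tamper_with_archive(archive, "invoice-001.txt")
        results["tampered"] = verify_backup(backups)
    return results


if __name__ == "__main__":
    for scenario, problems in run_demo().items():
        print(scenario, "->", problems or "OK")
```

The point of the restore test is that a backup job reporting success is not evidence that the data can come back; only an actual extraction compared against independently recorded hashes is. Run on a schedule, the freshness check alone would have flagged the Sydney business's failing backups within a day rather than after seven months.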