Five cyber security issues facing the healthcare industry
Healthcare organisations hold some of the most sensitive personal data, including vast amounts of Personally Identifiable Information (PII), which means that hackers can paint a vivid profile of their targets.
Names, addresses, health insurance details, and often financial information, can enable attackers to commit identity fraud and other financial cyber-crimes. The highly valuable nature of this data makes healthcare a prime target for hackers.
To combat the rising cyber threat, the NHS is expected to spend £1bn on cyber-security and data consent. However, the recent deal between Google’s DeepMind and the NHS has called data privacy and security into question. Whilst doctors may benefit from the introduction of modern-day technology, patient data, which in some cases is not anonymised, could be at risk.
Healthcare suffered more breaches than any other sector in the UK in the final quarter of 2015, with half of all data breaches reported to the Information Commissioner’s Office (ICO) coming from private or public health organisations, so concerns are valid. Healthcare organisations need to ensure watertight policies and procedures are implemented, although there is no solution available that can guarantee security. As cyber-attacks become more complex, healthcare IT professionals need to stay on top of their security strategies in order to deal with threats. Here are five issues facing the industry today:
1 – The Black Market
Healthcare data is highly valuable to hackers because they can sell it for a high price on the black market. Patient information is in especially high demand right now as it can be sold for upwards of $50 (£38) per record. When compared to stolen credit card numbers, which only sell for about $1 (£0.75) each, the urgency to protect this data is obvious. Hackers stand to make a lot of money from major breaches that expose millions of people’s data, and the headlines indicate that the industry is currently fighting a losing battle.
2 – Scams Aplenty
Health data isn’t just for selling. Cyber-criminals can also use patient information for fraudulent activities such as billing private insurers. Unfortunately, it gets worse. The consequences of a data breach are disproportionately high for the healthcare industry. According to the Ponemon Institute, the average cost of a data breach per person is $201 (£150). However, within the healthcare industry, the per person cost is $359 (£270).
The Data Protection Act (DPA) is supposed to safeguard patient data and organisations within the NHS. According to the recent Shadow Data Report from Blue Coat, patient information (PI) dominates the healthcare and pharmaceutical industries at 52 percent of all sensitive documents. Unencrypted cloud data that is exposed to a breach can be extremely expensive and put the organisation at risk of reputational damage.
3 – Send It to The Cloud or Keep It On Premises
Compliance is a major concern for any healthcare organisation, and it makes many providers hesitant to update or switch to new security systems. That hesitancy is a major issue for the healthcare industry: threats are becoming more advanced every day and healthcare security systems need to evolve.
For example, cloud data protection (CDP) gateways provide flexible control that protects sensitive information before it leaves a corporate network. The gateway intercepts PI while it’s still on premises and replaces it with a tokenized or encrypted value, which is then sent to the cloud. This way, the data is meaningless to anyone outside the network who may intercept it on its way to the cloud or access it while it is in the cloud. These platforms also ensure end-users keep their required cloud SaaS application functionality, even on data that has been strongly encrypted or tokenized. There are also technologies that can be used to continually monitor and scan files for PI and take actions such as blocking them from being sent to cloud environments or simply alerting IT that the information has been sent to the cloud.
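The gateway behaviour described above, sketched as an added example (not from the original article or any vendor's product): PI fields are replaced with keyed tokens before a record leaves the network, and free text containing a PI-like pattern is blocked. The field names, the NHS-number-style pattern and the `TokenGateway` class are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: fields this hypothetical gateway treats as patient information (PI).
PI_FIELDS = {"name", "nhs_number", "address"}
# Assumption: a simple pattern for a 10-digit NHS-number-like value in free text.
PI_PATTERN = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")


class TokenGateway:
    """On-premises gateway: the key and the token vault never leave the network."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)   # held on premises only
        self._vault = {}                             # token -> original value

    def _token(self, field, value):
        # Deterministic per field+value, so the SaaS app can still match
        # and search on equality without seeing the real value.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        return "tok_" + mac.hexdigest()[:24]

    def outbound(self, record):
        """Return the copy of `record` that is allowed to leave for the cloud."""
        safe = {}
        for field, value in record.items():
            if field in PI_FIELDS:
                token = self._token(field, value)
                self._vault[token] = value
                safe[field] = token
            elif isinstance(value, str) and PI_PATTERN.search(value):
                # PI found in a field that is not tokenized: block the upload.
                raise ValueError(f"blocked: possible PI in field {field!r}")
            else:
                safe[field] = value
        return safe

    def inbound(self, record):
        """Restore original values for users inside the network."""
        return {f: self._vault.get(v, v) if isinstance(v, str) else v
                for f, v in record.items()}


# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Example", "nhs_number": "999 000 0001",
          "address": "1 Sample Street", "ward": "B4", "notes": "Review in 2 weeks"}
```

Because the tokens are keyed and deterministic, the cloud application can still match records on a tokenized field, while only a gateway holding the key and vault can map a token back to the original value.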
4 – Encryption Is Your Friend
Encryption encodes data so that only authorised parties can decrypt the information and read it. It doesn’t necessarily prevent someone from intercepting the data, but it does prevent them from viewing it. It’s essential that encryption keys be physically held and managed by the end-user organisation’s IT team and not by the cloud provider’s. Losing ownership of encryption keys opens the organisation up to additional risks such as data leakage.
5 – The Fear Factor
As mentioned, healthcare leaders are sceptical about trying new security and storage options. Many IT leaders fear losing control of such regulated and sensitive data. This is understandable, but solutions such as CDPs and encryption address these concerns. New data control and protection solutions are emerging to help healthcare organisations address these threats. It’s time to embrace these solutions and put them to work to combat the new and very real threats facing the industry.
By Robert Arandjelovic, Director of Security Strategy, Blue Coat (now part of Symantec)
Read the September 2016 issue of Business Review Europe magazine.