Creating good cyber health for the NHS

  • It is imperative that healthcare managers implement robust information risk management practices to alleviate public fears over the security of personal health records, while avoiding hefty data loss penalties
  • The NHS is one of the UK’s most penalised public sector organisations when it comes to cyber compliance
  • A major overhaul of European Union data protection laws could be adopted in 2015, putting added pressure on public service organisations to ensure data security

When a health organisation suffers a data breach, it often involves the loss of sensitive information, sparking concerns from patients, employees and suppliers, as well as the resultant negative publicity.

With the collection of personal health data likely to increase in the coming decades – in a bid to improve the nation’s health – there is a growing need to create a culture within the NHS that safely encourages the use of technology.

Technological advancements enable greater working flexibility and more ways of communicating, but alongside those benefits they bring new risks that need to be managed.

This doesn’t mean that all healthcare managers will, or should, become cyber security experts overnight, but by adopting straightforward and sensible practices, the risks around data loss can be mitigated.

Legal risks

The NHS is currently one of the UK’s most penalised public sector organisations when it comes to compliance. In November 2014 the Information Commissioner’s Office ordered NHS Grampian to take action to ensure that patients’ information is better protected.

The warning came after six data breaches within a 13-month period, including papers containing sensitive personal data being left in public areas of the hospital and one case in which information was found at a local supermarket. All of the papers were returned to staff; the final incident occurred on 28 March 2014.

A major overhaul of European Union data protection laws is likely to be adopted in 2015, with strict consent requirements backed up by large fines and stronger enforcement. With patient data increasingly used by health bodies to improve healthcare processes, data management and cyber risk are being brought into sharp focus.

Cyber risks faced by the NHS

The huge amount of data held by the NHS, from basic patient details to more sensitive clinical information, intellectual property and the data of partners and suppliers, together with the hardware and software assets it holds, has enormous value to cyber criminals. The NHS can also, from time to time, experience malicious attacks from hackers looking to cause disruption or to blackmail the organisation.

Although there is little chance of preventing all cyber losses, given the ever-growing frequency and sophistication of criminal efforts to steal data, it is important to implement controls that minimise the potential impact of a cyber-attack.

Mitigating against data loss

Basic safeguards against data loss include regularly changing passwords, keeping devices physically secure and training staff not to open suspicious emails. Having the right people in place to develop this strategy, and to be responsible for implementing it, is also important. Mitigation is a balance of pre-incident and post-incident actions.

Care must also be taken by staff to avoid accidentally erasing, destroying or corrupting data or software, and to ensure that information is sent securely and to the correct recipients. Emails sent to the wrong person are one of the most common causes of data breaches.

Guidance should therefore be developed to enable an organisation-wide approach to the classification of information, so that staff know how each category of information must be handled and sent.

The threat from within should also be taken seriously, as there is increasing evidence that criminal gangs are targeting vulnerable staff within organisations to help steal valuable information.

To counter this, as a minimum, every user account should hold only the privileges its role requires, access should be granted through a provisioning and approval process, and all entitlements should be reviewed regularly. Administrative accounts should be used only for legitimate administrative activities and should not have access to email or the internet.

Administrative accounts should also be configured to require a password change at least every 60 days. Clear policies should also be set for the use of social media.
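The account controls described in the two paragraphs above (approved entitlements only, regular review, administrative accounts without mailboxes or internet access, and admin password age) can be checked mechanically against a directory export rather than by hand. The script below is an added example for this article, not code from the original page or from Zurich Municipal. The account inventory, the approvals register, the field names and the 90-day review interval are constructed assumptions; the 60-day password threshold follows the article.

```python
"""Privileged-access review over a constructed account inventory.

Added example for this article; not code from the original page or from
Zurich Municipal. The inventory, approvals register and field names are
hypothetical stand-ins for a directory export and an access-approval log.
"""
from collections import namedtuple
from datetime import date

# Thresholds: the 60-day admin password age follows the article; the
# review interval is an assumed value for "reviewed regularly".
MAX_ADMIN_PASSWORD_AGE_DAYS = 60
REVIEW_INTERVAL_DAYS = 90

Finding = namedtuple("Finding", "user check detail")

# Constructed sample inventory (one dict per account, as a directory export might yield).
ACCOUNTS = [
    {"user": "jsmith", "groups": ["Clinicians"], "admin": False,
     "mailbox": True, "internet": True,
     "password_set": date(2014, 9, 1), "last_reviewed": date(2014, 10, 1)},
    # Admin account with a mailbox and a password older than 60 days.
    {"user": "adm-jsmith", "groups": ["Domain Admins"], "admin": True,
     "mailbox": True, "internet": False,
     "password_set": date(2014, 8, 1), "last_reviewed": date(2014, 10, 1)},
    # Standard user who has accumulated a group nobody approved.
    {"user": "rjones", "groups": ["Clinicians", "Finance"], "admin": False,
     "mailbox": True, "internet": True,
     "password_set": date(2014, 10, 1), "last_reviewed": date(2014, 10, 15)},
    # Admin account whose entitlement review is overdue.
    {"user": "adm-backup", "groups": ["Backup Operators"], "admin": True,
     "mailbox": False, "internet": False,
     "password_set": date(2014, 10, 20), "last_reviewed": date(2014, 6, 1)},
    # Account with no approval record at all.
    {"user": "contractor1", "groups": ["Finance"], "admin": False,
     "mailbox": True, "internet": True,
     "password_set": date(2014, 10, 1), "last_reviewed": date(2014, 10, 15)},
]

# Constructed approvals register: username -> set of approved groups.
APPROVALS = {
    "jsmith": {"Clinicians"},
    "adm-jsmith": {"Domain Admins"},
    "rjones": {"Clinicians"},
    "adm-backup": {"Backup Operators"},
}

REVIEW_DATE = date(2014, 11, 1)  # the day the review is run


def review_accounts(accounts, approvals, today):
    """Return a list of Finding tuples for every control the inventory violates."""
    findings = []
    for acct in accounts:
        user, groups = acct["user"], set(acct["groups"])

        # Provisioning/approval: every group membership must trace to an approval.
        if user not in approvals:
            findings.append(Finding(user, "NO_APPROVAL_RECORD", ",".join(sorted(groups))))
        else:
            unapproved = sorted(groups - approvals[user])
            if unapproved:
                findings.append(Finding(user, "UNAPPROVED_GROUPS", ",".join(unapproved)))

        # Regular review: flag entitlements not re-certified within the interval.
        review_age = (today - acct["last_reviewed"]).days
        if review_age > REVIEW_INTERVAL_DAYS:
            findings.append(Finding(user, "REVIEW_OVERDUE", f"{review_age} days"))

        # Administrative accounts: no email, no internet, password rotated within 60 days.
        if acct["admin"]:
            if acct["mailbox"]:
                findings.append(Finding(user, "ADMIN_HAS_MAILBOX", ""))
            if acct["internet"]:
                findings.append(Finding(user, "ADMIN_HAS_INTERNET", ""))
            pw_age = (today - acct["password_set"]).days
            if pw_age > MAX_ADMIN_PASSWORD_AGE_DAYS:
                findings.append(Finding(user, "ADMIN_PASSWORD_STALE", f"{pw_age} days"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, APPROVALS, REVIEW_DATE):
        print(f"{f.user:<12} {f.check:<22} {f.detail}")
```

Run against the sample inventory, the review clears jsmith and raises five findings: a mailbox and a stale password on adm-jsmith, an unapproved Finance group on rjones, an overdue review on adm-backup and a missing approval record for contractor1. In practice the inventory would come from the directory and the approvals register from the access-request system, and the findings list would feed the regular review rather than replace it.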

Network security can be strengthened to prevent malware attacks: computers and network devices, including wireless access points, should be securely configured, user privileges should be managed, and controls should be in place for staff working from home or using a mobile device.

It is imperative that employees understand and follow even the most basic cyber guidelines for them to be effective.

Cyber risk management is crucial to rebounding quickly from a successful cyber-attack and should dovetail with, and form part of, an organisation’s business continuity management approach. There should also be an understanding of what a breach means not only financially, but also operationally and reputationally.

Physical impact and costs of a cyber-attack

Regular checks to assess the vulnerabilities in IT systems, staff training, processes and technology can also help. Hackers are always looking for the weakest link through which to gain access to a system.

Cyber-attacks can also cause physical disruption to a healthcare organisation. If, for instance, malware has brought down the IT network, staff may be forced to rely on paper records. Again, robust business continuity management processes can help to identify where these threats are likely to arise and to mitigate the risk.

Any successful attack can bring with it a hefty fine, reputational damage and the cost of subsequent IT upgrades.

Given the environment – with vast amounts of confidential data, and IT systems critical to the running of many healthcare bodies – mitigating cyber risk is increasingly important. To keep the NHS in the best of cyber health, the right controls need to be in place and the cyber threat should not just be considered an IT issue, but one that concerns management, too.

If in doubt, Zurich Municipal is more than happy to provide its customers with detailed information and practical tools to refine their approach to data security.