SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Time for a health check of your patient data security? 
Wed, 1st Mar 2023

Pressures on the health service, from an ageing population to the COVID backlog, new treatments and staff shortages, mean that innovation and digital transformation have a major role to play. The use of AI in speeding up the work of radiologists in reading MRI scans is a prime example. Digitalisation is also a vital part of the clinical trials process for new drugs and medical devices. However, innovation is not without its risks. One of the major challenges facing healthcare organisations embarking on digital transformation is the risk that patient data will be compromised, leaked or stolen.

So why has the risk to patient data security risen up the agenda over recent years? First, the implementation of technology has created a broader attack surface for malicious actors. GP practices are connected to the NHS, pharmacies and hospitals. The increased use of apps in delivering personalised healthcare and telehealth means that we are reliant on a whole army of developers to make sure these apps are secure as well as delivering health outcomes.

Big data is increasingly being used in the field of public health to track health conditions like type 2 diabetes, which is invaluable in driving improvements in therapies and disease prevention. In the case of the COVID pandemic, big data played an essential role in tracking the disease, as well as in clinical trials of the vaccines. But the area of big data poses some major questions for the use of patient data, as illustrated by the class action against Google subsidiary DeepMind for the alleged misuse of the confidential records of 1.6 million UK patients.

Although the NHS is a national treasure with free treatment at the point of use, it is made possible by a combination of state-owned and private sector organisations. This covers everything from NHS Trusts, GP practices, pharmacies, medical device and pharmaceutical companies, not to mention a raft of private sector IT providers. With so many organisations involved, the security risk rises exponentially, regardless of whether they are public or private sector. Online pharmacies have been caught selling private patient data illegally. Hospitals have fallen victim to ransomware attacks. As recently as August last year, an attack on a third-party NHS software provider led to clinicians losing access to patient records and having to make decisions without access to vital patient data.

So, what is the potential impact of poor patient data security? As we have seen, clinicians not having access to patient records means there is a potential risk of doctors and nurses working ‘blind.’ That could mean patients being given the wrong treatment and no account being taken of vital information like allergies or underlying health conditions. This, in turn, could have a financial impact on the health provider in terms of malpractice suits and compensation for medical negligence.

Other financial impacts could be in the shape of fines from the regulators for poor management of personal health data, as in the case of Dedalus Biologie in France, where regulators imposed a fine of €1.5 million for failure to comply with patient data security obligations after information including social security numbers and recent medical diagnoses such as HIV status was leaked. This brings us to the topic of ransomware, where hackers can cost health providers millions in remediation costs, irrespective of any ransom payments made to cyber criminals or the reputational damage done to the healthcare provider.

In the specific case of clinical trials for new therapies or devices, the loss or compromise of patient data could render the trials invalid while at the same time running the risk of loss of intellectual property. When you consider the cost of a typical pharmaceutical trial is in the region of $50 to $100 million, this is a serious risk, quite apart from the fact that any tampering with data from clinical trials could result in IoT-connected devices administering the incorrect dosage to a patient.

So, what steps should we be taking to minimise the risk of a breach of patient data security? There are a number of “safeguards” required to protect personal health data against unauthorised access. Priority number one is end-to-end encryption of data. Encryption is the ultimate fail-safe measure: if the worst happens, unauthorised persons will not be able to make sense of the information they have obtained. With increased IoT adoption, this is becoming more of a concern for healthcare providers. Data should be encrypted at rest (in all places, including network and cloud backups) and in transit, with the decryption keys held on a separate device or at a separate location from the data they protect.

The next priority is access control. The mantra here is that only people who need to know the information should have access to that information. And even then, they only need access to the specific subset of information they need to perform their duties. Hospital administrators don’t need to know about specific diagnoses or treatments, but they may need to know a patient’s national insurance number. And access control needs to be backed up by robust policies about who can access what data, with strict controls to prevent people from sharing login details. ‘Email and password’ is no longer enough, and there needs to be more reliance on two-factor/multi-factor authentication (2FA/MFA), ideally using a physical security key device.
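The need-to-know rule above (an administrator may see a national insurance number but not a diagnosis) is easiest to enforce when permissions are defined per field rather than per record. The following is an added example, not code from the article or from any NHS system: it uses constructed sample data and hypothetical role names, checks every read against a role-to-field policy, refuses (fails closed) when a disallowed field is requested, and writes each decision to an audit trail so that access policy violations can be detected afterwards.

```python
"""Field-level, role-based access control for a patient record.

Added example (not from the article). The roles, fields and record values
below are constructed for illustration; a real deployment would load the
policy from configuration and the audit trail would go to tamper-evident
storage rather than an in-memory list.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical policy: each role may read only the listed fields.
ROLE_PERMISSIONS = {
    "clinician": {"patient_id", "name", "allergies", "conditions",
                  "diagnoses", "treatments"},
    "administrator": {"patient_id", "name", "ni_number", "address"},
    "pharmacist": {"patient_id", "name", "allergies", "treatments"},
}

# Constructed sample record; every value is made up.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "ni_number": "QQ123456C",
    "address": "1 Example Street",
    "allergies": ["penicillin"],
    "conditions": ["type 2 diabetes"],
    "diagnoses": ["example diagnosis"],
    "treatments": ["metformin"],
}


@dataclass
class AuditEntry:
    """One access decision: who asked for what, and what was granted or denied."""
    when: str
    user: str
    role: str
    requested: tuple
    granted: tuple
    denied: tuple


AUDIT_LOG = []  # in-memory audit trail for the example


class AccessDenied(PermissionError):
    """Raised when a role requests a field outside its permitted set."""


def read_record(user, role, record, requested_fields, strict=True):
    """Return only the requested fields the role is permitted to read.

    strict=True refuses the whole request if any field is disallowed
    (fail closed). strict=False silently drops disallowed fields and returns
    the permitted subset. Both outcomes are recorded in AUDIT_LOG, so a
    pattern of denied requests is visible to whoever reviews the trail.
    """
    allowed = ROLE_PERMISSIONS.get(role)
    if allowed is None:
        raise AccessDenied(f"unknown role {role!r}")
    requested = set(requested_fields)
    granted = requested & allowed
    denied = requested - allowed
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(),
        user=user,
        role=role,
        requested=tuple(sorted(requested)),
        granted=tuple(sorted(granted)),
        denied=tuple(sorted(denied)),
    ))
    if denied and strict:
        raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
    # Only copy fields that exist in the record and were granted.
    return {name: record[name] for name in granted if name in record}


if __name__ == "__main__":
    # An administrator may read the NI number but not a diagnosis.
    print(read_record("admin1", "administrator", PATIENT_RECORD,
                      ["name", "ni_number"]))
    try:
        read_record("admin1", "administrator", PATIENT_RECORD, ["diagnoses"])
    except AccessDenied as exc:
        print("refused:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

The policy is deliberately an allow-list: a field that is not named for a role is denied, so adding a new sensitive field to the record never exposes it by accident. Pair this with the MFA requirement the article mentions, since the role check is only as trustworthy as the login that established the user's role.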

Another key safety measure is network segmentation; it is vital to keep critical patient monitoring and diagnostic devices in a separate part of the IT network using network virtualisation. Monitors capture real-time patient health diagnostics from wired or wireless sensors and will send out an alarm when there is cause for concern, like low blood pressure. If anything interferes with the signal or the functioning of the monitoring device, this could pose an immediate danger to the patient. In the event of hackers breaking into the core IT network, it must not be possible for them to move laterally across the facility and access either patient records or critical medical devices.

Even with these measures in place, there is no room for complacency. Health networks are built over a number of technology generations, and there needs to be intrusion and malware protection at every possible entry point. And, because the mix of technologies is so challenging, regular penetration testing (or pen testing) is essential to make sure no gaps have been left by applications and firewalls that have not been given the latest software updates.

And finally, patient data security is ultimately dependent on best practices by staff. Security training must be delivered at all levels to make sure that employees understand their contribution to keeping data secure and systems free from unwanted interference. That ranges from simple things, like not sharing login details and not leaving computers logged in after a session has finished, to the more sophisticated dangers of email phishing and social engineering that criminals use to get at patient data. Ultimately, patient data is always going to be vulnerable to misuse and criminality, but there is much that all stakeholders can do to mitigate the risks while securing the benefits of advances in technology. The sad reality is that we are only just waking up to the threats.