Healthcare organisations are 340% more likely to be hit by an IT security incident than the average across all sectors, and 200% more likely to experience data theft, according to research.
Medical information sells for 10 times more than other data on the black market, making it a key target for cyber criminals, according to the study from supplier Raytheon|Websense. The figures come from analysing telemetry feeds from healthcare organisations all over the world, as part of the five billion daily security events identified by the firm’s threat intelligence network.
Hackers are much more likely to use certain forms of malware to target healthcare organisations: they are 450% more likely than average to be hit by the Cryptowall ransomware, a Trojan that encrypts files on a user’s device and demands payment to release the data.
The Dyre “man in the middle” malware turns up 300% more often in healthcare – a phishing attack that directs users to fake banking websites to steal their login details. And Dropper, which plants malware that opens up backdoors onto systems, appears 376% more often in healthcare – in the first half of this year, 83% of all Dropper incidents worldwide took place in the sector, according to the Websense survey.
The research does not break down its findings by country, but in the UK the NHS has been heavily criticised for its lacklustre approach to cyber security. In February 2015, the Information Commissioner’s Office (ICO) obtained powers to forcibly audit NHS organisations after a series of data protection issues in NHS trusts.
The ICO has issued NHS organisations fines totalling £1.3m for offences such as data protection breaches, improperly disposing of confidential information and sharing private data with other organisations without proper consent.
“The NHS holds some of the most sensitive personal information available but, instead of leading the way in how it looks after that information, the NHS is one of the worst performers. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough,” said Christopher Graham, the information commissioner at the time.
Last year, civil liberties pressure group Big Brother Watch called for better healthcare data security after a study revealed the NHS had suffered an average of six data breaches a day for the previous three years.
Health organisations' security in race to catch up with technology
But NHS trusts are responding to the threats they face. University College London Hospitals (UCLH) NHS Foundation Trust, for example, is using real-time IT analytics to deliver quick responses to security and other incidents. And Yeovil District Hospital NHS Foundation Trust said it has increased spending on cyber security fivefold since 2012.
Most of what needs to be done to ensure data security is relatively simple, said Derrick Bates, information security officer at North Cumbria University Hospitals NHS Trust, speaking at an event in London in 2014.
“The best way to make sense of all the security guidance from various information security bodies is to ask six key questions: Who, what, where, when, how and why,” he said. “Answering these six questions will provide 95% of what is required to make a business case for securing your network and provide greater clarity of thought on the topic.”
The accidental disclosure of the names and addresses of 780 people by an HIV clinic in London in September 2015 suggests data breach lessons of the past have yet to be learned.
The rapid growth of digital healthcare technology is leading to a substantial increase in targeted attacks, said Carl Leonard, Raytheon|Websense principal security analyst.
“While the finance and retail sectors have long honed their cyber defences, our research illustrates that healthcare organisations must quickly advance their security posture to meet the challenges inherent in the digital economy – before it becomes the primary source of stolen personal information.”