The NHS is about to undergo its most significant operational transformation: becoming digital. The long-awaited review by Robert Wachter, published in August 2016, goes a long way towards describing how, with its set of recommendations.
Although security is not the subject of a specific recommendation, it is fundamental to the success of such a transformation and to building trust with patients and professionals. However, the Information Commissioner’s Office (ICO) 2016 report on data breaches across sectors found that the health sector reported twice as many data breaches as the next-worst sector.
Although there are factors that may have amplified this number unfairly, the health sector cannot afford not to be at the top of its game when it comes to data and cyber security.
Cyber security can appear complex and needs expert skills to understand and manage. True, there is no one-stop solution that achieves a secure, robust digital environment, one that both upholds privacy and allows data to be shared across an integrated world of health and social care.
However, it is so fundamental to digital environments that it cannot be overlooked by any organisation, particularly not one that deals with the sensitive medical data of the entire population.
A survey published earlier this year found that NHS IT managers believe security measures in the NHS are stronger than they actually are. NHS Digital has launched a programme that aims to enhance cyber resilience across health and social care by providing incident broadcasts, training and resources to health and care providers. But before you get that far, there are some basic steps any organisation can take to prevent the kind of security breach that often hits the headlines, and for which the ICO has fined healthcare organisations in recent years.
Train your staff
Humans are the weakest link. Most people will not deliberately create insecurities, but if they do not know what the risks are and what to watch out for, they cannot help defend against them. Phishing attacks are on the rise precisely because targeting people succeeds more often than breaking through technical barriers.
Some 62% of breaches reported to the ICO originate from human error or human weakness, such as clicking on links in phishing attacks, so it is vital to tackle this.
Update your software
Software needs constant maintenance to correct issues and address newly discovered vulnerabilities. Most software manufacturers make updates and patches for off-the-shelf software available for free, and installing them is usually designed to be “do-it-yourself”. Updates can be more complicated in large, bespoke systems, where a patch to the underlying platform may need to be tested against the custom application before it is rolled out, and this should be taken into account when procuring new software and building systems.
Do not use default passwords
Default passwords are often printed in the supplier’s manual or easily found online, so they can be guessed and offer no protection. If a system allows the default to be changed, change it before the system goes live. Although obvious, do not write the password on a piece of paper next to an entry system. Clearly, having to remember a host of different passwords for different systems is annoying, but single sign-on solutions and proper architecture can help to minimise this.
Encrypt your data
Encryption is a hugely effective tool for securing information. It can be controlled centrally, so organisations are not reliant on front-line staff being vigilant and trained. It limits the damage when a laptop is lost or stolen: data on an encrypted disk cannot be read without the key, so the device cannot be used as a way into systems or records. Encryption can be applied at different levels, such as whole disks, individual files or data in transit, depending on the sensitivity of the data.
Check who you are sending to
It is too easy to mistype a fax number or let an email client’s automatic address completion fill in a different address from the one you intended. Train and remind staff of the importance of paying close attention here, particularly when sending emails to many parties or when sending large files.
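The misdirection risk described above can be caught by a pre-send check as well as by vigilance. The following is an added example, not code from the original article or from NHS Digital: a small Python rule that warns the sender when an external recipient’s domain closely resembles one of the organisation’s own (the mistyped or autocompleted address case), when a bulk send includes external parties, or when a large attachment is leaving the organisation. The domain list, thresholds and sample drafts are assumptions constructed for illustration.

```python
# Added example, not from the original article: a pre-send check for misdirected
# e-mail. The organisation's domains, thresholds and sample drafts below are
# constructed assumptions for illustration.
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional

# Assumption: e-mail domains the organisation treats as internal (hypothetical).
INTERNAL_DOMAINS = {"nhs.net", "example-trust.nhs.uk"}
MANY_RECIPIENTS = 10                      # flag external recipients on bulk sends
LARGE_ATTACHMENT_BYTES = 5 * 1024 * 1024  # flag big files leaving the organisation
LOOKALIKE_RATIO = 0.8                     # similarity that suggests a mistyped domain


@dataclass
class Draft:
    """A message about to be sent: recipient addresses and total attachment size."""
    recipients: List[str]
    attachment_bytes: int = 0


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased ('A.Nurse@NHS.net' -> 'nhs.net')."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_internal_domain(domain: str) -> Optional[str]:
    """Return the internal domain an external one closely resembles, if any.

    Catches the mistype or autocomplete cases such as 'nhs.ne' or
    'example-trust.nhs.co.uk'; unrelated domains like 'gmail.com' score low.
    """
    best, best_ratio = None, 0.0
    for internal in INTERNAL_DOMAINS:
        ratio = SequenceMatcher(None, domain, internal).ratio()
        if ratio >= LOOKALIKE_RATIO and ratio > best_ratio:
            best, best_ratio = internal, ratio
    return best


def check_draft(draft: Draft) -> List[str]:
    """Return warnings to show the sender before the message leaves; empty if none."""
    warnings: List[str] = []
    external = [r for r in draft.recipients if domain_of(r) not in INTERNAL_DOMAINS]

    # 1. An external domain that nearly matches an internal one is probably a typo
    #    or an autocompleted address the sender did not intend.
    for addr in external:
        match = lookalike_internal_domain(domain_of(addr))
        if match:
            warnings.append(f"{addr}: domain looks like {match}, check for a mistyped "
                            f"or autocompleted address")

    # 2. Bulk sends are where a stray external address is easiest to miss.
    if external and len(draft.recipients) >= MANY_RECIPIENTS:
        warnings.append(f"{len(external)} external recipient(s) in a message to "
                        f"{len(draft.recipients)} parties")

    # 3. A large file going outside the organisation deserves a second look.
    if external and draft.attachment_bytes >= LARGE_ATTACHMENT_BYTES:
        warnings.append(f"attachment of {draft.attachment_bytes} bytes is going to "
                        f"{len(external)} external recipient(s)")
    return warnings


if __name__ == "__main__":
    # Constructed sample drafts: a clean one, a dropped-character domain, a bulk
    # send with one external address and a large attachment.
    samples = [
        Draft(["a.nurse@nhs.net", "gp@example-trust.nhs.uk"]),
        Draft(["a.nurse@nhs.ne"]),
        Draft([f"clinic{i}@nhs.net" for i in range(9)] + ["x@gmail.com"],
              attachment_bytes=6 * 1024 * 1024),
    ]
    for d in samples:
        print(d.recipients[-1], "->", check_draft(d) or "ok")
```

The similarity threshold is deliberately coarse: it is meant to prompt the sender to look again, not to block the message, because a rule that blocks legitimate sends is exactly the kind of control staff will work around.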
These five steps are essential, but it is also important to remember that maintaining security must be made easy. If processes are too cumbersome or time-consuming, people will see them as a barrier to doing their job and will work around them, usually in a very insecure manner. Security is also an ongoing operation, not a one-time fix.
New threats develop, new technology emerges and people churn. Organisations must constantly reassess and update practices to address new issues and to ensure that current practices are maintained among staff.
Prevention is better than cure. If there is a breach, you need to react. But it is not good enough to bury your head in the sand and hope it won’t happen. Breaches break trust, and that is not something the health sector can afford to lose.
Jocelyn Paulley is an IT lawyer and director at law firm Gowling WLG, where she specialises in digital health, datacentres, big data and data protection.