Nigel Thorpe, technical director at SecureAge, looks at the increase in cyber attacks on healthcare and says it’s time to treat all data as sensitive
Attacks from cybercriminals have surged during the pandemic, with the UK National Cyber Security Centre (NCSC) reporting that it defended the UK health sector from an average of 60 attacks per month between September 2019 and August 2020. The NCSC prevented a total of 723 incidents during this period – a 10% increase on the previous year.
More recently, a study by Obrela Security found more than four-fifths (81%) of UK healthcare organisations suffered a ransomware attack in the last year. The survey of 100 cybersecurity managers in the health sector found that 38% of UK healthcare organisations have elected to pay a ransom demand to get their files back, while 44% that had refused to pay a demand admitted to losing healthcare data as a result.
Ireland’s healthcare system has also been targeted twice in recent months with the same cyber-crime group believed to be responsible for both incidents. The Department of Health said it shut down its IT systems after a ransomware attack in May, which caused ‘substantial’ cancellations to outpatient services. Irish Foreign Minister Simon Coveney said malware had been inserted across the HSE healthcare system network “in multiple locations”.
The wealth of sensitive data that healthcare providers hold makes them an attractive target for cybercriminals looking to make money from ransom payments or fraud. The wider consequences can include an adverse impact on patient care, safety and trust, as well as long-term financial and reputational damage to the healthcare industry.
Three healthcare security challenges
The stakes for data security in healthcare are extremely high, and it is increasingly difficult to prevent data breaches and to limit the damage they cause. Heavy reliance on new technology intertwined with legacy healthcare systems, as well as the free flow of data, opens up countless opportunities for external or insider attacks. And here are three further nuances that make data security in healthcare particularly challenging.
- The nature of the data
It turns out that personal health information (PHI) is more valuable than personally identifiable information (PII) on the black market.
- The industry’s use of legacy systems
Many healthcare organisations function in an ecosystem where budgets are tight and getting investment for new technology is an uphill battle. While legacy systems may appear to do the job, they pose risks to network security, particularly when their operating systems are no longer supported.
- A reliance on dispersed data
Providing medical services does not stop at medical diagnosis and drug prescriptions. Due to the dispersed and long-term nature of the healthcare industry, a huge amount of information, in many different structured and unstructured forms, needs to be accessed and generated from the very first consultation until the end of treatment, which can span a lifetime. This information includes medical records, prognoses and prescriptions, all of which include personally identifiable information such as names, addresses, identification numbers, financial information and insurance details. The problem is that current ‘castle and moat’ approaches to protecting this data by adding more defences to prevent unauthorised access aren’t working.
- Cybersecurity awareness
Without doubt, the human factor has always been the weakest link in cybersecurity. Many organisations have mandated cybersecurity training for their staff, teaching everyone that security isn’t just the responsibility of the IT department. While this is important, employee awareness and training can only go so far. Someone, somewhere is always going to click on a malicious link or open a rogue document.
It’s time for a new approach
First of all, we need to accept that all data is sensitive. We know that cybercriminals use fragments of seemingly random information to assemble phishing attacks and steal identities. So, rather than categorising data into different levels of sensitivity and treating them differently, we should treat all data as sensitive. After all, some 67% of respondents in a recent Ponemon report said that discovering where sensitive data resided in an organisation was challenging.
So, once we accept that all data is important, we then have to protect it all, by using encryption. In the event of an attack – from inside or outside of the organisation – encryption renders files useless. Many organisations use full disk encryption. But while this will protect structured and unstructured data when it is at rest on a hard disk or USB stick, it is of absolutely no use in protecting data against unauthorised access or theft from a running system. Data, therefore, needs to be protected not only at rest but also in transit and in use, on site or in the cloud.
With the technology and processing power available today, encrypting everything at file level is a seamless and affordable way to protect data. Security is most effective when it is applied as close to the source as possible.
File-level protection builds protection into the data itself without any user action or decision making and doesn’t disrupt user processes. This proactive way to protect data means that in the event of infiltration via the perimeter or insider attacks, data will not be intelligible to any hacker. Anything that cannot be understood by the recipient does not hold any value for them. Protection is also persistent throughout, whether the computer is on or off, whether the file is open or closed. Unlike alternative data security solutions, protection doesn’t just work some of the time.
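The file-level approach described above is easiest to reason about in code. The following Go program is an added example, not SecureAge’s product code or any code from the article: it seals each file’s contents with AES-256-GCM, binds the filename into the authentication tag as associated data, and stores the random nonce alongside the ciphertext. The patient record, the filename and the key are constructed for the demonstration; key distribution and storage (which is where a real product does most of its work) is assumed to be handled elsewhere. The point it shows is the one the text makes: a copy of the sealed file taken from a running system, a renamed file, or a file with a single flipped byte yields nothing intelligible, whether or not the disk it came from was encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key. In practice the key lives in a
// key manager or is wrapped by a per-user key; here it is just generated.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals plaintext under key. The file name is passed as
// associated data, so the ciphertext only opens under the same name.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per file
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptFile reverses EncryptFile. Any change to the key, the name or a
// single byte of the sealed blob makes gcm.Open fail authentication.
func DecryptFile(key []byte, name string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed file too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, []byte(name))
}

// Tamper returns a copy of sealed with one byte of the ciphertext flipped,
// standing in for corruption or a hostile edit of the stolen file.
func Tamper(sealed []byte) []byte {
	out := append([]byte(nil), sealed...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123 | Jane Doe | DOB 1970-01-01 | Dx: sample")
	name := "clinic/records/000123.txt"

	key, _ := NewKey()
	sealed, _ := EncryptFile(key, name, record)
	fmt.Printf("sealed %d bytes as %d bytes on disk\n", len(record), len(sealed))

	if _, err := DecryptFile(key, "clinic/records/other.txt", sealed); err != nil {
		fmt.Println("renamed copy:", err)
	}
	if _, err := DecryptFile(key, name, Tamper(sealed)); err != nil {
		fmt.Println("tampered copy:", err)
	}
	other, _ := NewKey()
	if _, err := DecryptFile(other, name, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
	plain, err := DecryptFile(key, name, sealed)
	fmt.Println("authorised open:", err == nil, string(plain) == string(record))
}
```

Because the protection travels with the file rather than with the disk, it holds whether the machine is powered on or off and whether the file is copied to a USB stick, an email attachment or a cloud bucket; the thing that gates access is possession of the key, which is why key management is where the design effort goes.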
Adopting this data-centric approach will make a big difference. After all, a 2021 HIPAA compliance checklist from the US reveals that most data breaches result from the loss or theft of devices containing unencrypted data and the transmission of unsecured records across networks.