Are you on top of your cyber risks?

19 September 2016

Consider these three facts. First, personal healthcare records are 10 times more valuable than financial data when sold on the ‘dark web’. Second, cyber security budgets remain severely constrained across health, especially within the NHS. And third, our Global State of Information Security Survey 2016 highlighted that some of the biggest healthcare breaches in history were reported over the past year.

If further confirmation were needed of the scale of the cyber security challenges facing healthcare providers, then these facts alone provide it. But they’re just part of the story.

Alongside the growing threats from adversaries ranging from organised criminals to state-sponsored attackers, healthcare providers, commissioners and connected sectors are also facing a ‘perfect storm’ of legislation and regulation. This includes new data security standards following the Care Quality Commission (CQC) Data Security Review 2016, the third Caldicott Report, and the introduction of the General Data Protection Regulation from May 2018, shifting the consent model from implied to explicit and imposing significant fines for breaches. 

The message from all of this is clear: public health, private health and pharma & life science organisations underestimate cyber risks at their peril. And to avoid falling into this trap, the first step is to gain a firm grasp of what those risks are and where they arise.

This task is made all the harder by the rising value of personal health data to criminals for ID theft, and the way the ‘attack surface’ is shifting and expanding by the day. The causes include the move towards wearable wireless-connected devices like heart monitors, pacemakers and automatic infusion pumps to track and maintain patients’ health.

As such technologies become more widespread, cyber security is struggling to keep pace – potentially putting not just patients’ data at risk, but their lives. Penetration tests have shown it’s possible to gain access to these embedded devices, and make life-threatening changes such as altering the pulse rate on a pacemaker, re-programming the doses delivered by an infusion pump or even switching a device off completely.

Current research shows that data breaches are by far the most common type of cyber incident, dwarfing rates of all other cyber events, with credit card numbers and medical information being the most commonly compromised pieces of information.

Also, while a lot of this may sound like science fiction, it’s vital not to lose sight of the human dimension. Amid all the focus on putting firewalls and other security technologies around critical information systems to protect them, it’s easy to forget that the biggest vulnerability of all is the ‘trusted user’. So staff training and awareness-raising must go hand-in-hand with technical controls and defences.

Put simply, if your organisation isn’t keeping on top of cyber risks, it should be. And PwC is here to help. To find out more, please join us on 26th September on the first webcast in our ‘Tomorrow's healthcare today’ series, entitled ‘The future of cyber and data security in the health and pharmaceutical industry’. You’ll be glad you did.

 


 

Andi Scott | NHS and Healthcare Cyber Assurance | +44 (0)20 7213 3757 | andi.scott@uk.pwc.com

 
