Are you on top of your cyber risks?
19 September 2016
Consider these three facts. First, personal healthcare records are 10 times more valuable than financial data when sold on the ‘dark web’. Second, cyber security budgets remain severely constrained across health, especially within the NHS. And third, our Global State of Information Security Survey 2016 highlighted that some of the biggest healthcare breaches in history were reported over the past year.
If further confirmation were needed of the scale of the cyber security challenges facing healthcare providers, then these facts alone provide it. But they’re just part of the story.
Alongside the growing threats from adversaries ranging from organised criminals to state-sponsored attackers, healthcare providers, commissioners and connected sectors are also facing a ‘perfect storm’ of legislation and regulation. This includes new data security standards following the Care Quality Commission (CQC) Data Security Review 2016, the third Caldicott Report, and the introduction of the General Data Protection Regulation from May 2018, shifting the consent model from implied to explicit and imposing significant fines for breaches.
The message from all of this is clear: public health, private health and pharma & life science organisations underestimate cyber risks at their peril. And to avoid falling into this trap, the first step is to gain a firm grasp of what those risks are and where they arise.
This task is made all the harder by the rising value of personal health data to criminals for ID theft, and the way the ‘attack surface’ is shifting and expanding by the day. The causes include the move towards wearable wireless-connected devices like heart monitors, pacemakers and automatic infusion pumps to track and maintain patients’ health.
As such technologies become more widespread, cyber security is struggling to keep pace – potentially putting not just patients’ data at risk, but their lives. Penetration tests have shown it’s possible to gain access to these embedded devices and make life-threatening changes such as altering the pulse rate on a pacemaker, re-programming the doses delivered by an infusion pump or even switching a device off completely.
- The Information Commissioner’s Office reports 26% of publicly recorded data breach incidents within the health sector were due to human error.
- The NHS has a poor record on data security. Earlier this month two trusts were fined £365,000 for leaking information about thousands of NHS staff and hundreds of patients with HIV.
- 7255 NHS data breaches between 2011 and 2014
Current research shows that, of all cyber incidents recorded, data breaches are by far the most common, dwarfing the rates of all other cyber events, with credit card numbers and medical information being the most commonly compromised pieces of information.
Also, while a lot of this may sound like science fiction, it’s vital not to lose sight of the human dimension. Amid all the focus on putting firewalls and other security technologies around critical information systems to protect them, it’s easy to forget that the biggest vulnerability of all is the ‘trusted user’. So staff training and awareness-raising must go hand-in-hand with technical controls and defences.
Put simply, if your organisation isn’t keeping on top of cyber risks, it should be. And PwC is here to help. To find out more, please join us on 26th September on the first webcast in our ‘Tomorrow's healthcare today’ series, entitled ‘The future of cyber and data security in the health and pharmaceutical industry’. You’ll be glad you did.