Last year the U.K. Government set an ambitious target of making the National Health Service (NHS) paperless by 2020, a move that will see hundreds of thousands of patient records digitized. In 2017, hospitals will be obliged to allow patients to view their medical records online, following in the footsteps of the UK’s general practitioners. To get ahead of the curve, many NHS hospitals are already transferring patient data to online networks now. But a significant number are not taking adequate steps to protect this sensitive personal data from hackers, as a Sky News investigation revealed late last year.
Receiving access to documents under Freedom of Information laws, Sky News found that seven NHS trusts (groups of hospitals under central oversight), providing services to over two million patients, spent nothing on cybersecurity in 2015. That’s $0. Perhaps more worryingly, it revealed an increase in cyber breaches from eight in 2014 to 60 the following year (across the 97 trusts that provided data).
A breach can shut down hospital networks, forcing the cancellation of appointments and operations, as it did to three UK hospitals. And while inconvenient, more problematic is the potential of losing patients’ private and personal data. This information cannot be changed like a credit card number. And because the information contains more data a cybercriminal can make use of — such as national insurance number, medical history, insurance provider, prescriptions, and so on — healthcare data fetch higher prices, as much as 60 times that of stolen credit card data, ensuring it remains a hot target for the ill-intentioned.
For obvious reasons, a hospital administrator will tell you the number one focus for NHS is healthcare, not data security. As a result, the limited resources available are directed to saving lives, not to fortifying online systems. Yet, data security is now a key component to health care and saving lives, requiring leaders to tackle three challenges to better protect patient data.
1. Budget allocation. Just as businesses have redirected operational budgets to fund cyber defenses, hospitals must reapportion funds to do the same. The impact of a security breach on a hospital has similar financial repercussions to that of a major business, with services disrupted and customer confidence (in this case patients), severely damaged. For patients to feel confident their records are protected, they need to know that hospitals are spending enough on the tools and technology necessary to keep hackers out.
2. Staff training. As medical practitioners, hospital staff are some of the most highly trained and skilled operators of any profession. However, when it comes to cyber skills, there is a severe shortage. To address this, cyber skills should form part of the training and induction program provided to hospital staff. The aim shouldn’t be to turn all doctors and nurses into cyber hunters, but to raise basic awareness and instill best cybersecurity practices. By doing the basics, such as instituting strong password authentication and taking care when clicking email links, medical professionals can avoid the simple errors that open the door to hackers.
3. Connected hospitals. The biggest challenge lies in the nature of the modern hospital. Today’s hospitals are by no means analog. A growing number of connected instruments and life support systems means there are countless endpoints in any single hospital and exponentially more expected to come online over time. Without the proper network visibility and protection, each device, or endpoint, represents a potential vulnerability for intrusion.
A digital NHS should be seen as the future of healthcare. But as these recent reports have highlighted, there are a number of steps we need to take first if we are to make that future secure.
Like what you see? Click here and sign up to receive the latest Tanium news and learn about our upcoming events.
About the author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations, and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.