Healthcare in the UK, and the NHS in particular, has come under intense scrutiny since the disastrous effects of the WannaCry ransomware in May 2017. Since then NHS Digital has launched a new £20m security operations centre to help units understand and prepare for cyber attacks.
A realistic yet disturbing view came from Dan Taylor, a director of security at NHS Digital, presenting at the National Cyber Security Centre’s CYBERUK 2018 conference.
He pointed out that, relatively speaking, the ransomware attack affected the NHS in a small way. He wasn't trying to play down the impact of the malware, but highlighted the fact that of more than 25,000 discrete centres, only 40 were affected. So it could have been far worse, and a subsequent outbreak could still be far worse. He also praised staff and IT partners for their efforts in dealing with the crisis.
GDPR has changed the security landscape
But that isn't the only threat facing the UK healthcare sector. The advent of GDPR has raised the need for all organisations, NHS and others, to put robust systems and procedures in place to protect data. As well as making sure that, where consent is relied upon, people have freely and explicitly given permission for their information to be used in particular ways, the onus is on organisations to keep data secure and prevent its theft.
Another explicit requirement of GDPR is that a personal data breach likely to pose a risk to individuals must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. Knowing promptly that a breach has taken place, and being able to establish what data was affected, is therefore vital.
As soon as GDPR came into force, a complaint was lodged in France against Google, with the resulting fine, eight months later, coming to €50m. This was for a lack of transparency and invalid consent for personalised advertising rather than for a data breach, but the point is that no organisation can afford to ignore the regulation. Although Google isn't a healthcare firm, if someone is prepared to use GDPR against a company that high profile, it won't be long before it catches up with those operating in other sectors, including healthcare.
Third party danger
As the NHS increasingly outsources services and administration, the risk of succumbing to cyber attacks increases. Every new interface between supplier and customer adds another vector that can be exploited, while lines of responsibility become blurred, both contractually and in the minds of the public.
In the USA a breach at AccuDoc Solutions, a payment processing provider, affected two healthcare clients. Atrium Health, which operates hospitals and hundreds of other care locations, had 2.65 million patients affected, while Baylor Scott & White Medical Center had 40,000 affected.
Staying one step ahead
UK healthcare organisations are in a tough situation. Criminal groups can act fast, developing, morphing and combining threats to stay constantly ahead. Public and private bodies alike have to justify the time and budget to put protective measures in place, whether that means better system care and maintenance or investment in cyber security products and services.
To focus minds on the threat, download this easy-to-digest infographic, which sets out the key facts and figures quantifying the threat facing the UK healthcare sector.