11 January 2018

Cybersecurity in the NHS (Part 1): Protecting the NHS from the inside-out

Andy Harris

The NHS is the UK’s largest organisation and employer, with a total of 1.4m employees. It provides online services that the whole of the UK relies upon, and its databases hold enormous amounts of highly sensitive and potentially valuable information, making it an obvious and lucrative target for cybercriminals.

A colossal 40% of malware attacks in the UK are made against public sector institutions. Between 2014 and 2015, the 17 largest Government departments recorded a combined 8,995 data breaches. The National Audit Office's (NAO) recent report, Protecting information across government, condemned the “limited oversight” of various Government IT departments and described the existing process for reporting breaches as “chaotic”. Recent devastating attacks have raised particular concern about NHS cybersecurity and about the lack of investment in cyber defence across individual NHS trusts.

As cybersecurity rises higher on the agenda, 55% of healthcare management professionals have admitted they anticipate further attacks from ‘organised hacktivists’. Recent such attacks crippled the systems of around 50 Trusts, locking staff out of computers, shutting down IT systems and email accounts, forcing A&E and outpatient departments to close, and causing hundreds of procedures and appointments to be cancelled. Whilst some Trusts have learned how to better deal with the consequences of data breaches as a result, there is no room for complacency. Cyberattacks continue to get more sophisticated and potentially catastrophic every day.

Patients’ confidential details have been emailed to other patients, found on pavements, and even left in a restaurant, in hundreds of NHS data protection breaches.

Taking just the Norfolk and Suffolk region as an example, over 650 data protection incidents were reported in 2016, and at the Queen Elizabeth Hospital in King’s Lynn the number of data protection breaches almost doubled from 2014/15 to 212 in 2016. In the last two years alone, 39 NHS staff members have been disciplined for data protection offences, and 25 recent breaches were so serious they had to be investigated by the Information Commissioner's Office.

The incidents are, in both scale and content, shocking. A former NHS employee recently pleaded guilty to accessing a former friend’s medical records and disclosing information about a baby, and was fined £125 for each offence and ordered to pay costs of £500 and a victim surcharge of £30 for breaching patient confidentiality and the Data Protection Act. One hospital sent equipment containing unencrypted patient data to an auctioneer, another let the therapy records of 41 patients get stolen from a car boot, and in August, one mistakenly sent the private details of 30 people, including diagnosis results, to a single person. In the last two years, staff members have even discovered customer data on the pavement at a petrol station and left in a restaurant.

Privileged accounts are being targeted

Last year, the Information Commissioner's Office reported 31 healthcare breaches from records going missing and 10 breaches for unauthorised access or use of a password via a privileged account, a favourite method of entry for cybercriminals. Teams and nurses on the front line follow a strict process to maintain frontline security, but cybercriminals are targeting the less obvious but more valuable Privileged User Accounts, where the biggest prizes can be found and attackers can gain the broadest access to systems. One particular hacker, with ties to Anonymous, used a private contractor’s unprotected privileged account to access an NHS database of confidential records of 1.2 million people, detailing names; addresses; telephone numbers; email addresses; Social Security numbers; medical record numbers; patient IDs; insurance numbers; and charges and payments for services performed. Incidents like these shine a harsh light on the vulnerabilities of the NHS's IT infrastructure. A lot of learning must be done, and changes must be made.

We need to start protecting NHS data where it’s held – at its core

Every successful cyberattack damages businesses, their customers and public trust in our collective ability to keep people and their private data safe. The head of the National Audit Office has warned the NHS and Department of Health to “get their act together”, but what is really needed is a positive, proactive reaction across all industries.


Protecting data has always been integral, but the data environment is evolving. Businesses need to get a firm handle on any unstructured or badly managed data, make sure that they comprehensively understand their data models, and put the necessary processes in place to keep IT infrastructure and Privileged Accounts secure. It’s the only way to live up to data policies and customer promises, and the only way to avoid disaster down the road.

Read our blog Cybersecurity in the NHS (part two) to find out how…