“No patient information has been affected, 654 of our staff, current and past, have been affected by this security breach. We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised.”
The latest cyber breach to hit the already beleaguered NHS last week, was in Wales. Data of NHS employees was stolen from the business that maintains wearable radiation meters for the Betsi Cadwaladr University Health Board. Details of those working for private dentists, vets and NHS staff in England and Scotland were also breached.
Being a major talking point because of its chronic short-staffing and money woes, the NHS is in the news for losing data with great regularity. But is the situation really that dire? Should NHS Digital spend the £4.2 bn it has (for ramping up tech until 2020) on shoring up its cyber security defences now?
The cyber security threat to the NHS is manifold. To start off with, the system is not national. Each NHS Trust is run as a separate entity with their own budget and full remit to employ whatever information systems it wants to. There is no cohesion with other NHS trusts.
As a result of this, big 4- core legacy systems have had newer layers bolted on with a range of interfaces- software being just one of them. And then they have been hooked up to other networks that other NHS trusts run- similar systems but mostly not the same. So, while most of it trundles along most of the time, adding machines to its core both simplifies and complicates the matters.
‘It is like herding cats. Each of the hospitals can configure what the heck they like and thats what they have done!’ says Michael Boyd, MD Mountfield Consulting Ltd.
Another way of looking at how the NHS works is by comparing it to a McDonald’s outlet. The level of service is standardised across the estate but it is different franchises that run each of the outlets. And because of this, their targets are completely separate from each other and how they decide to achieve them are down to the local trust and board.
Owing to this disparate set of rules, functions and scattered power structure- not to mention pressure to use fewer resources to provide care to more, cybersecurity has been an afterthought until recently.
‘The NHS is part of the critical national infrastructure and so there are heavy regulatory and legislative burdens on them to keep information safe. They are a ripe target because they carry a lot of patient information so the Care Quality Commission put out a report last year to say NHS trust should look at cyber security with the same rigour as financial governance,’ said Andi Scott, NHS and Healthcare Cyber Assurance analyst, PwC.
The CareCERT agenda had three go-to points that could help the NHS become stronger cybersecurity-wise. There are:
- a national cyber security incident management function
- issuing national level threat advisories, for immediate broadcast to organisations across the health and care sector
- publishing good practice guidance on cyber security for the health and care system
‘Data is being weaponised, we see hospital networks being hacked into and threats are coming in from all directions.’ Raj Samani, Chief scientist McAfee.
‘Cyber should be more of a leadership and assurance based activity than compliance. With compliance, the questionnaire has just one question about cyber security. Usually, it is: ‘Do you have a cybersecurity policy?’ If the answer is yes- they are compliant.
The cyber security conundrum and agency staff
The NHS traditionally has very good track record on confidentiality. However, can the right person get the right data at the right time? Of the healthcare analysts we spoke to, many talked about how commonplace it was, for passwords to be taped under the mouse connected to a computer. Or even to be on a post-it note on the computer screen.
‘Hospital staff don’t set out to make their system as leaky as possible- the taped passwords are so there is least interruption to patient care and agency staff can get access to records and schedules quickly. If someone really wanted to set out to steal information, they could certainly put away a lot in an 8-hour shift,’ continues Boyd.
It is obviously very difficult to make any situation 100 percent secure. Agency staff and locums are vetted to the highest level and those on rosters are usually familiar with the particular NHS Trust. The email that NHS staff use is highly secure and all phishing style emails are deleted by the powerful firewall. But healthcare professionals aren’t really the best with computer systems. Like the recent case where a test email sent by an IT worker to 840,000 staff and then them hitting ‘reply all’ caused the system to crash…
‘Locums and temporary staff will tend to have stipulations in their contract that ensure any data they use is strictly confined to the practice in which they are operating. With temporary members of staff, they are clearly more exposed to more organisations than a permanent worker – so it is imperative that data being taken offline is discouraged and only used within the four walls of the surgery or healthcare office.
‘Another issue here is when temporary staff or locum doctors use the information locally, whether it be in digital format or a hard copy. For instance, an email could be sent accidentally to someone outside of the healthcare organisation, fall into the wrong hands and be used for myriad malicious reasons. As well as this, there is little evidence to suggest reading copy offline is beneficial and only increases the risk of this information being leaked and stolen. Both of these are clearly caused by human error – but we are fallible, of course, and the best that can be done is to minimise these risks by hospital trusts ensuring they have the correct procedures in place,’ says Zak Suleman, Healthcare Security Specialist at Smoothwall.
The good old dongle is still the go-to device for transferring large amounts of data.
Overworked NHS employees who put data on a dongle and take it home to work on put not just the Trust at risk but also their home computer- without knowing it. With most disk drives disabled on NHS computers, the only option is to go ahead and disable USB drives on computers too.
There are 360 big hospital trusts in England. Each hospital has an average of 6000-7000 members of staff and at least 50 percent have access to tech. The number of PCs is staggering and to fix them all would cost a LOT of money and resources.
‘Building healthcare security is all about having a layered approach that needs to move with the times of the threats. Aside from ensuring spanning encryption, firewalls, web filtering and ongoing threat monitoring, NHS trusts must also keep their operating systems up to date. Yet with so many accessible devices (of which the average NHS trust might have over 2,500), this is a tough – but necessary – job.
‘Healthcare systems, in general, have been quite slow in adapting to security threats; having the most robust defence systems in place to safeguard patient data should now be a top priority,’ continues Suleman.
GDPR and NHS, an unholy communion
However, there is a bigger problem looming for the NHS, and that is the General Data Protection Rule (GDPR) coming into effect in May 2018. Currently, if staff (permanent and agency) are to have access to data, they would have received information governance training as well as signed a document saying they understand the repercussions of a data breach. This is all in accordance with the 1998 Data Protection Act and rule. The legislation specifically mentions how physical, mental and data relating to ethnicity need to be stored. It also gives the legal definition of sensitive data and information about cybersecurity requirements re. health.
The problem the NHS now has is that GDPR is very specific about consent. Informed and explicit consent is required for use of data rather than implied consent. So they have to make sure that patients are aware of where their data is stored and how it is being used and transferred. Until now, NHS Trusts have been the Information Commissioner’s Office (ICO) favourites and been fined regularly. Yet the fines have been relatively modest. The highest ever was Brighton and Sussex University Hospitals NHS Trust who were asked to pay £325,000 but were also offered an early pay discount.
Says Scott: ‘Up until now, as a public service, every Trust is expected to report breaches to the Information Commissioner’s Office but there has been no legal requirement to do so. When GDPR is enforced, the potential for fines also changes. The maximum that the Information Commissioner’s Office could fine is £500,000 whereas under GDPR there is 2% of global annual turnover and up to 4% of global turnover and so the Information Commissioner’s Office will have larger fining abilities.
‘With public sector undertakings, they (ICO) take a measured view of breaches- what was the breach, what circumstances led to it, Was it just that they were unlucky? All these questions play a role in determining the outcome of the investigation. With GDPR, these issues will still be very important.
‘The main difference from now to then will be that the burden of proof or distress will be a lot lower. The victim until now had to show significant distress or loss to get compensation. Under GDPR they only have to say ‘ I am sad that you lost my data’ to be able to make a claim and if enough people say that, the NHS Trust could well have a class action suit on their hands. This is simply not possible under the 1998 Data Protection Act which currently forms the basis of cybersecurity compliance in health care.’
It is going to be a tougher, stricter regime under GDPR
The 72- hour mandated notification period for reporting cyber breaches and attacks isn’t really going to help burgeoning healthcare trusts either. When we asked if NHS Trusts has enough money, manpower and resources to enforce GDPR, Scott said that NHS Digital have indicated that they have £4.2 billion to spend on cyber security, implementing new legislation and securing patient records by 2020. ‘As long as a reasonable proportion of it is directed to GDPR, it will go a long way. This is also an issue for the supply change and the NHS also has to look at the supply chain partners and make sure they know who the weakest links are and help them and bolster their own systems.
‘We have been speaking to the trusts to do some benchmarking to see what their GDPR readiness is. Our main questions is: are you aware of GDPR, and if yes, do you have a plan?
‘We have not had a “no” yet, that’s the good news.’
Apart from the case of GDPR giving Trust Chief Execs sleepless nights, it is also a problem that the power base is so distributed.
‘Getting something as basic as water to patients who cannot feed themselves often doesn’t work out. Can you imagine how difficult it will be for anything else that is not centrally managed to go through?’ signs off Boyd.
Image by DanBackman Apothecary