Delivering care to patients necessitates the processing of sensitive personal data, recognised as “special category” data under the General Data Protection Regulation (GDPR, Art. 9). By processing such data, an organisation inherently takes on risk that needs to be managed.
In the context of the provision of healthcare, where the outcome of unauthorised or unintended processing of patients' personal data can result in serious harm, healthcare organisations need to ensure that they are taking appropriate measures to protect the data that they control.
The Irish Data Protection Commission (DPC) has put a special focus on the healthcare sector, recognising the sensitive nature of the data that healthcare organisations process. In 2018, they published a special investigation report into the hospitals sector, noting that there had been significant data security breaches in the sector during the previous decade.
In this article we look at risks faced by the healthcare sector, observe that these risks are becoming more prominent and discuss what security concerns should be considered as part of a risk management program to address cyber risk to healthcare organisations.
The COVID-19 pandemic has accelerated many events that were already in motion prior to its arrival. In the domain of healthcare we have seen this accelerate innovation in the development of mRNA vaccines to respond to the crisis. On the other side of the scale, as observed by the WHO, the pandemic has spurred a fivefold increase in cyber-attacks, and it has been reported that cyber-attacks against healthcare organisations in particular have increased by 45%, more than double the increase across all other sectors. Patient data, comprising both personal and financial data, is particularly valuable to cyber-criminals, who use the information gained for identity theft, insurance fraud and unauthorised access to prescription medication.
With ransomware and phishing attacks on the rise due to motivated and well-resourced cyber criminals, the need for healthcare organisations to increase their vigilance and ability to respond to such attacks has never been more clear.
The heightened focus on the healthcare sector as a target comes at a time when the sector is in the middle of a digital transformation drive, with many healthcare providers transitioning from a traditional paper-based system to an Electronic Health Record (EHR) ecosystem. Breaches in healthcare settings often stem from unintended or unauthorised processing of a patient’s healthcare record and as the transition to electronic health record management systems continues apace, it is important to consider the potential cyber risks that are introduced by these new systems.
Another aspect of the digital transformation underway in healthcare can be observed in telehealth and the carrying out of remote work in general. This had already begun to make inroads prior to the pandemic, but has been vaulted to the forefront since its arrival, demonstrating both its utility for delivery of patient care and vulnerability to cyber-attack. Patient video consultations are here to stay, and the platforms and devices that make them possible will increasingly become the target of cyber criminals.
Addressing Cyber Risk
In order to address these risks, cyber risk management needs to be a top priority for the executive teams of healthcare organisations. Appropriate governance and resourcing need to be in place to enable organisations to identify, manage and respond to cyber risk. A holistic approach to managing risk involving people, technology and processes is essential to developing a robust cyber security posture. In addressing cyber risk to healthcare organisations, consideration should be given to the following domains:
- Data Security and Asset Security – how assets involved in processing data are inventoried, classified (including the data itself) and managed through their lifecycle;
- Identity and Access Control – whether appropriate access and authorisation controls are in place;
- Endpoint and Systems Security – ensure appropriate management of all devices and systems that access the organisation's assets;
- Application & Development Security – ensure appropriate controls are in place to protect information systems and the processes that develop those systems;
- Network Security – ensure a secure network infrastructure is in place with controls to enable threat detection and response;
- Third Party & Vendor Management – ensure a robust procurement and third party management process is in place;
- Physical Security – assess the physical and environmental security that protects the organisation's assets;
- Business Resilience – ensure that robust business continuity and disaster recovery plans are in place, validated and tested; and
- Human Factor Security – people in the organisation should be recognised as a key asset in the ability to prevent, detect and respond to cyber threats. To do so, they need to be well-informed and well-equipped to deal with them.
Addressing cyber risk in healthcare settings goes hand-in-hand with good data governance and the presence of a robust data protection compliance program. Trilateral’s Data Governance and Cyber-Risk Team has significant experience supporting organisations in the healthcare sector in implementing data protection measures to ensure compliance. We offer a range of data governance services including audit and assessments, gap analysis, and compliance support services. For more information please feel free to contact our advisors, who would be more than happy to help.