Delivering care to patients necessitates the processing of sensitive personal data, recognised as “special category” data under the General Data Protection Regulation (GDPR, Art. 9). By processing such data, an organisation inherently takes on risk that needs to be managed.
In the context of the provision of healthcare, where unauthorised or unintended processing of patients' personal data can result in serious harm, healthcare organisations need to ensure that they are taking appropriate measures to protect the data that they control.
The Irish Data Protection Commission (DPC) has put a special focus on the healthcare sector, recognising the sensitive nature of the data that healthcare organisations process. In 2018, they conducted a seminal, special investigation into the hospitals sector, which reported that there was a history of significant data security breaches in the sector.
In this article we look at the risks faced by the healthcare sector, observe that these risks are increasing, and set out the security concerns that should be considered as part of a risk management programme addressing cyber risk to healthcare organisations.
Acceleration
The COVID-19 pandemic accelerated many events that were already in motion prior to its arrival. In healthcare we saw this accelerate innovation in the development of mRNA vaccines to respond to the crisis. On the other side of the scale, as observed by the WHO, the pandemic spurred a fivefold increase in cyber-attacks, and it has been reported that cyber-attacks against healthcare organisations in particular increased by 45%, more than double the increase across all other sectors. Patient data is particularly valuable to cyber-criminals, who use the information gained for identity theft, insurance fraud and unauthorised access to prescription medication.
With ransomware and phishing attacks on the rise due to motivated and well-resourced cyber criminals, the need for healthcare organisations to increase their vigilance and ability to respond to such attacks has never been more clear.
Digital Transformation
The heightened focus on the healthcare sector as a target comes at a time when the sector is in the middle of a digital transformation drive, with many healthcare providers transitioning from traditional paper-based systems to an Electronic Health Record (EHR) ecosystem. Breaches in healthcare settings often stem from unintended or unauthorised processing of a patient's healthcare record. As the transition to electronic health record management systems continues apace, the way risks to patient records are addressed needs to evolve to take account of the cyber risk introduced by these new systems.
Another aspect of the digital transformation underway in healthcare can be observed in telehealth and in remote work in general. These had already begun to make inroads prior to the pandemic, but have been vaulted to the fore since its arrival, demonstrating both their utility for the delivery of patient care and their vulnerability to cyber-attack. Patient video consultations are here to stay, and the platforms and devices that make them possible will increasingly become the target of cyber-criminals.
Addressing Cyber Risk
In order to address these risks, cyber risk management needs to be a top priority for the executive teams of healthcare organisations. Appropriate governance and resourcing need to be in place to enable organisations to identify, manage and respond to cyber risk. A holistic approach to managing risk, involving people, technology and processes, is essential to developing a robust cyber security posture. In addressing cyber risk to healthcare organisations, consideration should be given to the following domains:
- Data Security and Asset Security – how assets involved in processing data are inventoried, classified (including the data itself) and managed through their lifecycle;
- Identity and Access Control – whether appropriate access and authorisation controls are in place;
- Endpoint and Systems Security – ensure appropriate management of all devices and systems that access the organisation's assets;
- Application & Development Security – ensure appropriate controls are in place to protect information systems and the processes that develop those systems;
- Network Security – ensure a secure network infrastructure is in place with controls to enable threat detection and response;
- Third Party & Vendor Management – ensure a robust procurement and third party management process is in place;
- Physical Security – assess the physical and environmental security that protects the organisation's assets;
- Business Resilience – ensure that robust business continuity and disaster recovery plans are in place, validated and tested; and
- Human Factor Security – people in the organisation should be recognised as a key asset in the ability to prevent, detect and respond to cyber threats. To do so, they need to be well-informed and well-equipped to deal with them.
Integrated approach
Addressing cyber risk in healthcare settings goes hand-in-hand with good data governance and the presence of a robust data protection compliance programme. With expertise in these cross-cutting concerns, Trilateral's Data Protection and Cyber Risk team works with healthcare clients to develop an integrated approach to addressing these needs. Get in touch with our advisors today to see how we can help you.