The widespread publicity attracted by the recent cyber-attack on TalkTalk will have many organisations considering whether their cyber security measures are sufficient to protect the data they hold. Some of the most valuable personal details are those relating to healthcare, meaning organisations holding such details are of the highest interest to hackers similar to those who attacked TalkTalk.

What makes health care records so attractive?

The problem cyber criminals have when they steal credit card information is the short usage lifespan associated with this data. Once someone notices their credit card information has been stolen, they will cancel the card and prevent the hackers from using it any further. The value of medical information comes from the personally identifiable data found amongst it, which the hackers can use over and over to continue to open new credit card accounts. This information also provides a level of valuable intelligence about individuals that the hackers can then use for blackmail purposes, particularly if the information relates to a public figure. Reuters have stated that for these reasons healthcare information is worth up to ten times more on the black market than credit card information. An attack that is less successful in terms of the volume of information stolen could therefore be more profitable for hackers.

What is the likelihood of a large-scale attack?

High. A recent report conducted by KPMG in the US stated that 81% of healthcare executives found their organisations have faced at least one cyber-attack in the last two years and 13% said they are targeted at least once a day. Although there haven't been any large-scale successful attacks in the UK as yet, there have been recent successful attacks in the US. Partners Health Care, a Massachusetts-based network of hospitals and medical centres, reported that a phishing attack in November 2014 exposed the group's email accounts. Some of those emails comprised "names, addresses, dates of birth, phone numbers, social security numbers, clinical information, medical records and insurance information," with 3,300 patients affected.

Another of the most publicised cyber-attacks to occur in the US was conducted against health insurance provider Anthem. The attack this year resulted in the medical information of 37.5 million people ending up in the hands of the hackers. The event led to fears that even non-customers who were members of particular plans in which Anthem was involved may also have had their records accessed.

What can be done to protect your organisation?

With such large-scale attacks being perpetrated in the US, UK healthcare providers must have processes in place to ensure that the data they hold is as well protected as possible. Although there are undoubtedly costs involved in the development and maintenance of robust cyber security methods, these should be considered long-term savings against the cost of any breach, which would include fines, reputational damage and the costs associated with any damage limitation programme. It is also worth noting that a new national service is planned to go live in January 2016 that will provide expert advice and guidance on cyber security threats and best practice to the NHS and other health care organisations. CareCERT will be run by the Health and Social Care Information Centre. The project, funded by the Cabinet Office's National Cyber Security Programme, is designed to assist cyber security in the healthcare sector.

This is the first in a series of insights from MacRoberts focusing on the issues that health and social care providers are facing and will face surrounding data protection. These insights will principally focus on the way that technological advances and the growth of digital healthcare have increased the threats for providers in this area.

MacRoberts has expertise in and advises on a wide range of data protection law, particularly the obligations on organisations in relation to personal data and security measures. For more information, please contact Valerie Surgenor.

© MacRoberts 2015
