UK healthcare businesses must learn lessons from US cyber hacks

Tony Yeaman, national head of healthcare; and Ed Lewis, insurance and reinsurance partner at Weightmans discuss how NHS trusts can mitigate the threat of cyber attacks

Ed Lewis

Experts from Weightmans discuss how NHS trusts can protect their organisations from cyber attacks and data breaches

We have recently seen news of yet another health insurer raided by cybercriminals for information about its customers.

US-based Carefirst, a Blue Cross and Blue Shield company, said about one million personal records were stolen following a previously-undetected breach of its computer network last June. The point of entry for hackers was most likely created by malware hidden in a rogue email attachment.

To make matters worse, the trend of attacks on the healthcare sector is rising rapidly - over 100 million private healthcare customers have now fallen victim to identity theft in the US alone in the last 12 months – and that’s just reported thefts.

Mitigating the risk of a future data breach is a complex issue and we can’t prescribe a blueprint for change. What’s important to remember, though, is that the threat is constantly evolving and all computer systems connected to the internet or external email are vulnerable

This problem is not just restricted to the US, either. It is a global problem and it is vital healthcare companies in the UK take all steps within their power to try and stop these attacks from happening, and, if they do happen, restrict the impact as much as possible.

The first question to ask is why is this happening? After all, surely cybercriminals aren’t interested in repeat prescriptions?

It’s simple. Health records of any description often comprise a wealth of valuable information: names, birthdays, national insurance numbers, home and email addresses, employer and income data, not to mention credit card details insurance data. Crooks looking to commit fraud will pay handsomely for it. And, of course, this means the market for those willing to steal it in the first place is equally lucrative.

We haven’t yet seen data theft in the UK healthcare sector of US proportions, but the potential for it is obvious.

Tony Yeaman

As Carefirst’s story demonstrates, medical identity theft often goes undetected for lengthy periods, giving criminals months to exploit the records they steal. And despite positive efforts to improve standards here in the UK, too often old and poorly-protected IT systems remain commonplace. So a perfect storm then.

And what about the legal implications of a data breach?

At the moment the US imposes far stricter rules on organisations suffering a data breach. Unlike here in the UK, in the US it’s mandatory upon discovering a breach to notify everyone whose records have been, or are suspected may have been compromised. The costs of notification alone can therefore be crippling, which, in turn, makes cyber insurance an essential purchase. But it could soon be all change in the UK, with an EU Directive potentially set to herald notification obligations similar to those in the US here in the next couple of years.

Then, of course, there is always the risk of a civil action by an individual suffering loss or a breach of privacy as a result of an organisation losing personal details with which it was entrusted. Such actions have limitless potential, subject to the usual rules of causation.

We haven’t yet seen data theft in the UK healthcare sector of US proportions, but the potential for it is obvious

Regulatory sanctions also weigh in the balance. The Data Protection Act prescribes key principles of information security by which all organisations controlling or processing personal details are bound to comply. In the event of non-compliance the Information Commissioner’s Office (ICO) has the power to impose fines of up to £500,000. But - beware – that same EU Directive mentioned earlier is also a stalking horse for a new regulatory power to impose fines on any organisation suffering a data breach of up to 5% of its annual global turnover, which makes the ICO’s current powers appear rather tame by comparison.

The ICO has been prepared to use these powers, Brighton and Sussex University Hospitals NHS Trust has been fined £325,000 due to the incorrect disposal of hard drives containing sensitive personal medical data. In other cases, the ICO has been prepared not to impose fines, but instead to accept detailed undertakings from the chief executives of Trusts to take steps to improve data security or data processing contracts with third parties. Oxford Health NHS Foundation Trust has recently agreed to such an undertaking. This is not a soft option and often involves detailed follow up assessments by the ICO, sometimes with further prescribed actions, and/or future audits. These actions have significant financial, reputational and managerial consequences.

There are also the hidden costs of a data breach to bear in mind. These include the costs of identifying how the breach occurred and then making sure it doesn’t happen again. They will often involve the costs of restoring or recreating stolen records as well. On both counts the time and expense can be very substantial. Don’t forget either the expense of mitigating reputational harm – winning customers is hard enough, but stopping them walking away or finding new ones after losing public trust can be game-changing and, therefore, a dedicated PR campaign is often essential.

Cybercriminals look for and exploit the weakest link, and all too often sadly it’s not the technology itself, but rather human error that creates the opportunity for data theft to occur in the first place

Mitigating the risk of a future data breach is a complex issue and we can’t prescribe a blueprint for change in this article. What’s important to remember though is that the threat is constantly evolving and all computer systems connected to the internet or external email are vulnerable. A continuous effort to counter that threat is therefore required to keep pace – in short cyber safety needs to become part of an organisation’s culture and not be seen merely as a back-office IT issue.

Not only is daily threat detection and monitoring vital, so too is governance of all staff and their use of IT and mobile devices like smartphones. Cybercriminals look for and exploit the weakest link, and all too often sadly it’s not the technology itself, but rather human error that creates the opportunity for data theft to occur in the first place.

Health provider Boards need to be very aware of the risks posed to their organisation’s data, the massive implications it can have for their organisations both financial and reputational, and the need to demonstrate under the new regulatory regime that they are well governed and led across all domains including data security.

Companies