by Bharat Mistry
The US Food and Drug Administration (FDA), the sector's regulator, has just released new security guidance for medical device manufacturers as part of a major push to improve information security in the healthcare sector there. With its recommendations to follow industry frameworks like NIST, improve information sharing and adopt best practices around vulnerability disclosures, it’s a long overdue and positive step from the agency. So what of the UK’s healthcare sector?
With the EU General Data Protection Regulation (GDPR) fast approaching, I’m afraid to say things are still far from where they should be. Healthcare is by a country mile the worst offender when it comes to data security incidents. It’s time that changed.
The worst offender
The NHS has a problem. According to privacy watchdog the Information Commissioner’s Office (ICO), there were 278 data security incidents in the sector from July to September 2015. That’s over four times as many as the next worst offender, local government (60), and represents around half of all incidents brought to the ICO’s attention. Although the high number can partly be explained by the NHS’s recent decision to mandate the reporting of breach incidents, as well as the sheer size of the sector, there’s more at play here.
Like many organisations, the NHS is struggling to adequately secure a hotchpotch of disparate IT systems – some of them mission critical and running outdated OSes. Modern virtual and cloud environments and connected IoT devices like “smart” drug infusion pumps have only increased the attack surface, as have the growing use of mobile devices and initiatives such as Care.data, which looks to capture and share even more data with the aim of improving patient care. And all this comes in the face of swingeing budget cuts.
While industries like retail and banking have traditionally been the worst hit by cyber attacks, cybercriminals are increasingly viewing healthcare data as a valuable commodity to trade on the black market. The kind of information held by the NHS is highly sensitive and could be used extremely effectively by scammers to commit identity fraud, or even to blackmail victims. There are also rumblings in the US that nation state actors have been involved in some of the big-name breaches there. That’s not to mention the risk of accidental loss that can arise from poor data management.
Preparing for the EU GDPR
The implications for breached organisations are stark. Industry fines, clean-up and remediation costs, and potential legal ramifications are all part and parcel of the cost of a data breach these days. What’s more, when the EU GDPR comes around there’ll be a requirement to notify any breach within 72 hours; potentially crippling fines; the hiring of mandatory Data Protection Officers; and much more to keep public sector IT managers busy.
In light of this increasingly unforgiving regulatory environment, and the growing internal and external threat to healthcare organisations, Trend Micro stresses the need for:
- Better staff education around good data management
- Clear policies related to security, privacy and data management
- Implementation of technologies to reduce the risk of data breaches, including:
  - Comprehensive endpoint security, including mobile device security
  - Virtual and cloud-ready security technologies like Deep Security
  - Targeted attack and ‘APT-hunting’ tools like Deep Discovery
  - Integrity monitoring and log inspection to improve compliance and spot sophisticated attacks
  - Virtual patching to shield systems from the latest threats
  - Strong encryption to keep data secure even if lost or stolen
- A provider who can offer a single pane of glass to manage security across physical, virtual, cloud and hybrid environments