Imagine: the computer system at your GP’s office has been hacked, and now a complete stranger, potentially working for a nation-state, has access to your personal medical information.
This includes your insurance records, address, national insurance number, and any financial information stored on the office computer.
It’s a nightmare scenario – but it’s more common than some realise. Two-thirds of UK hospitals suffered a data breach in 2019, and ForgeRock’s Consumer Identity Breach Report found that 51.5% of UK data breaches were in healthcare.
So why is healthcare such a target for cybercriminals? What makes it more appealing than other sectors? And crucially, what are the steps healthcare providers can take to protect and secure patient data?
Healthcare’s unique challenges
The healthcare sector has always been vulnerable to cyberattacks and attractive to cybercriminals. Not only does the NHS have access to 55 million primary care and 23 million specialist care records, but healthcare data is worth 6x more than other data types (EY values all NHS data records at around £9.6 billion annually) – a potential gold mine to malicious cyber-attackers.
Moreover, unlike breaches in other sectors, like retail, the information stolen in healthcare attacks cannot be changed once the breach is detected. You can always get a new credit card, but you’re stuck with your DNA for life.
But why is healthcare so vulnerable? The answer is two-fold. One of the contributing problems is the extent of sensitive data sharing in complex and multi-partner clinical processes. Third-party risks arise from the chain of medical partners, labs, specialists, and doctors’ surgeries through whose hands patient data has to pass in the course of diagnosis and treatment – each of whom represents a potential vector for malicious attacks.
The second reason is human. Often healthcare data breaches don’t have a technical entry point, but instead involve people being exploited – for example, targeted phishing attacks on healthcare professionals to gain access to legitimate credentials or to plant malware. In 2019, the NHS blocked nearly 12,000 phishing attacks against their systems a day – and this threat level is only rising.
COVID-19 has made a bad situation worse
One of the consequences of the ongoing COVID-19 pandemic is an increase in the number of cyberattacks levied at healthcare organisations.
Nefarious hackers have singled out healthcare providers and medical research facilities during the pandemic in the hopes of getting their hands on valuable intellectual property and vaccine research. From the British government applying special protections to COVID-19 research labs to London-based testing centres falling victim to ransomware attacks, the threat vectors the healthcare sector faces continue to increase.
What’s more, these cyberattacks are going beyond the traditional opportunistic attempts to steal patients’ data and infect healthcare computer systems with ransomware. Now, many attacks appear to come from foreign governments, such as Russia and China, which are targeting the healthcare sector during the pandemic, purportedly for foreign policy reasons such as stealing valuable virus research.
So the healthcare sector faces unique and growing cybersecurity challenges, but there are practical measures that healthcare organisations must take to protect themselves, and they are rooted in managing user identity.
The first step is to adopt a ‘zero-trust approach’, meaning that every single access request by a user should require their identity to be appropriately verified. Of course, to avoid users having to enter their username/password over and over again, this approach should be risk-weighted so that less important access requires less interventionist verification, for instance, using contextual signals like the location of the user or device characteristics. There is no longer a trade-off to be made between security and convenience – access to data and systems can be easy, simple and safe.
This approach allows an organisation to always answer yes to the question: “Am I appropriately sure this person is who they say they are?” It is a philosophy which should be applied to internal and external users alike: a crucial point given healthcare data’s risk profile.
The second step for healthcare organisations is to consider eliminating the standard username/password authentication method and embracing modern, intelligent authentication. This delivers a combination of real-time, context-based authentication and authorisation that seamlessly provides the appropriate level of friction based on the actions being taken by a service user.
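The risk-weighted, zero-trust decision described in the two steps above can be sketched as a small policy evaluator. This is an illustrative example written for this article, not ForgeRock’s product logic; the assurance levels, the contextual signals (device, location, internal vs. external user) and their equal weighting are all constructed assumptions.

```python
from dataclasses import dataclass

# Assurance levels a session can hold, lowest to highest (constructed for this example).
SESSION_COOKIE, DEVICE_BOUND, STRONG_MFA = 1, 2, 3

# Baseline assurance each resource class demands before context is considered (assumed).
BASELINE = {"low": SESSION_COOKIE, "medium": DEVICE_BOUND, "high": STRONG_MFA}


@dataclass
class AccessRequest:
    user: str
    sensitivity: str            # "low" (e.g. rota), "medium", or "high" (e.g. full record)
    external_user: bool         # partner lab, specialist or surgery outside the organisation
    device_registered: bool     # device characteristics match a device enrolled by this user
    location_familiar: bool     # location has been seen before for this user
    session_assurance: int      # assurance already established earlier in this session


def risk_signals(req: AccessRequest) -> list:
    """Contextual signals that raise the bar; each one is worth one assurance level here."""
    signals = []
    if not req.device_registered:
        signals.append("unregistered device")
    if not req.location_familiar:
        signals.append("unfamiliar location")
    if req.external_user:
        signals.append("external user")
    return signals


def required_assurance(req: AccessRequest) -> int:
    """Risk-weight the baseline: less important access on a known device needs less friction."""
    level = BASELINE[req.sensitivity] + len(risk_signals(req))
    return min(level, STRONG_MFA)


def assess(req: AccessRequest) -> dict:
    """Every request is verified; the user is only interrupted when the session falls short."""
    need = required_assurance(req)
    decision = "allow" if req.session_assurance >= need else "step_up"
    return {"decision": decision, "required": need, "signals": risk_signals(req)}
```

A production deployment would additionally write the returned dict to an audit log so that step-up prompts and their triggering signals can be reviewed by the security team.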
According to First Contact, 51% of people use the same passwords for multiple work and personal accounts because they can’t remember separate login details for all their accounts. This has led to stolen credentials being the cause of 80% of data breaches. Transitioning away from a username/password model is, therefore, crucial to secure and protect patient data and deliver a better user experience. We’re helping our customers do exactly that with ForgeRock Go.
We also think there’s a greater role for the Information Commissioner’s Office (ICO) in healthcare data breach prevention. Even though over the last year ICO has used education and enforcement to reduce the overall number of data breaches, there is still a lack of granular data available to the public and industry. We’d like to see ICO fill this data gap so healthcare security professionals can better research and understand the threat they’re facing.
An apple a day keeps the breaches away
As the world continues to wait for a COVID-19 vaccine, the data breach threat level to healthcare organisations will not be easing up any time soon. It’s imperative that the healthcare sector implements steps to protect itself from human exploitation and technical vulnerabilities that allow cyberattackers entry into their systems.
By combining a zero-trust methodology with modern authentication capabilities, healthcare organisations can go a long way towards achieving that goal – and preventing more people facing the nightmare scenario of having their healthcare data stolen.
About the Author
Nick Caley, VP of UK & Ireland, at ForgeRock. ForgeRock, the leader in digital identity, delivers modern and comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world.