With the benefits of digital technology at their fingertips, hospitals and other healthcare establishments face pressure to make their patients’ information easier to share with other health professionals and services. A substantial added challenge is maintaining security in an increasingly interconnected workspace. Coupled with this new information-sharing paradigm is the growing use of multiple devices to access records, from mobile phones and tablets to multi-function printers. Without proper steps taken to ensure security, healthcare organisations and the patients that depend on them can fall prey to malevolent cyber forces.
Cyber crime – What’s the risk?
Aside from generic threats such as that posed by WannaCry, which effectively held to ransom the data of many businesses globally across many different sectors, healthcare organisations also face the risk of security breaches that target them specifically. According to a report by the Independent, stolen medical information can be many times more valuable to criminals than financial data. “Hackers can sell large batches of [patient data] for profit on the black market,” security expert Jean-Frederic Karcher told the publication. He went on to say that “medical information can be worth ten times more than credit card numbers on the deep web… fraudsters can use this data to create fake IDs to buy medical equipment or drugs.”
With this in mind, healthcare professionals need to exercise extra vigilance when it comes to electronic patient records, antivirus software and threats posed by hackers, malware and ransomware. In the case of the recent security breach which encrypted the data of NHS hospitals and surgeries across the country, and at least 15 other healthcare organisations, it was a simple flaw within the Windows XP operating system which was exploited by hackers seeking financial gain.
While such security loopholes in software and operating systems are relatively commonplace and are regularly plugged by developers via updates and patches, in this instance there was a substantial human factor in play. Though the attack took place in May, affecting more than 300,000 computers globally, Microsoft had released a patch to fix the vulnerability in March. The problem was that many people hadn’t installed the patch. One lesson to be learned here is that you should always keep your software up to date and install any patches sent by the vendor.
A rude awakening on cyber security
Brad Smith, the president of Microsoft, described the attack as a ‘wake-up call’ for governments and organisations around the world. Though Theresa May stated at the time that there was no evidence that electronic patient records were compromised, major disruptions continued during the week after the breach. Fortunately, in this instance, it was possible to remove the virus using anti-virus software and by carrying out manual removal in safe mode, but this may not be the case for future attacks. With this in mind, the best defence is robust prevention. The following steps are recommended for all healthcare organisations, and may well prevent your systems and data falling foul of hackers, malware, ransomware and other forms of cyber crime.
- Always install updates and patches – Software vendors and other IT professionals regularly identify security flaws and release updates which will fix them. However, it is up to all users and IT administrators to ensure that these patches are applied. Where possible, set your software to update automatically.
- Avoid suspicious emails – Be wary of any unexpected or unusual emails, even if they appear to be from a known source, and never open an attachment without knowing what it is and whether it comes from a trusted source.
- Secure and encrypt your files – Protect your data in the event of a security breach by adding encryption and passwords via software such as Nuance’s Power PDF. Power PDF provides 128-bit and 256-bit AES encryption, with password protection and adjustable permissions.