Cybercrime costs the UK several billion pounds per year. Indeed, a recent government report showed that 46% of all businesses identified at least one cyber attack in the last year, with 74% of directors regarding cyber security as a high priority issue for them.
This is a particular problem in healthcare, with a number of high profile breeches earlier this year in the industry. I wrote earlier this year about a study from Michigan State University, which found around 1,800 large data breaches in patient information over a seven-year period in the United States alone.
“Our findings underscore the critical need for increased data protection in the health care industry,” the authors say. “While the law requires health care professionals and systems to cross-share patient data, the more people who can access data, the less secure it is.”
A recent paper has mixed messages for the sector, for whilst it provides some strategies that can be deployed to shore up security, the authors also suggest that many of them may be impossible to implement.
“There are things we can do to reduce the risk but it is very hard to perfect IT security, especially given the needs of modern hospital systems to have things moving between places and increasing demand for patient-facing access,” the authors say. “To some extent, these attacks are inevitable.”
Mitigating the risk
The authors outline a number of steps that IT teams can undertake to try and prevent attacks. These include workforce training, retaining cybersecurity expertise, patching operating systems, and reporting attacks promptly to authorities. They also recommend more strategic, nationwide steps, even though those may be harder to accomplish.
It’s crucial that government efforts to improve security are coordinated, as too often responses have been fragmented and disjointed. This was certainly the case after the recent WannaCry attack, where the response was split between many different agencies.
This could involve the creation of a Joint Commission, which would have the ability to accredit hospitals according to their data security standards. This might help to ensure the highest standards are upheld.
It’s particularly prickly in the case of ransomware attacks, for whereas it might be easy to suggest CIOs act in unison and openly state they will not pay any ransom requests, when lives are on the line it’s easy to imagine pressure mounting and their hands being forced by patients.
“If I were a hospital CEO, it’s one thing to make this pledge ex ante, but it’s another thing when you have a population of patients who need health care to stick by it,” the authors say.
Data governance is an issue of growing importance in the healthcare industry, not only in terms of data security but also in terms of good management of data that is being used to underpin the numerous machine learning applications entering the sector.
It is therefore, an issue that health officials and hospital managers will need to get to grips with sooner rather than later.