Are healthcare organisations addressing compliance regulation properly?

Today’s cybercriminals place more value on patient healthcare data than on credit card data, and the attraction is evident from the fact that cybercriminals are mercilessly targeting healthcare organisations. In 2014, 42.5 per cent of the total number of breaches identified by the Identity Theft Resource Center occurred in the medical and healthcare sector.

So at a time when many healthcare organisations are shifting medical records to an electronic form, the challenge of securing systems, cloud storage, appropriate access and confidentiality is getting harder — all within an environment where immediate access to data is literally life and death.

It’s a challenge no-one’s envious of, especially with compliance regulation getting stricter every year and especially since the Information Commissioner’s Office (ICO), which enforces the Data Protection Act, was given greater authority by the UK government last year to audit NHS organisations’ data security.

Given increasing compliance requirements, we assessed how much attention healthcare organisations are paying to the standards and regulations set by the NHS and the ICO. The research uncovered some truly shocking insights into the state of security, which is no doubt putting sensitive data at risk.

Here’s what we found:

Network access

NHS policy states that user actions on a network must be identifiable to an individual. But our research shows that 44 per cent of healthcare workers in the UK do not have a unique ID to log on to the network. More alarming still, we found that 36 per cent of healthcare organisations in the UK do not restrict access to networks behind any kind of password at all, unique ID or otherwise!

Logging off

NHS Scotland’s security policy stipulates that healthcare organisations should never leave the logoff procedure to the user, simply because employees are human and may forget to log off from time to time. However, just 28 per cent of UK healthcare workers are automatically logged off their network after being inactive for a period of time.

Access to patient data

Under section 7 of the Data Protection Act 1998, responsibility for access control lies with the ‘data controller’, essentially the authorised entity that determines the purposes for which, and the manner in which, various employees process personal data. This highlights the need for policies and procedures with regard to access control. Our research found, however, that a whopping 69 per cent of UK healthcare workers have access to patient data.

Training

NHS England, Scotland and Wales each state that healthcare organisations must implement a security awareness and training programme for all members of the workforce, including management. Given these requirements, it was surprising to see that, in our research of healthcare organisations in the UK, 48 per cent of employees do not receive any security training whatsoever.

Training doesn’t stop at new recruits though. In the UK, NHS security policies specifically state that information governance training is mandatory, and all staff must take part in annual online information governance training. However, just 41 per cent of healthcare organisations in the UK offer training to employees who no longer fall under the category of 'new recruits'.

The Information Commissioner, for one, slammed the NHS’ approach to security training by highlighting the fact that the NHS is one of the worst performers. His opinion is hardly surprising, since just 23 per cent of UK IT professionals believe senior management take any responsibility for security, something that simply must change.

Policies and procedures

Presenting a security policy to all new starters is imperative and formal agreement to a policy is a requirement in the NHS in England and Scotland. However, only 31 per cent of healthcare employees admitted seeing a security policy when starting their job, let alone signing one.

Another procedural requirement for any organisation operating under NHS policies is regular security audits. Just 26 per cent of respondents are aware that their organisation does regular security audits. While many of these audits may happen under the radar, healthcare organisations must be more transparent about when audits are happening. Transparent auditing reminds employees to be vigilant, and can even deter potentially malicious activity.

Moving to a new organisation

NHS Scotland’s security policy highlights the importance of an employee-exit process: 'When an employee terminates employment with the employing health board, all property must be returned.' However, just 40 per cent of UK healthcare employees overall say that their organisation switches off network access for ex-employees.

Asking those who have left a job in the same sector within the last five years, a worrying 27 per cent in the UK say they continued to have access to their previous employer’s network. Only 39 per cent said their user account underwent a formal de-registration process. Naturally, if organisations do not issue unique user IDs, as described in the previous sections, it is very difficult to enforce a de-registration process for them. But if organisations meet this basic requirement, a formal exit process should be simple, and it is an extremely important measure in ensuring that ex-employees (who are more likely to have the motivation to take malicious action) don’t continue to have access to your sensitive data.

François Amigorena, CEO, IS Decisions