Chris Wysopal, co-founder, CISO and CTO at Veracode discusses why the health service needs to celebrate its cyber-successes if it’s to succeed in building trust in digitised services.
The British government is actively pursuing its ‘digital by default’ programme across many parts of the public sector.
Despite the obvious benefits of digitisation, the question of data security has consistently proved a challenge. In no sector is this more applicable than in health, where the government’s Care.data programme continues to struggle to get off the ground.
In December, the National Health Service (NHS) Watchdog raised 27 questions about the programme, challenging issues such as how GPs would meet their legal responsibilities to comply with the Data Protection Act, which will need to be addressed before the programme is implemented.
The delays in national digitisation programmes are not surprising as the threat to sensitive patient data becomes increasingly clear. The attack by Chinese cybermilitary units on the American healthcare provider Community Health Systems Inc. demonstrates that cyberattackers are actively targeting healthcare providers. That attack, in which the personal data of 4.5 million patients was stolen, was a bid to obtain personal health information for sale on the dark web.
The 'enemy within'
Data security in healthcare goes beyond even the challenge of embedding it into large-scale digitisation schemes, like Care.data. The NHS is also facing a threat from inside the organisation - often from employee actions which are completely unintentional.
One example of this is in the rise of mobile devices in the workplace. Mobile devices which are connected to the network can be of enormous value to health workers. For example, hospital workers benefit greatly from having a wealth of patient and organisational information at their fingertips.
Delivering critical patient information to doctors and nurses in real time could be a matter of life or death in some extreme circumstances. This requires a security model in which patient data is easy to access, so patient privacy must instead be enforced by auditing access and detecting anomalous access.
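To make that model concrete, here is an added example (not from the article or from Veracode) of the kind of detection that an audit-based model relies on: it runs three review rules over a constructed electronic-record access log. The users, patient IDs, care-team assignments, thresholds and working hours are all assumptions constructed for illustration.

```python
"""Anomaly detection over a constructed patient-record audit log.

Added example, not code from the article. Every record, user, assignment
and threshold below is a constructed assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed care-team map: which patients each user is assigned to treat.
ASSIGNMENTS = {
    "dr.patel": {"P001", "P002", "P003"},
    "nurse.ali": {"P001", "P004"},
    "admin.jo": set(),  # administrative staff with no clinical assignments
}

# Constructed audit events: (ISO timestamp, user, patient record accessed).
AUDIT_LOG = [
    ("2015-03-02T09:05:00", "dr.patel", "P001"),
    ("2015-03-02T09:10:00", "dr.patel", "P002"),
    ("2015-03-02T09:12:00", "nurse.ali", "P004"),
    ("2015-03-02T09:20:00", "nurse.ali", "P009"),  # patient not assigned
    ("2015-03-02T23:40:00", "dr.patel", "P003"),  # out of hours
] + [("2015-03-02T10:%02d:00" % i, "admin.jo", "P%03d" % (100 + i))
     for i in range(25)]  # constructed burst of record lookups

BULK_THRESHOLD = 20           # accesses within one window that warrant review
BULK_WINDOW = timedelta(minutes=30)
WORKING_HOURS = range(7, 20)  # 07:00 to 19:59 treated as normal (assumption)


def detect_anomalies(log, assignments):
    """Return (rule, user, detail) tuples for access events worth review."""
    alerts = []
    per_user_times = defaultdict(list)
    for ts, user, patient in sorted(log):  # ISO timestamps sort lexically
        when = datetime.fromisoformat(ts)
        per_user_times[user].append(when)
        # Rule 1: access to a patient outside the user's care assignments
        if patient not in assignments.get(user, set()):
            alerts.append(("unassigned_patient", user, patient))
        # Rule 2: access outside normal working hours
        if when.hour not in WORKING_HOURS:
            alerts.append(("out_of_hours", user, ts))
    # Rule 3: bulk access, i.e. too many records inside a sliding window
    for user, times in per_user_times.items():
        start = 0
        for end, when in enumerate(times):
            while when - times[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                alerts.append(("bulk_access", user, len(times)))
                break
    return alerts
```

In practice each alert would be routed to a privacy officer for review rather than blocking the access, which is the point of the easy-access model above.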
However, many of these employees don’t understand the risk posed to that highly sensitive data by downloading a fake ‘Flappy Bird’ app onto such a device. The use of mobile devices like laptops, smartphones and tablets has become indispensable in nearly all sectors of work, whether provided by employers, Bring Your Own Device (BYOD) or Choose Your Own Device (CYOD).
However, with the benefits of mobile working comes a new attack vector for cyber criminals. With cyberattackers increasingly targeting vulnerabilities in mobile applications, it is essential that health trusts and hospitals take the necessary steps to secure this expanded perimeter.
The "zero trust" approach
The health sector is becoming increasingly responsive to the threat that cyber attackers pose. Veracode has found evidence that some NHS hospitals and trusts are not only significantly increasing their cybersecurity spend, they are also spending it intelligently to mitigate new and emerging risks.
Some are taking a “zero trust” approach and building applications and systems that don’t inherently trust people and devices based on where they are on the network.
Yeovil District Hospital NHS Foundation Trust, for example, has been making significant investments to protect patient information. As part of the fivefold increase in its cyber-security spending over the past two years, over £54,000 has been invested in mobile device management (MDM) technology since 2013.
MDM policies reduce the risk of data breaches by preventing malicious apps from being downloaded onto mobile devices, thereby helping to prevent the theft of sensitive patient data.
It’s encouraging to see hospitals such as Yeovil NHS Trust move away from the ‘all we need is a firewall’ mentality and into the age of thoughtful cybersecurity investments that address new attack vectors such as mobile applications.
It is important that these practices are recognised and replicated across the industry. We need beacons of best practice to show that cybersecurity measures are a worthy investment that securely enables digital innovation, helping over-stretched staff and improving the overall patient experience.
Care.data has a challenge ahead – not only to answer all the queries of the NHS Watchdog – but also to convince the wider public that it can be trusted with protecting their data.
With the ongoing cycle of cyberattacks by organised criminals and nation-states, it’s never been more important to celebrate NHS trusts and hospitals that are making the right decisions to keep their data safe.
Demonstrating that the NHS does understand the new threat landscape, and is acting thoughtfully, is the first step in enabling all of us to participate and trust in the new age of digital healthcare.
The government is calling for patients to take a proactive role in managing their healthcare and it is this same proactive approach from the NHS that will protect our patients’ data from the threat of cyber-attacks.