The nation is rightly proud of the incredible response by the NHS to the Covid-19 pandemic. We continue to see superhuman logistical efforts to put facilities and systems in place to treat patients, as well as the immense daily courage of frontline staff who are caring for victims of the virus.
Away from the patient-facing front line, staff in departments from finance and HR to research laboratories and pathology worked round the clock to keep the NHS operating at a sustained high-performance level as the fast-paced crisis unfolded. Many are still working from home as they follow guidelines to slow the spread of the virus. For most this is unfamiliar; healthcare is traditionally a very location-centric industry, physically focused around patient centres.
Efficient communication and data sharing are a cornerstone of informing the virus response strategy and keeping the NHS and other private healthcare settings, such as care homes, operational. We’ve seen this importance rightly reflected in guidance from the Information Commissioner’s Office, which states: “Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.” Health and Social Care Secretary Matt Hancock has implemented a six-month order for healthcare organisations to share patient data to fight coronavirus, above and beyond normal data sharing practices. However, the message from the Government is also clear when it comes to data protection: “We would expect any organisation to share information within legal requirements set out under GDPR.”
Inevitably, there is risk to this data as it’s shared across national and local NHS bodies, with arm’s-length government organisations and local authorities, as well as with private healthcare providers. But where do the most common risks lie, and what does this mean for the teams implementing efficient yet secure data sharing practices?
Top risks to be aware of and their causes
As part of the 2020 Egress Insider Breach survey, we asked 1000 employees and 105 IT leaders in the healthcare sector about their views on data security and the reasons breaches occur. Among the workers who had accidentally caused a data breach in the past year, the incidents were attributed to these top three risk vectors:
- Sending information to the wrong person, for example via email (37 per cent)
- Clicking on a phishing link (37 per cent)
- Responding to a spear phishing email (11 per cent)
When we asked why they had accidentally breached data, some common causes arose:
- 20 per cent said it was because they were using a mobile device
- 20 per cent put it down to rushing
- 10 per cent attributed their mistake to tiredness
All these factors are only compounded by a pandemic. Frontline healthcare staff are working round the clock to provide vital, life-saving services, and the use of mobile devices has grown exponentially for those that can work remotely.
But these insights shouldn’t inspire a sense of inevitability about data breaches or prompt fear or uncertainty. In fact, they can help inform healthcare organisations’ responses to the current data sharing environment.
Protecting data shared via email
We know that sharing patient data is of crucial importance right now. Ideally, security should support what needs to be done without getting in the way, while still protecting sensitive data.
When it comes to email, most NHS employees have access to NHSmail, a secure email solution for protecting patient data. Egress Protect was adopted by NHS Digital as the email encryption solution for NHSmail in March this year. NHSmail enables NHS employees to send encrypted emails to insecure domains, such as patient email addresses and other areas of the health and care sector, and recipients can read and reply safely to encrypted emails.
When sharing healthcare data via NHSmail or any other tool, we would encourage users to ask themselves:
- Is it appropriate to share the level of information with the recipient? As mentioned before, the Government is more flexible about what can be shared but there are still limits.
- Are the recipients authorised to access the information I’m sharing? If they’re not, this data is at risk of a breach.
- If I’m not using NHSmail, can I ensure no unauthorised recipient can access the data? That is, is the system secure from external attack, and can an intended recipient take unintended actions with the data?
Responding to phishing and spear-phishing – cybercriminals cash in on chaos
Our research found phishing and spear-phishing together are the most common causes of accidental data breaches in the healthcare sector. Sadly, the Covid-19 crisis is likely to exacerbate this problem as disruption creates the ideal environment for phishing campaigns – despite claims by some cybercriminals that they’re not targeting healthcare workers for now.
NHS Trusts have been granted access to large central emergency funds, and finance and procurement teams need to buy essential items as fast as possible. Similarly, private sector healthcare settings, such as care homes, are also having to act fast to purchase scarce equipment as soon as it becomes available. As a result, verification processes may be shortened and rapidly digitised in order to meet demand. To add to the pressure on finance departments, the crisis came at the financial year-end, when many are working long hours in any case to finalise accounts.
This won’t have gone unnoticed by cybercriminals; we will see an uptick in phishing and spear-phishing attempts aiming to take advantage of under-pressure procurement and finance teams in the hope that they’ll make mistakes and allow criminals to get their hands on those emergency funds.
So what practical advice can help healthcare workers at this time?
- Challenge everything. Time is obviously a scarce resource for healthcare workers right now – but it’s definitely worth verifying anything unexpected in your inbox, including invites to events, promises of PPE, and financial offers.
- Hover over links before you click them. In fraudulent emails, the actual URL will take you somewhere other than where you intended to go. So, for example, if you receive an email from HMRC, hover over the links to ensure they take you where you expect.
- Tell someone. If you’re worried about an incident, it’s far better to report it to your internal IT or security team, or even to your manager, and have it dealt with quickly.
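The “hover over links” check above, automated as an added example that is not Egress’s code or tooling: it parses the anchors in a constructed HTML email body and flags any whose visible text names one domain while the href actually points at another. The domain names in the sample are placeholders, and comparing only the last two labels of a hostname is a simplifying assumption (a production check would consult a public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registered_domain(host):
    # Assumption: last two labels identify the owner; real code would use a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def find_deceptive_links(html_body):
    """Return (visible_text, href) pairs whose visible text names a domain
    different from the one the href actually points at."""
    p = _AnchorCollector()
    p.feed(html_body)
    flagged = []
    for href, text in p.anchors:
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if "." not in shown_host:
            continue  # a label like "Order PPE" names no domain to compare
        real_host = urlparse(href).hostname or ""
        if _registered_domain(shown_host) != _registered_domain(real_host):
            flagged.append((text, href))
    return flagged

# Constructed sample body: one honest link, one deceptive link, one plain label.
SAMPLE_EMAIL = """<p>Rebate details: <a href="https://www.gov.uk/hmrc">https://www.gov.uk/hmrc</a></p>
<p>Confirm here: <a href="https://hmrc-refund.example.net/login">www.gov.uk/hmrc</a></p>
<p><a href="https://intranet.example.org/ppe">Order PPE</a></p>"""
```

Calling `find_deceptive_links(SAMPLE_EMAIL)` returns only the second link, which is displayed as www.gov.uk/hmrc but points at hmrc-refund.example.net.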
What does the future look like?
At the time of writing, the Covid-19 pandemic continues, but at some point in the future it will be appropriate for the security community and healthcare organisations to reflect on the risks faced and the solutions implemented at this time in order to develop our future responses.
Everything discussed above has been viewed through the lens of ‘human layer security’, which is about making sure individuals are able to work productively and securely. Using AI and machine learning technologies, it is now possible to identify the risk points in employees’ working processes and ensure there is a safety net to support them when they are vulnerable to tiredness, rushing and stress, preventing them from making mistakes. This includes, for example, detecting when emails and attachments are about to be sent to incorrect recipients, or alerting a user to the fact that they’re replying to a fraudulent email. The implications of this technology for healthcare are incredible, not just at times of crisis but also in helping staff with their everyday tasks ‘when the world returns to normal’. Healthcare workers are ‘always on’, providing crucial services at all hours of the day and night; they deserve security that’s right there with them, all the time.
Tony Pepper, CEO and Co-Founder, Egress