How to Keep Patient Data Safe

The WannaCry attack that happened in May 2017 is still a painful memory for the IT profession. It wasn’t “just” the havoc that it caused or the lives it put at risk, or the fact that it was entirely preventable.

It was, and is, the knowledge that the attack could have been so much worse. WannaCry was about disruption: it encrypted files and demanded a ransom to unlock them, but it did not steal data. An attack that exfiltrated patient records, or paired encryption with a threat to publish what was taken, would be a different order of harm.

This is, or should be, a major concern for anyone involved in healthcare.


How can you keep your patients' data safe?

Protecting data in the healthcare industry isn't straightforward: organisations must make sure patient data is secure and out of reach of external threats. GDPR compliance is critical in this industry, and non-compliance can have severe consequences for a business, including hefty fines and a tarnished reputation.

Patient information may need to be accessed by many different people, but only those with a legitimate need should be able to view patient data and medical histories. Anyone viewing data they are not authorised to see is a breach of GDPR and can lead to a data leak if the data is mishandled or misused.

To keep patients' data safe and secure at all times, here are our best practices:

  • Educate staff on the importance of data security and the impact of data leaks
  • Allow data access to authorised personnel only
  • Log and monitor data access, and review the logs regularly
  • Encrypt data on all devices, including mobile devices that may be used remotely
  • Use off-site document storage so that paper records are secure and out of the way of unauthorised staff
  • Create digital copies of documents for quick and easy access by those who are authorised
  • Dispose of documents by shredding, which makes reconstruction virtually impossible
  • When reviewing or updating data access policies, notify and retrain staff so they are aware of the changes

Staff education is the most important factor in keeping patient data safe and secure. Human error is common, and its impact can be disastrous. Making sure staff understand the GDPR policies, what to do, and the risks of data landing in the wrong hands will help them make sensible decisions and use appropriate caution.

Alongside this, granting data access only to the staff who need it for their role, rather than by seniority, reduces the risk of patients' data reaching external threats. You may also want to consider how staff access data and put access control measures in place, such as passwords, PINs and key cards; these apply to both digital and physical documents.
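The two practices above, "allow data access to authorised personnel only" and "log and monitor data access, and review the logs regularly", fit together: the access check produces the log, and the review looks for what the check alone cannot catch. The following is an added example, not code from the original post or from any named product, showing a need-to-know check on patient records, an audit log of every attempt (granted or denied), and a review routine that flags two patterns worth a human look: denied attempts, and a single user reading an unusual number of different patients' records in a short window, which is what record snooping or bulk copying looks like in a log. All patient ids, user names and histories are constructed for the example; the window and threshold are assumptions to tune for a real practice.

```python
# Added example (not from the original post): need-to-know access control over
# patient records, with every read attempt written to an audit log and a review
# routine that flags the patterns a practice should look at. All names, ids and
# records below are constructed for the example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import defaultdict


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    care_team: frozenset   # user ids with a clinical need to see this record
    history: str


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient_id: str
    granted: bool


class RecordStore:
    """Grants a read only to members of the patient's care team and logs every
    attempt, granted or denied, so the log can be reviewed later."""

    def __init__(self, records):
        self._records = {r.patient_id: r for r in records}
        self.audit_log = []

    def read(self, user: str, patient_id: str, now: datetime) -> str:
        record = self._records.get(patient_id)
        # Unknown ids and unauthorised users are logged and refused the same way,
        # so a caller cannot use the error to find out which patient ids exist.
        granted = record is not None and user in record.care_team
        self.audit_log.append(AccessEvent(now, user, patient_id, granted))
        if not granted:
            raise PermissionError(f"{user} may not read record {patient_id}")
        return record.history


def review_access(log, window=timedelta(minutes=30), max_patients=3):
    """Return the findings a periodic review should surface:
    - every denied attempt (someone tried to read what they should not), and
    - any user who read more than `max_patients` distinct records inside
      `window` (a pattern consistent with snooping or bulk copying).
    The window and threshold are assumed values, not a standard."""
    findings = []
    for ev in log:
        if not ev.granted:
            findings.append(("denied", ev.user, ev.patient_id))

    per_user = defaultdict(list)
    for ev in sorted(log, key=lambda e: e.when):
        if ev.granted:
            per_user[ev.user].append(ev)

    # Sliding window over each user's granted reads, in time order.
    for user, events in per_user.items():
        start = 0
        for end, ev in enumerate(events):
            while ev.when - events[start].when > window:
                start += 1
            distinct = {e.patient_id for e in events[start:end + 1]}
            if len(distinct) > max_patients:
                findings.append(("bulk_access", user, len(distinct)))
                break
    return findings


def demo():
    """Constructed scenario: one legitimate clinician, one denied nurse, and a
    burst of reads that the review flags."""
    t0 = datetime(2024, 3, 1, 9, 0)
    store = RecordStore([
        PatientRecord("P001", frozenset({"dr_jones", "nurse_ali"}), "constructed history 1"),
        PatientRecord("P002", frozenset({"dr_jones"}), "constructed history 2"),
        PatientRecord("P003", frozenset({"dr_patel"}), "constructed history 3"),
        PatientRecord("P004", frozenset({"dr_jones"}), "constructed history 4"),
        PatientRecord("P005", frozenset({"dr_jones"}), "constructed history 5"),
    ])
    # Legitimate reads by a treating clinician, spread over a morning.
    store.read("dr_jones", "P001", t0)
    store.read("dr_jones", "P002", t0 + timedelta(hours=2))
    # A nurse tries to read a patient outside their care team: denied and logged.
    try:
        store.read("nurse_ali", "P003", t0 + timedelta(minutes=5))
    except PermissionError:
        pass
    # The same clinician reads four different records in six minutes: flagged.
    for i, pid in enumerate(["P001", "P002", "P004", "P005"]):
        store.read("dr_jones", pid, t0 + timedelta(hours=3, minutes=2 * i))
    return review_access(store.audit_log)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The point of logging denied attempts alongside granted ones is that a denial is itself a signal: a user who keeps hitting records outside their care team is worth a conversation even though no data was exposed. The bulk-access rule is deliberately simple; in a real practice the threshold would be set from what normal clinical workload looks like, and legitimate exceptions (an emergency "break glass" read, for instance) would be recorded with a reason so the reviewer can tell them apart.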

Secure off-site document storage is also a great advantage to medical practices when storing patients' documents and data. It frees up space in the practice and keeps confidential data away from unauthorised staff. Furthermore, you can store years' worth of documents, which is a great benefit because full medical histories can be retained; you never know when you may need them.

Secure document scanning creates digital copies of documents that can easily be accessed by those who are authorised. This saves time and helps your medical practice stay organised and efficient.

Why the healthcare industry is a prime target for cybercriminals

The key point to understand about cybercrime is that it basically comes in two forms, financially motivated and ideologically motivated, and healthcare data is a prime target for both kinds of criminal. Its appeal to the former can be summarized in the old saying "your money or your life".

If a cybercriminal can take control of information which, quite literally, has a life-or-death impact on a patient, then they can quite reasonably expect that patient to pay whatever it takes to get it back.

Its appeal to the latter can also be financial, since ideologically motivated groups need funds from somewhere, but it can equally be the leverage it gives over an individual.

For example, just as people will probably pay whatever it takes to get their data back, so they could potentially be "persuaded" to do whatever it takes to get it back.

Alternatively, sensitive healthcare data could be used to blackmail people; the health of politicians, for example, is routinely discussed when they are running for or in office.

The basics of keeping healthcare data secure

In principle, data security for the healthcare industry is much the same as data security for any other industry. In practice, however, there are a couple of specific nuances it is worth noting.

There is still a heavy reliance on paper

In most industry sectors, the costs of digitizing paper records are far lower than the costs and risk associated with keeping paper records.

Healthcare, however, is somewhat different. While many types of document can be successfully digitized, other types pose technical challenges, and it can often be safer to keep these in paper format than to risk being unable to defend a legal challenge further down the line. CTG (cardiotocography) traces are a prime example of this.

Although these technical challenges may be overcome in future (or the legal issues rendered irrelevant by the passage of time), for the present, the need to secure paper is likely to remain a major issue for the healthcare industry.

Limited IT facilities encourage the use of personal devices

The state of IT in the NHS is illustrated by the fact that it was still running Windows XP in 2017, three years after Microsoft ended support for it in April 2014.

It is therefore hardly surprising that medical staff often prefer to use their own devices as much as possible. Given NHS budgets, it may be more realistic to focus on making that practice as safe as possible than to try to end it.

Don’t get left behind; Get in touch

If you're a healthcare practice and believe you could be doing more to protect your patient and staff data, our services include document storage, document shredding and document scanning, ensuring that personal and private data is kept secure or destroyed appropriately. Get in touch with our team to find out more.