The pandemic has created the ideal conditions for cyber criminals who are taking advantage of changing habits to steal people’s personal information and their money.
There were an estimated 1.7 million computer misuse offences in the year ending March 2021 according to the Office for National Statistics, up by 85% from the year ending March 2019. Cases of unauthorised access to personal information, which included large-scale data breaches, rose by 162%.
This should concern healthcare providers because the amount of personal data they hold makes them a tempting target. A recent cyber security breaches survey by the Government showed that 58% of private businesses hold personal data about customers but this rises to 80% in the health, social work and social care sector and 82% in the finance and insurance sector. Healthcare organisations consistently report the highest number of data breaches to the Information Commissioner’s Office (ICO). The latest statistics from the ICO for 1 July - 30 September 2021 show there were 435 data security incidents in the healthcare sector, compared with 313 for education and 259 for finance, insurance and credit.
Data security oversights can be extremely costly. In addition to the potential disruption and embarrassment, the ICO could also impose a financial penalty if it finds that you had not done enough to protect users’ sensitive personal data.
However, you can boost your defences by following these steps:
- Invest in security software to protect practice systems from malware such as viruses and ransomware. The software should be set to automatically scan files and webpages and whole system scans should be carried out frequently.
- Don’t use old operating systems, software, internet browsers and apps which are no longer supported by the provider as they will be inherently less secure.
- Maintain a Data Protection Policy to ensure your practice complies with data protection law. This is a set of principles, rules and guidelines which ensures everyone understands their data protection responsibilities.
- Have a practice IT security policy covering aspects of security such as internet and email use, passwords and the safe use of mobile devices (encryption).
- Provide regular training in cyber security for staff and make them aware of the latest threats, e.g. suspicious emails. Non-compliance with the policy should be a disciplinary matter.
- Ensure each person has their own username and password that controls their level of access. Passwords should be changed regularly and never shared.
- Encrypt the sensitive information you send or share and don’t use standard unencrypted email to communicate confidential information as it is inherently insecure.
- Keep track of how data is processed and stored so you are more likely to identify a breach quickly and can take prompt action.
- Ensure all access is logged for security and audit purposes and that staff have a valid reason to access personal and patient data as part of their work.
- Back up your systems so that you can restore your data and get back up and running quickly, e.g. in the event of a cyber-attack.
- Report personal data breaches to the ICO within 72 hours of becoming aware of them, unless you can show that the breach is unlikely to pose a risk to individuals' rights and freedoms (for healthcare organisations, reporting is advisable). Serious cyber-security incidents can be reported to the National Cyber Security Centre (NCSC) which also has advice on how to manage incidents.
- Talk to an IT security professional about your IT security measures. The NCSC has guidance and resources for small businesses or you could sign up to the Government’s Cyber Essentials scheme which should help you guard against cyber-attacks. You can find best practice information for healthcare organisations on the ICO website and NHS Digital (important if you have access to NHS patient data and systems).
- Ask service providers about the measures they have in place to protect your data. You might comply with data protection law but do they?
How does Healthcode protect your data?
As a provider of online services for more than 20 years, Healthcode processes vast amounts of sensitive health and financial data on your behalf. Here are some of the measures we take to ensure our systems and procedures are watertight and present the maximum deterrent for cyber criminals:
- Encryption – our systems are secured following internet banking conventions, using 2048-bit certificates for full end-to-end encryption.
- Enterprise quality – our system infrastructure is designed to contain no single point of failure and is physically located in the UK.
- Data protection by design – we have embedded these ICO principles into all our system and product development projects, from ePractice and The PPR to online appointment booking. Access to services is secured by user credentials and role-based controls.
- Commitment to IT security standards – Healthcode’s internal policies, procedures and controls comply with ISO/IEC 27001:2013 (we first achieved the relevant ISO/IEC accreditation in 2009). We are also certified under the Cyber Essentials scheme after demonstrating best practice across all aspects of cyber security, including configuring systems to minimise vulnerability to cyber-attack.
- Resilience testing – we regularly review our security measures to identify potential weaknesses and ensure systems remain fit for purpose as technology advances.
- Disaster recovery – we take a daily back-up copy of data which is securely stored in a separate UK facility.
- Products and services – Healthcode provides encrypted services to help healthcare organisations share information securely, from Electronic Clearing to secure messaging and file sharing.