At 36 per cent, the health industry continues to be the sector responsible for the largest percentage of disclosed data breaches by industry in 2012, writes Alex Burnham.
The Irish health sector is at great risk of data security breach or theft.
Globally, the health sector is faced with the challenge of balancing the requirements for increased efficiencies and ensuring that patient records are available to those who need them when necessary, against protecting the confidentiality of the patients’ data and, in the Irish context, compliance with the Data Protection Act(s) 1988 and 2003.
The health sector in Ireland retains a large volume of sensitive information related to its patients. This data could be either financial or health related and may be collected through a range of methods and stored on a large number diverse IT systems with limited integration. Such health IT systems store a range of confidential personal information such as:
- Patients’ names, patients’ bank details, PPS numbers, contact details and addresses
- Medical, clinical and social care data.
At 36 per cent, the health industry continues to be the sector responsible for the largest percentage of disclosed data breaches by industry in 2012.
Whether stolen or accidentally disclosed, patients’ identities are lucrative. Medical records are worth as much to crooks as credit-card numbers. They contain more information, and can be used for identity theft, health insurance fraud and to obtain prescriptions for controlled drugs. Research has identified that a single record, such as a patient’s record, that is suitable for use in identity theft, is worth as much as €20 on the black-market.
The risk of loss or theft of unencrypted mobile devices still poses a risk. This risk is significantly increased where personal devices such as laptop, dictaphones, USB storage devices and mobile phone are used.
Recently we have also seen an increase in instances where malicious code is surreptitiously installed onto an organisation’s IT system which then encrypts the data and then requires a payment to decrypt the data – Ransomware. The data is rendered inaccessible until the hackers extort payment from the organisation. The impact that such code could have on the operations of a hospital is hugely significant, therefore simple controls like having up to date anti-virus software and the prompt and timely installation of security vulnerability patches will assist in the prevention of such an attack.
Medical records are worth as much to crooks as credit-card numbers.
Valley View Hospital virus breach affects 5,400 patients – Hacked hospital computer systems contracted a virus that collected patient information and disclosed it to a third party. (Healthitsecurity.com)
Data breaches within the health sector can have significant financial and reputational ramifications.
NHS Trust fined £325,000 following data breach affecting thousands of patients and staff. The data breach occurred when an individual engaged by the Trust’s IT service provider, was tasked to destroy approximately 1000 hard drives. 4 of these hard drives were subsequently purchased on the internet containing all of the data. (ico.org.uk)
Steps to avoid a breach
Mazars experience of IT audit and security consultancy within the health sector both in Ireland and the UK has identified the following eight high level steps to reduce the risk of a data breach:
- Staff training and awareness are important first steps in reducing the risk of a data breach. Strong IT security and Data Protection policies should be developed. Compliance testing should be conducted on an ongoing basis.
- Access management – Access to all data should be restricted to individuals that have a need to access the data. Frequent reviews of access should be conducted with the data owners.
- Strong anti-virus and internet filtering solutions – all devices should be protected with an anti-virus/malware solution.
- Controlling the use of mobile devices – the increased use of mobile devices presents a number of significant challenges to the security of your data. With the large amount of data that can now be stored on a USB device the risk of a data breach increases. Restricting the use of USB and other portable devices should be considered. Encryption must be used when sensitive data is stored on any portable device (Laptop, USB, Dictaphone, etc.).
- Encryption – where sensitive data is processed, stored or transmitted, the use of encryption must be considered. This is particularly relevant where data is accessed over the internet or where usernames and passwords are being used.
- Penetration and internal vulnerability security tests – vulnerability tests should be conducted on websites and externally facing services but also on internal network and infrastructure.
- Control over third party support providers – current trends identify the increased use of third party support providers, cloud solutions or external service providers. Organisations must ensure that any third parties protect your organisational data. Acceptance of confidentiality and right to audit clauses are very important.
- IT audit – regular IT audits or reviews of the security controls protecting the organisation’s data should be conducted by competent and experienced professionals.
How secure and compliant with the Data Protection Act(s) are you?
Alex Burnham, IT Audit and Security Manager, Mazars Ireland. Tel +353 (0)1 512 5563