The healthcare industry is not doing nearly enough to protect sensitive patient information, data protection expert Forcepoint warned in a CISO roundtable hosted in partnership with CNME and tahawultech.com.
Duncan Brown, Forcepoint’s chief security strategist for the Europe, Middle East and Africa region, kicked off the seminar with a selection of regional healthcare technology experts by discussing some of the challenges that healthcare providers face in managing patient data.
He highlighted how the UK’s National Health Service was “collateral damage” to 2017’s WannaCry ransomware attack, which ground operations to a halt for a third of the UK’s hospital trusts.
“It’s key that you can prove to the board that you’ve tried to prevent an attack,” Brown said. “There’s often an attitude with cybersecurity that ‘if it ain’t broke, don’t fix it’, but 10% of UK hospitals still had machines running on Windows XP. Tests carried out before WannaCry showed that 88 out of 236 trusts weren’t meeting the necessary cybersecurity standards – look what happened.”
Brown also used the example of a Portuguese hospital that was forced to pay a fine of €400,000 after failing to manage the ways its doctors accessed data, causing them to be in breach of GDPR. “All doctors had access to all patient accounts,” Brown said. “If your access is out of control, you have no control.”
Brown went on to highlight some of the biggest challenges that healthcare technology decision makers face, including the value of data they need to protect, and securing the necessary organisational buy-in for IT. “The most concerning thing about healthcare is the nature of the data we’re protecting,” Brown said. “It’s personal, sensitive data. It must be protected as a priority. Doctors understandably want to see money spent on patients instead of IT, but technology also helps to protect patients in other important ways. Healthcare providers owe it to patients to protect their data. Medical practitioners sometimes overlook the reality that that’s a moral obligation.”
Brown went on to highlight the need to strike a balance between protecting patient data and sharing it where necessary, since sharing can help to deliver a better outcome for the patient.
“The second major issue is that as well as protecting data we also want to share it where appropriate,” he said. “If you see a GP and are referred to a specialist or consultant, you want data to be shared so that it doesn’t impair the right outcomes. There’s a balance that has to be struck of sharing data for medical and research purposes in a controlled, predictable way.”
Brown added that the healthcare industry has not yet prioritised data protection to the same degree as other critical industries.
“Health data has value,” he said. “If a credit card is stolen, the data value is measured in minutes and maybe hours – the time that the threat actor has to monetise it. Financial services companies and banks have the infrastructure and legacy to understand criminal transactions and fraud. That’s reassuring.
“Healthcare doesn’t have that background in protecting data. Banks cancel cards within hours. Healthcare data is stolen for life and can be monetised through being sold for blackmail and other sensitive means. It’s much more valuable to attackers.”
Brown was followed by Ozgur Danisman, Forcepoint’s head of sales engineering for the Middle East, Turkey and Africa region, who highlighted the importance of building flexible data access policies. Forcepoint has added a layer of behavioural analytics to its platforms, which records activity as evidence instead of blocking access across the board for certain users, he said. “In this day and age you cannot have black and white policies for data access,” he said.
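The two access-control ideas raised at the roundtable, the Portuguese hospital where every doctor could read every patient record, and Danisman’s point that a policy can record unusual access as evidence rather than simply blocking it, can be illustrated with a small access check. The code below is an added example written for this article; it is not Forcepoint’s product code and does not describe how its analytics layer works. The patient and clinician identifiers, the care-team index and the read-count threshold are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample data: which clinicians are on each patient's care team.
# In the GDPR case described above the equivalent index effectively granted
# every doctor every patient, which is what the check below is meant to prevent.
CARE_TEAMS: Dict[str, Set[str]] = {
    "P-1001": {"dr_amari", "nurse_lee"},
    "P-1002": {"dr_okafor"},
    "P-1003": {"dr_amari"},
}


@dataclass
class AuditEvent:
    """One recorded access attempt; kept as evidence whatever the decision."""
    when: str
    clinician: str
    patient: str
    in_care_team: bool
    decision: str  # "allow", "deny" or "allow-flagged"
    reason: str


@dataclass
class AccessPolicy:
    # "block":   deny any read outside the care relationship (the black-and-white policy).
    # "observe": allow the read but record it, and flag the clinician once the number
    #            of reads outside their care relationship reaches the threshold.
    mode: str = "block"
    unrelated_reads_threshold: int = 3  # hypothetical value for the example
    audit_log: List[AuditEvent] = field(default_factory=list)
    _unrelated_reads: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, clinician: str, patient: str,
                 now: Optional[datetime] = None) -> AuditEvent:
        """Decide whether `clinician` may read `patient`'s record and log the attempt."""
        when = (now or datetime.now(timezone.utc)).isoformat()
        team = CARE_TEAMS.get(patient)

        if team is None:
            event = AuditEvent(when, clinician, patient, False, "deny", "unknown patient")
        elif clinician in team:
            event = AuditEvent(when, clinician, patient, True, "allow", "care relationship")
        elif self.mode == "block":
            event = AuditEvent(when, clinician, patient, False, "deny",
                               "outside care relationship")
        else:
            # Observe mode: the read goes ahead, but it is counted and becomes evidence.
            count = self._unrelated_reads.get(clinician, 0) + 1
            self._unrelated_reads[clinician] = count
            if count >= self.unrelated_reads_threshold:
                event = AuditEvent(when, clinician, patient, False, "allow-flagged",
                                   f"{count} reads outside care relationship")
            else:
                event = AuditEvent(when, clinician, patient, False, "allow",
                                   "outside care relationship; recorded")

        self.audit_log.append(event)
        return event

    def flagged_clinicians(self) -> Set[str]:
        """Clinicians whose behaviour crossed the threshold; the input to a review."""
        return {e.clinician for e in self.audit_log if e.decision == "allow-flagged"}


if __name__ == "__main__":
    strict = AccessPolicy(mode="block")
    print(strict.evaluate("dr_okafor", "P-1001"))

    observe = AccessPolicy(mode="observe", unrelated_reads_threshold=2)
    for pid in ("P-1001", "P-1003"):
        print(observe.evaluate("dr_okafor", pid))
    print("flagged:", observe.flagged_clinicians())
```

The point of the second mode is not that unrelated reads are acceptable, but that a clinician covering a colleague’s ward at 3 a.m. has a legitimate reason the care-team index does not know about; recording every such read, and flagging a pattern of them, gives the organisation evidence for a review without a hard block that clinicians will route around. Both modes produce the same audit trail, which is what a regulator will ask to see.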