A Sky News investigation recently revealed that NHS Trusts are putting patients at risk by not protecting patient data. Furthermore, freedom of information requests revealed that seven NHS Trusts spent nothing on cybersecurity in 2015 and 45 Trusts were unable to specify their budget. The average spend on cybersecurity across Trusts was £23,040. While there may be exceptions, the proper management, protection and storage of patient data is not being given the attention it deserves.
This is particularly worrying considering that data breaches, of various types, are on the increase in the UK healthcare sector. Sky’s investigation revealed that Trusts are suffering an increasing number of personal data breaches, from 3133 in 2014 to 4177 last year, and that cyber incidents are accounting for more breaches, from eight in 2014 to 60 last year.
It’s not easy to put a cost on security breaches in healthcare. The impact on the delivery of patient care is clearly the most critical, although there are also severe financial repercussions, huge impacts on staff morale and confidence (that can lead to attrition and the loss of key personnel), as well as effects on a hospital’s reputation. We need only look at Lincolnshire and Goole NHS Foundation Trust, which recently had to cancel hundreds of planned operations and outpatient appointments after its systems were infected by a virus, to comprehend the huge impact compromised data can have on patient care. Understandably, this was treated as a “major incident” and the fall-out was significant.
The report highlighted that cybersecurity was weak for a number of reasons, notably due to out-of-date software. We believe most NHS hospitals operate between 200 and 300 applications in the background for the preservation of historical data or for legal/compliance reasons, but these legacy systems are fraught with security issues and running them carries significant risks. Not only are older technologies, whether hardware or software, more prone to failures, outages and corruptions, but they also present security loopholes. We strongly believe that the NHS must prioritize the retirement of legacy applications if it hopes to tackle cyber-attacks. What’s more, retiring applications has the side benefit of saving a significant amount of money and resources that could be redeployed on cybersecurity tools and measures (or other projects). The main point is that patient data must be moved into a safe environment while still being accessible to those who need it, when they need it, at the point of care.
Minimizing or preventing downtime following a security breach is paramount and disaster recovery is an essential part of any cybersecurity policy, particularly when it comes to ransomware. Trusts must ensure that they have a robust data backup – whether via secondary datacenters, cloud and/or tape – and, more importantly, a robust recovery strategy, for both physical and virtual machine environments, to ensure that patient data remains available and accessible regardless of the nature of the breach.
System and data recovery in healthcare needs to be taken seriously and, if you’re really serious about it, you need to test that your recovery strategy works. Trusts need to know that their systems would stand up to a cyber-attack and that they could get back to operational status in the shortest possible time to avoid clinical risk and ensure the continuity of patient care.
As the Healthcare Data Management company responsible for protecting critical, primary systems for over 1200 hospitals worldwide, we urge NHS Trusts to consider application retirement and disaster recovery strategies as a matter of priority.