Cyber Security in the Healthcare Sector

There have been numerous reports of cyber attacks against companies in the healthcare sector over the last few years, and the frequency and impact of these incidents is increasing.

Healthcare companies are prime targets for cyber criminals.  They hold large quantities for sensitive personal information about their clients (which can be very valuable for a number of purposes including identity fraud) and they may also hold IP and other commercially sensitive information about new product developments.

However, many healthcare companies lack the IT security and corporate governance measures adopted by businesses in other sectors which hold large quantities of customer data such as retail, telecommunications and financial services, and they have neither the resilience to resist attacks nor processes to enable them to detect when an attack is occurring.

The importance of managing customer data securely will increase when the General Data Protection Regulation is implemented in early 2018.  Monetary Penalty Notices (or fines) imposed by the Information Commissioners Office will increase from the current maximum of £500,000 to a new maximum of 4% of a business’s global turnover.

In addition to regulatory fines, a cyber attack leading to loss of sensitive information about patients could, of course, have widespread commercial implications such as legal claims by those affected and serious damage to reputation, especially if the data loss leads to a media storm.

So what should healthcare companies do to build up their resilience to a data breach?

The first important step is to recognise that data security is not just an IT issue.  It is, of course, important to have good up to date IT systems with the best possible levels of security.  However, it is also important for all organisations to recognise that data security is a matter of corporate governance and it should be treated as a board level issue.

The importance of data security should be made clear to all employees, and the messages constantly reinforced.  You should have clear procedures for IT usage including, if relevant, provisions governing home working and the use of detachable media.  You should also have a strong data protection policy which if properly followed will ensure the business not only fulfils the current data protection obligations but also the requirements under the forthcoming Regulation.

You should review your insurance policies to check whether you will be insured for all the potential consequences of a data breach.  Many businesses mistakenly think that a cyber attack will be covered by their existing insurance policies.  In fact, most businesses are not insured at all for many potential consequences of a cyber attack.

If other organisations or individuals are provided with access to your IT systems or process your patients’ or customers’ data you should ensure that they have satisfactory security measures in place, otherwise you could face the consequences of their data breach.  Where possible include minimum security provisions and audit rights in third party contracts and make sure that suppliers are obliged to take out insurance.

Finally, although the steps above will help to minimise the risk of a data breach, however robust your IT security and governance there will always be a risk that an incident will occur, and you should have an incident management plan in place enabling you to act swiftly and decisively if you are the victim of a data breach.  The incident management plan will contain information on the steps you should take to contain the incident; communicate with the media, regulators and individuals whose data has been compromised; manage any claims; and generally protect and recover your position.  The incident management plan and all relevant policies and procedures should be reviewed on a periodic basis to ensure they continue to meet the needs of your business.

With good corporate governance and effective risk management, the likelihood and impact of a data breach can both be significantly reduced and you can be confident that you comply with your data security obligations.

If you would like assistance in developing your cyber security strategy or handling a data breach please contact [email protected].