Professional Comment

Make Your Patient Data Cyber-Secure by Design

Antonio Weiss, Senior Partner at The PSC (www.thepsc.co.uk/team/team-member/antonio-weiss/) and author of The Practical Guide to Digital Transformation, on how to keep your patient data secure in a digital world.

For several years now in the UK you’re more likely to be the victim of a cybercrime than of physical violence or robbery, with the collective cost of cybercrime projected to reach $10.5 trillion in 2025, more than the entire value of the illegal drugs trade combined.

I’ve seen first-hand the kind of benefits that come from digitalising processes in hospitals and health and care centres, such as patient admission and administration, freeing up valuable time and resources to deliver care to the people who need it. Digital technologies are in this way accelerating patient care by automating lengthy paperwork processes and ultimately freeing up capacity in A&E departments, where this kind of support is needed most, increasing rates of care by up to 54% in a week compared to the usual baseline.

But with this digital progression comes the risk of handling and storing more patient data than ever before, opening organisations up to cyberattacks, particularly phishing. Data breaches and cybersecurity attacks should be near the top of any digitally progressive organisation’s risk register, with hospitals and health and care centres on high alert as the NHS has warned all organisations to shore up their defences while the invasion of Ukraine by Russia continues.

From the outset, it’s crucial that patient data is stored in a legitimate and legal way, adhering to the EU General Data Protection Regulation (the applicable regulations will of course vary depending on where you are based). But with so many potential avenues of attack, known in cybersecurity parlance as ‘vulnerabilities’, it can be hard to know how to prioritise defence efforts going forward.

So, what are some core basics you need to do? First, make sure your organisational leadership is committed to cybersecurity. Chief information security officers (CISOs) or similar roles are becoming increasingly common in companies; in the health and care sector, however, this responsibility has traditionally sat with the CIO. So long as you ensure someone on your board, ideally both an executive and a non-executive board member, is responsible for overall cybersecurity, this leadership should help to spearhead activity and ensure it stays high on the list of priorities.

Second, solidify your network security by running a series of penetration tests. This is where a paid tester, acting on your behalf, tries a series of ways of attacking your network and identifies vulnerabilities which you can then mitigate. To make the most of penetration tests, they should cover where your greatest risks lie. Health and care organisations tend to have large digital and technology estates, which makes this challenging. Your Electronic Health Record (EHR) and its component systems are an obvious target, but many medical devices are particularly weak points too.

Third, ensure applications are up to date with the latest security upgrades. The infamous 2017 WannaCry ransomware attack on the NHS was possible because Windows operating systems were being run without up-to-date security patches. Because NHS and care organisations have so many staff, and thus so many accounts, their applications are particularly exposed, so make sure you understand where the points of risk lie with them.

Fourth, implement staff training. This should cover everything from secure password management to understanding what to do in a disaster recovery scenario. In the busy world of health and care, it’s crucial that all administrative staff have a shared understanding of IT practices to keep their patient data safe, and to ensure people can react quickly and effectively should a cyberattack hit.

And finally, implement strong password management and access control. Anecdotally (accurate data is hard to come by, as many organisations are reluctant to share how often they have been attacked), poor password management is one of the most common methods of attack for cyber criminals. Ensure all staff use secure passwords and good password maintenance hygiene; NHS Digital has good guidance on this. Access control rules mean that only those who need access have access. Multi-factor authentication is by far the most secure approach to access management, but it is often not available on older health and care applications. Ensure that particularly sensitive data, such as patient-level data being accessed for research or planning purposes, is held in secure “Trusted Research Environments”, with multi-factor authentication a prerequisite for gaining access.

Health and care providers are increasingly turning to digital processes to help streamline and revitalise their operations following the worst of the Covid-19 pandemic in the UK. However, it’s vital that overall cybersecurity and individual employee practices both work to ensure patient data is as safe and secure as possible. We are seeing a new age of digital health and care arising; the question now is: are organisations prepared to commit to the safety procedures needed to keep patient details private?