Cyber and Professions Series – Medical Professionals

England and Wales

This is CMS’ second in a series of articles focusing on risks to professionals arising out of a cyber incident. To read our first article on risks to solicitors please click here.

The healthcare sector has seen a significant rise in both small and large-scale cyber attacks over the past few years. A notable example is the “WannaCry” ransomware attack in 2017 which led to the cancellation of thousands of appointments and operations in the NHS. At least 34% of NHS trusts were affected. Medical institutions and professionals are particularly sensitive targets for attacks due to the sheer volume of personal data that is passed between hospitals, GP practices and specialist healthcare providers, as well as the grave consequences that can arise in the event of an interruption to operational activity caused, or even threatened, by an attack. The COVID-19 pandemic has exacerbated the extent to which data is shared, as many healthcare providers have adopted virtual patient consultations, using telehealth services to reduce the need for physical contact. The use of remote access systems makes each device and connection a possible way into a medical professional’s system, serving to provide greater opportunities for cyber criminals.

Data breaches in the healthcare sector can result in sensitive personal information being obtained by unknown third parties, including: personal identifiers (such as names, addresses, dates of birth, driving license information) as well as health insurance data and patients’ medical records. This sector is a popular target for cyber-attacks and data held by professionals is particularly useful to threat actors who are seeking to carry out fraud and identity theft. That is due to the fact that the sensitivity of such data is likely to encourage the victim to meet ransom demands in order to keep the incident out of the public domain. As these kinds of breaches may have a significant adverse impact on affected individuals (and can of course be very distressing), heavy fines can be levied on those businesses that are held responsible for allowing unauthorised access.

Cyber-attacks in the healthcare sector may even (in extreme cases) result in and/or otherwise increase the risks of serious injury or death. Earlier this year, a patient due to undergo life-saving surgery at the Düsseldorf University Hospital died after the hospital was subject to a ransomware attack which disabled the hospital’s computer systems.

Not every cyber attack results in a data breach but given the highly sensitive data typically held by medical professionals, the risks presented by a data breach are significant.

Examples of cyber breaches medical professionals may experience

The most common forms of cyber attacks and data breaches in the healthcare sector are:

  • Ransomware attacks, including where patient data or critical systems are encrypted by malicious actors who demand payment in exchange for a decryption key;

  • Phishing/vishing/social engineering attacks, where malicious actors gain access to a victim’s system typically by duping victims into opening a malicious email or link, thereby gaining access to the institution’s systems;

  • Loss of laptops or physical files containing patient data; and

  • An insider disclosing sensitive information either by accident or intentionally.

What are the regulatory obligations when a health service organisation suffers a breach?

Healthcare providers may have to report the occurrence of a data breach to the Information Commissioner’s Office (“ICO”) and/or the Department of Health and Social Care, depending on the type of data that has been compromised and the extent of the breach.

ICO

Under Article 33 of the General Data Protection Regulations (“GDPR”), any security breach creating a risk to the rights and freedoms of individuals is a personal data breach that can be notifiable to the ICO. All organisations providing healthcare services in England must use the Data Security and Protection Incident Reporting Tool (“DSPIR Tool”), which identifies notifiable breaches and reports relevant incidents to the ICO, the Department of Health and Social Care, NHS Digital and other regulators (see below). If the DSPIR Tool is unavailable, an incident can be reported via the ICO helpline on 0303 123 1113. In the case of an urgent security related incident, healthcare providers can contact the Data Security Centre helpdesk on 0300 303 5333 or enquiries@nhsdigital.nhs.uk. The NHS has also put together helpful guidance on identifying notifiable breaches.

If the breach is likely to result in a high risk to the data subjects’ rights and freedoms, the GDPR also requires healthcare providers to inform data subjects that their data has been compromised. This is a higher threshold than that which triggers an ICO notification, however, since medical data is highly sensitive, this threshold is commonly met within the context of healthcare data breaches.

There are two tiers of maximum fines for data breaches under the GDPR; up to €10 million or 2% of global annual turnover for breaches relating to data controller or data processor obligations, and up to €20 million or 4% of global annual turnover for breaches of data subjects rights and freedoms. However, the ICO will only very rarely impose the maximum fine available. The ICO has imposed many fines on various actors within the healthcare sector. For example, in 2018 a heavy fine was imposed on a regulated healthcare firm after a rogue employee extracted personal information of its customers and put it up for sale on the dark web.  A more recent example is the £275,000 fine imposed on a London pharmacy, Doorstep Dispensaree, Ltd for improperly storing sensitive patient data in unlocked containers at the back of their premises. Neither of these issues related to an external cyber attack but highlight the sensitive nature of the data stored by healthcare providers.

Department for Health and Social Care

The Security of Network & Information Systems Regulations 2018 (“NIS Regulations”) require NHS Trusts, NHS Foundation Trusts or healthcare providers designated by the Secretary of State for Health and Social Care to report events which have a significant impact on the continuity of essential services to the Department for Health and Social Care within 72 hours.

An incident reportable to the ICO may also be a reportable incident under the NIS Regulations. The DSPIR Tool is designed to identify such incidents and will report them to both the ICO and the Department for Health and Social Care.

The Data Security and Protection Toolkit

All healthcare organisations, both NHS and industry partners that access NHS data and systems must demonstrate their compliance with the Department of Health and Social Care’s data security and information governance requirements by submitting a self-assessment using the Data Security and Protection Toolkit, which is an online platform. All healthcare organisations must submit their self-assessment on an annual basis with the deadline usually being 31 March (however, this year the deadline was pushed back to 30 September due to the coronavirus pandemic).

Recommendations of the Chief Information Officer for the Health and Social Care System

The Chief Information Officer for the Health and Social Care System produced a report setting out recommendations for healthcare organisations following a review of the “WannaCry” incident. Some of the key recommendations included:

  • Healthcare organisations should comply with the Cyber Essentials Plus standard by June 2021, as recommended by the National Cyber Security Centre. This should serve as a minimum requirement for all healthcare organisations. Under this recommendation, large organisations may also be expected to ensure their supply chain meets the minimum requirements by undertaking basic due diligence.

  • Cyber security should be a board level priority for healthcare organisations and that every board should have an executive director as the data security lead.

  • Business continuity and disaster recovery plans should “include the necessary detail around response to cyber incidents, and must include a clear assessment of the impact of the loss of these services on other parts of the health and social care system” as well as identifying key third party services and the impact of the loss of those services on their operations and business continuity. 

GMC Guidance

The GMC has published guidance on handling patient information.  Some of the key pointers are:

  • Improper disclosures of patient information may be unintentional. Examples include discussing confidential medical information in reception areas, at a patient’s bedside or other public places where it may be overheard.

  • Patient information should be effectively protected at all times against improper access, disclosure or loss. Patients records should not be left on paper or on screen unattended.

  • Reasonable steps should be taken to ensure that communication methods used with patients (if they are contacting patients by email for example) are secure.

How can medical professionals minimise the risk of a data breach?

It is not possible to prevent all data breaches, however, there are several measures that medical professionals (and professionals generally) can take to minimise the risk of a data breach occurring and in mitigating the impact of a data breach if one does occur.

  1. Hire IT technicians to protect hardware networks from attacks and ensure patient data is encrypted both at rest and in transit;

  2. Invest in device security, this is important because if even one device becomes compromised it can expose the entire network, thereby not only exposing patient data to a data breach but also potentially putting essential computer systems required for medical procedures at risk;

  3. Use multifactor authentication (“MFA”) to reduce the risk of phishing attacks, but be mindful that certain attackers are capable of surpassing MFA;

  4. Single Sign on Systems (“SSO”), where authorised users can use a single set of login details to access multiple applications, may make it easier for malicious actors to access a large volume of data as they will only need to compromise one set of login details to access several platforms. It is therefore advisable to replace SSO with biometric logins, where authorised users login by using their fingerprints or by scanning their eyes;

  5. Hospitals and large-scale healthcare providers with sufficient cybersecurity budgets may take advantage of new machine learning software solutions which are trained to detect and block potential malware or phishing attacks;

  6. Ensure that third parties that have access to healthcare networks or databases are properly handling patient data, by regularly conducting a cyber-security audit of third party data controllers or requiring them to prove high standards of data security are in place before passing on patient data;

  7. Provide training for employees and those with access to patient data on proper usage and handling of sensitive data and alerting them to any risks they may face and how to handle them. For example, by having an action plan in place to ensure essential medical treatment can be conducted even if the healthcare provider’s computer system is compromised. The Chief Information Officer for the Health and Social Care System has even recommended that those who fail to complete the training could be denied access to computer systems until they complete it;

  8. Arrange for appropriate cyber insurance cover and ensure that it sufficiently mitigates the impact of cyber-attacks. Cyber-attacks may result in significant business disruption and open up a healthcare institution to a multitude of claims such as claims for loss of patient data, breach of privacy, or even physical injury if medical devices are hacked as well as hefty costs of regulatory investigations. To minimise the financial impact of cyber-attacks, cyber insurance policies that cover indemnities for first and third party claims and defence costs may be obtained. Some cyber insurance policies also offer assistance in the immediate aftermath of a cyber-attack by providing the insured with access to forensic investigation teams, customer support teams as well as legal and public relations experts, who are able to handle the first response to the attack. 

CMS runs a dedicated 24/7/365 emergency response facility that can be accessed in the event of a cyber-attack. If you would like to know more about their work, click here. If you do not have an emergency but want to learn more, please contact the authors:  Amit Tyagi, Ben Brown and Kristyna Muhlfeitova.