By Chris Welch, Product Manager – RAPid, BridgeHead Software
A Sky News investigation today revealed that NHS Trusts are putting patients at risk by not protecting patient data. Furthermore, freedom of information requests revealed that 7 NHS Trusts spent nothing on cybersecurity in 2015 and 45 Trusts were unable to specify their budget. The average spend on cybersecurity across Trusts was £23,040. While there may be exceptions, the proper management, protection and storage of patient data is not being given the attention it deserves.
This is particularly worrying considering that data breaches, of various types, are on the increase in the UK healthcare sector. Sky’s investigation revealed that Trusts are suffering an increasing amount of personal data breaches, from 3,133 in 2014 to 4,177 last year, and that cyber incidents are accounting for more breaches, from 8 in 2014 to 60 last year.
Patient Care – The Real Cost Of Inadequate Cybersecurity In Healthcare
It’s not easy to put a cost on cybersecurity security breaches in healthcare. The impact on the delivery of patient care is clearly the most critical, though there are also severe financial repercussions, huge impacts on staff morale and confidence (that can lead to attrition and the loss of key personnel), as well as effects on a hospital’s reputation. We need only look at Lincolnshire and Goole NHS Foundation Trust, which recently had to cancel hundreds of planned operations and outpatient appointments after its systems were infected by a virus, to comprehend the huge impact compromised data can have on patient care. Understandably, this was treated as a “major incident” and fall-out was significant.
What Should NHS Trusts Be Doing To Protect Patient Data?
The report highlighted that cybersecurity was weak for a number of reasons, notably, due to out-of-date software. We believe most NHS hospitals operate between 200-300 applications in the background for the preservation of historical data or for legal/compliance reasons, but these legacy systems are fraught with security issues and running them carries significant risks. Not only are older technologies, whether hardware or software, more prone to failures, outages and corruptions, but they also present security loopholes. We strongly believe that the NHS must prioritise the retirement of legacy applications if they hope to tackle cyber attacks. What’s more, retiring applications has a side benefit of saving a significant amount of money and resource that could be redeployed on cybersecurity tools and measures (or other projects). But, the main point is that patient data must be moved into a safe environment while still being accessible to those that need it, when they need it, at the point of care.
Minimising or preventing downtime following a security breach is paramount and disaster recovery is an essential part of any cybersecurity policy, particularly when it comes to ransomware. Trusts must ensure that they have a robust data backup – whether via secondary datacentres, cloud and/or tape – and, more importantly, a robust recovery strategy, for both physical and virtual machine environments, to ensure that patient data remains available and accessible regardless of the nature of the breach.
System and data recovery in healthcare needs to be taken seriously. And, if you’re really serious about it, you need to test that your recovery strategy works. Trusts need to know that their systems would stand up to a cyber attack and that they could get back to operational status in the shortest possible time to avoid clinical risk and ensure the continuity of patient care.
As the Healthcare Data Management company responsible for protecting critical, primary systems for over 1,200 hospitals worldwide, we urge NHS Trusts to talk to us about application retirement and disaster recovery strategies as a matter of priority.
If you would like further information or wish to discuss the above, please email me at: email@example.com