Cyber security and the problems caused by the accidental or deliberate leaking of data are becoming major causes of concern for 21st century businesses. Jens Puhle, UK Managing Director of access rights management specialist 8MAN outlines the steps that can be taken to minimise the risk.
A year of high profile attacks in everything from telecoms organisations to pubs has put the need for better cyber defences into sharp focus for the first time in many parts of the business world. As a sector that handles some of the most sensitive personal information imaginable however, the healthcare world was in no need of a wake-up call.
Although the demand for transparency is increasing, most business operations can maintain a large degree of secrecy in all but the most serious data breach incidents. The health sector on the other hand is required to report all Information Governance Serious Incident Requiring Investigations (IG SIRI) using the IG Toolkit Incident Reporting Tool. The report sends incidents to regulators including the Health and Social Care Information Centre (HSCIC), the Department of Health and the Information Commissioner’s Office (ICO).
As a result of this mandatory reporting the health sector appears to have one of the worst track records on data management incidents. 278 incidents were reported to the ICO in Q2 2015 alone, compared to just 60 in local government, the next highest group.
Data handling best practice
Most of these incidents tend to be caused by simple human error, with the ICO finding that emailing the wrong recipient was one of the most common ways for staff to leak sensitive data. A prominent example came towards the end of 2015 when the names and emails of nearly 800 HIV patients were visible after an email newsletter was not blind copied to the recipients.
While accidents are always possible, organisations need to ensure they have safeguards in place to make it harder for mistakes to happen, as well as training to raise awareness of the consequences of a leak. Failure to correctly train temporary or even full time staff in data protection procedure is one of the many different issues the ICO routinely addresses with practitioners.
Accidental leaks can be effectively prevented by limiting access to sensitive data in the first place. It’s very common for new staff to be given much wider access to data than they need be, and we often see firms setting up new users as administrators with full access because it’s faster and easier.
Best practice should always be for all new users to only be given as much access as is required for their roles, as the fewer people that can access sensitive data the less likely it is to be accidentally leaked.
Because of the way the native Windows Active Directory system works, a lot of system administrators find proper due diligence in managing access management for every new starter to be too time-consuming.
Surprisingly large organisations still have little idea about what information their staff can access, and rarely rescind access once granted, even when someone has left.
With providers often failing to follow process even at the best of times, the problem is greatly increased when large numbers of staff join at once, either full time or as temps. Few consider the potentially devastating security risk that comes with temporary hires that require network access. Temp workers are often granted access to the entire network by default, including potentially sensitive information like payroll or intellectual property. In fact, research from Avecto and Curve IT found that 72 per cent of temporary workers are given full administrative rights.
The threat from within
Breaches caused by carelessness or accidents can be serious enough, but far more damage can be caused when data is intentionally leaked and misused by employees. Medical data is highly prized on the black market, with the Ponemon Institute estimating that stolen records can fetch an average of $360 - more than any other single piece of stolen information. In America, the Department of Health and Human Services believes that records from more than 100 million people were stolen in 2015 alone, while Verizon has also found 90% of industries outside of healthcare have also had medical data stolen.
Aside from the obvious cases of intentional theft, patient records can be misused in many other ways. Last year a UK medical centre practice director was fined after accessing the records of colleagues and family members without their consent.
Insider leaks and misuse such as this are particularly difficult to guard against because the perpetrator is usually legitimately cleared for access as part of their job role. To address this challenge, organisations should ensure they have systems in place that will alert them whenever certain important files or folders are accessed. In addition, more advanced access rights management systems can send real time alerts specifically for when information is accessed outside of usual parameters, preventing data from being copied unobserved from remote locations out of office hours.
Regulatory pressure
Organisations are also facing increasingly serious punishments from regulatory bodies if they are judged not to have done enough to prevent a major breach. The European Commission is drafting new legislation that will place more responsibilities on the healthcare sector and other areas of key infrastructure, requiring them to take extra measures in defending data, as well as reporting breaches to the national authorities. Even stricter punishments on security failures were also agreed by the EU at the end of 2015, with large organisations which fall short potentially being hit with fines of up to 4% of their entire global turnover. Any firm that handles personal data on a large scale could face fines running into the billions.
Locking down data access
The need to guard against both external and internal breaches, alongside strict regulations in many cases, means large organisations are under tremendous pressure to have access to sensitive data under control. It is imperative that they equip themselves with the right policies, processes and technology to gain full control of how data is accessed.
The most basic tenant of this is locking down who is able to access sensitive data in the first place and reducing it to essential personnel only. Alongside this, installing the ability to track whenever key data is accessed, especially if it is at an unusual time or location, will greatly reduce the chances of malicious leaks to criminals.
While high profile external hacks will continue to grab the headlines, the internal threat to data must not be overlooked. Accidental leaks are increasingly common and can be extremely embarrassing. Furthermore, insider leaks are not only highly damaging, they can occur without the firm ever finding out. By taking a few simple steps, organisations can keep the sensitive data of their patients truly confidential.
