Intro – Data breaches.
You might not be telling strangers what your birthday, home address and online banking passwords are, but there’s a very good chance that your social media accounts are doing just that, turning you into a data breach waiting to happen.
Social Media and data breaches.
Most of us Instagram our dinner, tweet our train delay, or post our leaving do to Facebook without a thought. However, if your security settings aren’t set correctly, then at a glance criminals can see your school, the names of your loved ones and your pets, and even your favourite holiday destinations. If you’re in the habit of using any of those as passwords, you might as well list them on your profile.
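The point above, that a password built from details visible on a public profile is as good as published, is one an organisation can check for at password-change time. The following is an added example (not code from the article or any product it mentions) of such a check: it takes a constructed, fictional profile, normalises the tokens in it and in a candidate password (lower-case, common character substitutions undone, punctuation removed), and reports which profile detail the password is built from. The profile fields, the substitution table and the sample passwords are all assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed profile for a fictional user: the kind of details a public
# social media page gives away, as the article describes.
PUBLIC_PROFILE = {
    "school": "Greenfield High",
    "partner": "Alex",
    "pet": "Biscuit",
    "holiday": "Tenerife",
    "birth_year": "1987",
}

# Undo the most common character substitutions so "B1$cu1t" still matches "Biscuit".
# Assumed mapping: 0->o, 1->i, 3->e, 4->a, $->s, @->a, !->i.
LEET = str.maketrans("0134$@!", "oieasai")


def normalise(text: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def profile_terms(profile: Dict[str, str], min_len: int = 3) -> Dict[str, str]:
    """Map each normalised profile token (school name, pet, partner, ...) back to its original."""
    terms: Dict[str, str] = {}
    for value in profile.values():
        for token in re.split(r"\s+", value):
            key = normalise(token)
            if len(key) >= min_len:  # skip tokens too short to mean anything
                terms.setdefault(key, token)
    return terms


def password_uses_profile(password: str, profile: Dict[str, str]) -> Optional[str]:
    """Return the profile detail the password is built from, or None if none is found."""
    candidate = normalise(password)
    terms = profile_terms(profile)
    for key in sorted(terms, key=len, reverse=True):  # report the longest match first
        if key in candidate:
            return terms[key]
    return None


if __name__ == "__main__":
    for pw in ("Biscuit2019!", "b1$cu1t", "T3nerife", "summer1987",
               "correct horse battery staple"):
        print(f"{pw!r:32} -> {password_uses_profile(pw, PUBLIC_PROFILE)}")
```

In practice the profile dictionary would be filled from whatever the organisation already holds about the user (name, date of birth, department), not scraped from social media; the check complements, rather than replaces, a breached-password list.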
The healthcare industry.
We might not think that a few details about our lives give criminals all they need to build fake profiles. However, when you suspect that major organisations – including healthcare providers – might be guilty of the equivalent lack of security measures, it’s time to worry.
Consumers have a right to trust healthcare organisations to look after their personal information securely. We are naturally wary of banks, and yet we trust the secrecy of the GP’s office without a second thought. After all, we still live in a world where employers make decisions on someone’s continued employability solely on the basis of their physical or mental health. In a 2017 survey, Accenture published findings which showed that one in eight people had had their personal medical data stolen from systems with inadequate security in place. Worse still, more than a third of those experiencing such a breach were left to find out about it themselves – usually by finding an error in their health or financial records weeks or months later.
This isn’t good enough…
…When the organisation in question is only alerting a fraction of those affected, that’s almost as problematic as having security measures in place that allow those breaches in the first place. Aimie Chapple, Accenture UK’s managing director of health practice and client innovation is quoted as saying “patients must remain more vigilant than ever in keeping track of personal information including credit card statements and health records which could alert them to breaches”.
The cause – data breaches.
So what’s the cause of the ongoing breaches? As with so many technology issues, the answer is human error, backed up by findings from the Information Commissioner’s Office. In the almost three-year period between January 2014 and December 2016, the number of data breach incidents reported by healthcare organisations accounted for some 43% of the total, beating the next-worst offenders – local government – four times over.
Again, this isn’t good enough.
Especially when you look at how a lot of these breaches break down: paperwork lost, paperwork sent, emailed or faxed to the wrong recipient, and failure to correct or delete data where required. The criminals don’t even have to try; it’s there on a plate for them.
For example:
- Approximately 10,000 handwritten patient records went missing between August 2017 and August 2018 (NHS Data Security: Protecting Patient Records), with over 3,000 records either mislaid or stolen from University Hospitals Birmingham NHS Foundation Trust alone
- ‘Ghost users’ present an easy route in for hackers – an August 2017 assessment of 64 NHS organisations found that around 17% of online accounts hadn’t been used for 12 months or more. Combine a careless social media announcement of a change of job with a fairly simple hack, and a recent leaver’s dormant account can be identified quickly, enabling hackers to move around a network undetected
- NHS Trusts might have spent over £1 million preparing for GDPR, but that cost – split over 46 trusts – doesn’t even scratch the surface of the significant challenges trusts face in managing what is uniquely confidential patient data
- The NHS itself faces an ongoing lack of experienced IT professionals, reinforced by concerns in late 2017 that the Government had set aside a sum of £20 million to deploy a team of ‘ethical hackers’ to identify system weaknesses highlighted by the infamous WannaCry cyber attack
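The ‘ghost user’ figure above (accounts unused for 12 months or more) is something any identity team can measure from its own directory export. The following is an added example, not code from the article or from any NHS system, of that detection logic: it runs over a constructed, fictional account export with last-login dates, ignores accounts that are already disabled, flags enabled accounts that are idle for a year or more or have never logged in, and reports the proportion, the same measure the 17% statistic expresses. The export format, usernames and dates are assumptions made for the example.

```python
from datetime import date
from typing import Iterable, List, Optional, Tuple

# (username, last login as ISO date or None if never used, account enabled?)
Account = Tuple[str, Optional[str], bool]

# Constructed sample export from a fictional directory; not real data.
SAMPLE_ACCOUNTS: List[Account] = [
    ("a.smith",    "2018-07-30", True),   # active last week
    ("j.doe",      "2017-05-14", True),   # left over a year ago, never disabled
    ("svc-backup", None,         True),   # enabled but never logged in
    ("m.jones",    "2016-12-01", False),  # already disabled: not a live risk
    ("p.lee",      "2017-08-02", True),   # 364 days idle: just under the threshold
    ("r.khan",     "2017-08-01", True),   # exactly 365 days idle
]


def idle_days(last_login: Optional[str], as_of: date) -> Optional[int]:
    """Days since the last login, or None if the account has never been used."""
    if last_login is None:
        return None
    return (as_of - date.fromisoformat(last_login)).days


def find_dormant(accounts: Iterable[Account], as_of: date,
                 max_idle_days: int = 365) -> List[str]:
    """Usernames of enabled accounts idle for max_idle_days or more, or never used."""
    dormant: List[str] = []
    for username, last_login, enabled in accounts:
        if not enabled:
            continue  # disabled accounts cannot be logged into, so skip them
        idle = idle_days(last_login, as_of)
        if idle is None or idle >= max_idle_days:
            dormant.append(username)
    return dormant


def dormant_fraction(accounts: List[Account], as_of: date,
                     max_idle_days: int = 365) -> float:
    """Share of enabled accounts that are dormant (0.0 when there are none)."""
    enabled = [a for a in accounts if a[2]]
    if not enabled:
        return 0.0
    return len(find_dormant(enabled, as_of, max_idle_days)) / len(enabled)


if __name__ == "__main__":
    today = date(2018, 8, 1)  # assumed assessment date for the sample
    for name in find_dormant(SAMPLE_ACCOUNTS, today):
        print(f"dormant: {name}")
    print(f"{dormant_fraction(SAMPLE_ACCOUNTS, today):.0%} of enabled accounts are dormant")
```

Accounts that have never logged in are flagged deliberately: a leaver’s account created in their last weeks, or a service account nobody uses, is just as much a ghost as one that fell silent a year ago. The next step for a real directory is to feed the flagged names into a leaver review and disable what nobody claims.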
Before this begins to look like a damning onslaught on the data security protocols of the NHS alone, the private and digital sectors fare little better. If you factor in health apps and fitness tracker information, then the data breaches stack up thick and fast:
MyFitnessPal leak
After the MyFitnessPal leak of the personal details of 150 million people, the company failed to inform users until a full four days after it became aware of the breach. Worse still, the breach itself had happened a month beforehand. Although the information harvested amounted to usernames, passwords and email addresses rather than credit card details, this, combined with activity data and other health information, would enable hackers to build up a very detailed profile of an individual indeed.
For example, fitness trackers don’t just track what you do, they track where you are, and when you’re there – gold dust for anyone with sinister intentions.
BUPA’s leak
BUPA’s 2017 breach affected half a million customers on its international health insurance plan. The member of staff who copied information including names and dates of birth lost their job, and BUPA had to make a full report to the Financial Conduct Authority; however, it shook confidence in the provider.
Human error.
Human error or hack, the compromise of our personal data seems to be becoming so common that there’s a danger we’re switching off. There’s little doubt that an already overstretched NHS can’t siphon off an extra few million into training the IT professionals it lacks. For now, it’s still down to the consumer to check their records, change their passwords, and be vigilant.
And if your organisation handles sensitive information about your customers’ wellbeing, behaviour or activities, are you 100% certain your systems are as watertight as they can be?