What do the U.S. and the U.K. have in common when it comes to healthcare? Their healthcare sectors continue to be under siege, and renewed efforts need to be made to raise the level of focus on protecting patient information. It is as if a Sword of Damocles hangs over this sector.
As asinine as it sounds, have we finally reached the tipping point where patients accept, by default, that their information will be at risk when they seek medical care?
Government entities, one in the U.S. and another in the U.K., recently issued reports on the state of affairs within the healthcare sector. The U.S. Department of Health and Human Services (HHS) Health Care Industry Cybersecurity Task Force issued its first report to Congress, and the HHS Office of Inspector General (IG) submitted its semi-annual report to Congress. In the U.K., the Information Commissioner’s Office (ICO) released its “data protections and concerns” report. The content demonstrates that the issues being faced on the IT side of the healthcare equation know no borders.
The HHS Task Force recognized how vulnerable the sector is with its observation: “Over the next few years, most machinery and technology involved in patient care will connect to the internet; however, a majority of this equipment was not originally intended to be internet accessible nor designed to resist cyber attacks.”
The HHS Task Force recognizes that a cultural change is required if cybersecurity and patient privacy are to be kept from “digitally sourced harm”—a fancy way of saying being affected by a breach.
Interestingly, the HHS IG report highlights as areas of concern enhancing safety and quality of care, efficiency of operations, reducing fraud and improper payments, and improving “data integrity and information security.” The HHS IG recognizes the value that can be gained by applying big data analytics to the fraud equation as a means to detect and prevent improper payments. Similarly, the HHS IG identifies “penetration testing” as an area of focus.
Across the pond in the U.K., the ICO notes a 31.5 percent increase in the number of self-reported incidents of data mishandling in the healthcare sector. The report also identifies with specificity that care homes (known in the U.S. as assisted living or nursing homes) continually avoid responding to the ICO’s requests. The Register notes that data breaches within the health sector accounted for 43 percent of all data breaches in the U.K.
What is not surprising is the number of breaches across both the U.S. and the U.K. that are caused by human error. Sharing patient information in press releases or presentations is a self-inflicted wound. Copying data in clear text to a storage medium is again a self-inflicted wound. Throwing patient files away via normal garbage disposal methods instead of destroying the patient data is again a self-inflicted wound. The recent WannaCry crisis that brought the U.K.’s health service to its knees was also a self-inflicted wound, because the service continued to use Windows XP machines (an operating system that reached end-of-life in April 2014). And of course, the clicking of links within emails, the hook-setting event for some of the larger breaches, reflects a lack of awareness on the part of the insider.