June’s ransomware attack on Synnovis, the scientific organisation that manages labs for NHS Trusts and GPs, has highlighted concerns over NHS patient data security and existing IT infrastructure. The breach led to thousands of postponed appointments and the release of 400GB of private patient data, including patient names, dates of birth, NHS numbers and blood test descriptions, leaving many concerned that the stolen data would be used for fraudulent activity.
However, cyberattacks are not the only threat to patient data. A range of diverse risks also exist on systems, applications and hardware that store sensitive information, and each of these vulnerabilities must be addressed to protect the healthcare sector from future attacks.
These attacks emphasise the need for healthcare providers to holistically evaluate their patient data management systems and ensure they are safeguarded against all threats.
Evaluate existing IT infrastructure
All businesses face cybersecurity challenges. For the healthcare sector, the sheer number of connected networks and devices exposes organisations to external risks, with many hospitals and clinics holding patient data on outdated operating systems. In fact, Prof Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), recently warned that “In parts of the NHS estate, it’s quite clear that some of the IT is out of date.”
This matters because once software passes its end-of-life it no longer receives security updates, making it far more likely that the information it holds can be accessed by cybercriminals.
This was demonstrated in 2019 when software technologies company Check Point tested the cybersecurity of a Philips HDI 4000 ultrasound machine and was able to gain access to the machine’s entire database of patient images. The vulnerability arose because the machine ran Windows 2000, which was past its end of life, no longer received updates and was therefore prone to attack.
To mitigate this threat and limit exposure within healthcare organisations, systems must be regularly evaluated for weaknesses. This can mean segregating outdated systems from the networks that store patient data, so they cannot be used as a back door by cybercriminals.
Identify the best cloud solution for hospital workloads
NHS Guidelines advise health and social care providers to use cloud computing services to house data, with all data needing to be hosted within the UK borders to ensure data sovereignty. As a result, many public institutions leverage public cloud systems – a multi-tenant environment, with different customers using the same pool of IT infrastructure – to store sensitive data.
However, in June, Microsoft admitted there was no guarantee of sovereignty for UK policing data stored on its hyperscale public cloud infrastructure, raising questions over the level of oversight and control the police could exercise over their data. Organisations that use this platform are at risk of their data being transferred internationally, opening routes for foreign governments to access British citizens’ data.
As a result of this and other damaging cyber incidents, many people are concerned with how the NHS stores patient data, with 87% of the public in favour of keeping their personal healthcare data stored in the UK.
To safeguard patient data and remain compliant with the sovereignty guidelines, IT leaders need to investigate their current cloud solutions and assess the risks affecting patient data. Introducing a suitable sovereign cloud designed to meet legal, regulatory and operational requirements will ease these concerns and enable NHS trusts to embrace the cloud while ensuring patient data is kept in the UK.
Create secure physical locations for health data
Sensitive patient information is also vulnerable to poor data management, particularly when on-premises data centres run the essential systems required to keep hospitals and clinics running. In July 2022, overheating and power outages hit two data centres at Guy’s Hospital and St Thomas’ Hospital when ageing technological infrastructure failed to cope with record temperatures, causing weeks of disruption to clinical services and to access to patient data. This IT failure was attributed to a combination of factors, including insufficient cooling systems, outdated technological infrastructure, and fragmented management of the data centres’ various components. To mitigate physical security issues, hospitals and clinics should review their current data storage plan and adopt a secure private sovereign cloud service managed by infrastructure experts, reducing their reliance on outdated and insecure data centres.
Setting the healthcare sector up for success
Attacks on NHS data, such as the attack on Advanced’s health systems that disrupted the 111 service and the Synnovis data breach, set hospitals and clinics back months and highlight the healthcare sector’s vulnerability to external threats. Yet cyber threats are not the sole risk to patient data. It is also necessary to ensure that medical practitioners can access this data when they need it, which means securing its availability and resilience as well as its confidentiality.
To ensure data is readily available and resilient, IT and security leaders need to follow this blueprint to enhance their security and protect patient data against all forms of disruption.
By Rick Martire, General Manager for Sovereign Services at Rackspace Technology