Keeping your data secure

The online scams industry has boomed over the last 18 months as criminals take advantage of the pandemic to steal people’s personal information and their money. Raj Patel looks at how you can protect your practice and explains the measures Healthcode takes to keep its customers safe.

While robberies, thefts and homicides in England and Wales fell during the pandemic, computer crime bucked the trend as we spent far more of our work and leisure time online. 

According to the latest crime survey from the Office for National Statistics, there were an estimated 1.7m computer misuse offences in the year ending March 2021, up by 85% from the year ending March 2019. 

In particular, cases of unauthorised access to personal information such as hacking – which included large-scale data breaches – rose by 162%.  

Meanwhile the Government’s latest annual cyber security breaches survey published in March 2021 revealed that 39% of businesses and 26% of charities report having cyber security breaches or attacks in the previous 12 months, most commonly phishing attacks. 

Of these, one in five ended up losing money, data or other assets while many more experienced serious disruption. 

Although this was lower than 2020, the survey found that Covid-19 seems to have made cyber security harder for organisations. 

For example, it notes that fewer businesses are now deploying security-monitoring tools or undertaking any form of user monitoring, which ‘possibly suggests that they are simply less aware than before of the breaches and attacks their staff are facing’. 

Tempting target

This should concern independent practitioners because healthcare presents a tempting target for cyber criminals. 

According to the cyber security breaches survey, 58% of private businesses hold personal data about customers, but this rises to 80% in the health, social work and social care sector and 82% in the finance and insurance sector. 

However, healthcare organisations consistently report the highest number of data protection breaches to the Information Com­missioner’s Office (ICO). 

The latest statistics from the ICO for 1 April-30 June 2021 show there were 607 data security incidents in the healthcare sector – including 108 cyber security incidents – compared with 180 for finance, insurance and credit, including 53 cyber security incidents. 

And last year, Independent Practitioner Today reported a study, showing that as many as 67% of healthcare organisations had experienced a cyber security incident in the 12 months to February 2020. 

These included the introduction of viruses or malware from third-party devices, staff sharing information with unauthorised recipients and malicious links in emails and on social media (28%).

What can you do?

As the pandemic has created the ideal conditions for cyber criminals, that should also prompt us all to reassess our data protection measures. 

Even if you have been the victim of a crime, few patients are likely to be sympathetic when they hear that their sensitive data has been stolen. 

And in addition to the potential disruption and embarrassment, the ICO could also hit your business with a financial penalty if it finds that you have breached the Data Protection Act. 

In July 2021 for example, the transgender charity Mermaids was fined £25,000 for failing to keep users’ sensitive personal data secure.

The following cyber security tips should help steer your practice in the right direction:

1 Protect your systems

Invest in security software to protect your practice systems from malware such as viruses, trojans and ransomware. The software should be set to automatically scan files and webpages and whole system scans should be carried out frequently.

2 Keep up to date 

Don’t use old operating systems, software, internet browsers and apps which are no longer supported by the provider, as they will be inherently less secure.

3 Maintain a data protection policy

This written document is a set of principles, rules and guidelines that ensures your practice complies with data protection law. Ensure that everyone is aware of the policy and trained in how to carry out their data protection responsibilities.

4 Have a practice IT security policy

This should cover aspects of security such as internet and email use, passwords and the safe use of mobile devices – encryption. 

There should be regular training in cyber security for staff to make them aware of the latest threats, such as suspicious emails. Non-compliance with the policy should be a disciplinary matter. 

5 Follow good password practice 

Individuals should have their own username and password that controls their level of access, and user credentials should never be shared. 

The same password should not be used for multiple accounts and should be regularly changed. 

6 Encrypt the sensitive information you send or share

Standard unencrypted email is inherently insecure and should never be used to communicate confidential information. 

7 Keep track of data

If you don’t know how data is processed and stored, how will you know if there has been a breach? The sooner you are aware of a security breach, the sooner you can act.

8 Monitor access 

Staff should have a valid reason to access personal data as part of their work. Ensure all access is logged for security and audit purposes.

9 Maximise your resilience 

Back up your systems so that you can restore your data and get back up and running quickly; for example, in the event of a cyber-attack. 

10 Know how to respond to an attack

Report serious cyber-security incidents to the National Cyber Security Centre (NCSC) which also has advice on how to manage incidents. 

You are legally obliged to report any personal data breaches to the ICO within 72 hours of becoming aware of them, unless you can show that the breach is unlikely to pose a risk to individuals’ rights and freedoms. 

For healthcare organisations, reporting is advisable.

11 Seek specialist advice 

Talk to an IT security professional about your IT security measures. The NCSC has guidance and resources for small businesses or you could sign up to the Government’s Cyber Essentials scheme which should help you guard against cyber-attacks. 

You can find best practice information for healthcare organisations on the ICO website and NHS Digital – important if you have access to NHS patient data and systems. 

12 Check the security credentials of your suppliers

Ask service providers about the measures they have in place to protect your data. You might comply with data protection law but do they?  

Cybercrime is not the only potential threat to your data. Many incidents reported to the ICO are caused by human error, such as a misdirected email. 

But as malicious attacks become more numerous and more sophisticated, everyone in the independent healthcare sector has a responsibility to shield patients’ and practice data from attack and this is a responsibility that Health­code is happy to share. 

Raj Patel (right) is data protection officer at Healthcode