Data breach threats

By Robin Stride

Private healthcare providers have been warned to wake up to escalating data breach threats from organised criminals using a vast range of tactics on the unwary.

Cyber-attacks are only one method fraudsters try to access confidential information, the audience at market analyst Laing­Buisson’s Private Healthcare Summit 2024 heard.

Criminologist Dr Nicola Harding’s message to independent health sector businesses was stark: ‘We have to consider that this isn’t an “if”, this is now a “when”. 

‘You are all a target. You have to plan as though it is going to happen because if you’re not planning, the outcomes for organisations that haven’t got a plan are far more dire.’

Her warnings came after a law firm’s report labelled the health sector as a frequent violator and top spot for data breaches in 2023, accounting for around one-in-five reported data breach cases (see ‘Healthcare is worst data breach offender’). 

Dr Nicola Harding

Cyber-security expert Dr Harding, chief executive of We Fight Fraud, said: ‘Criminals are the creative human beings that are using their creativity to circumvent your systems and processes. What we need to get better at doing is planning and ensuring that our humans on our side are just as sharp and just as switched on as they are.’

Attractive to criminals

Data was attractive to criminals because it could be used to compromise, exploit and access further revenue. ‘But we need to get away from this idea that the worst thing that can happen to us is a cyber-attack. Actually, the worst thing that can happen to you guys on the whole is a data leak. 

‘And a data leakage can happen in different ways. A cyber-attack is one of them, but data leakage happens with poor GDPR [General Data Protection Regulations] practices; it happens when you don’t shred documents and they end up in the wrong hands; it happens when people have conversations that should be happening in private – on the train, on the way to work – about a patient. 

‘It happens when you open your laptop and you’ve got your records for the day because you’ve maybe got to travel from London up north and that’s three hours on the train when you want to get some work done. But the person next to you is looking over your shoulder at everything you’re doing.’

She added: ‘You don’t know who’s watching; you have to treat every potential piece of data like it’s the royal family’s data.’

Dire consequences

Dr Harding said the data compromise cycle was necessary for organised crime to work and the consequences included terrorist finance, serious child sexual abuse and wars. ‘This isn’t a simple small “Oh, I forgot to shred those documents”. The consequences of it down the line can be extremely dire.’

While technology could do amazing things to prevent data breaches, her work showed it was humans who created compromise. 

Staff training was vital and companies should ensure they had instant response plans not just for a cyber security breach but for anything relating to data compromise. These should include their PR response, how they would talk to the public about it and regulatory expectations about what was likely to happen when people’s data was lost. 

Delegates heard from an IBM 2023 report that US organisations with high levels of instant response planning and testing saved $1.49m compared to those with low levels.

Only one-in-three data breaches were identified in-house. ‘Sixty-seven per cent of breaches in 2023 were reported by a benign third party or by the attackers themselves. When attackers disclosed a breach, it cost organisations nearly $1m more compared to internal detection.’

Dr Harding warned that data breaches could arise from someone walking up to their reception desk, through a phone call to staff or when someone identified their workplace because they left their lanyard on in the pub after work.