Back in May 2017, it was in every headline that the NHS had been hit by the WannaCry ransomware attack. Health records and personal medical information are often considered more sensitive and personal than financial information, and their exposure can be far more damaging. At the time, the NHS was criticised for still running Windows XP, an operating system released in 2001 that Microsoft had stopped supporting with security updates in 2014. The Department of Health and Social Care later put the cost of WannaCry to the NHS at around £92 million, with some 19,000 appointments cancelled or postponed. The same attack also hit FedEx and personal computers around the world. One caveat worth keeping in mind for what follows: WannaCry spread through a flaw in the SMBv1 file-sharing protocol for which Microsoft had released a patch (MS17-010) in March 2017, two months earlier, and most of the machines it encrypted were unpatched but still-supported versions of Windows rather than XP. Unsupported and unpatched software both leave the same door open. Given how dangerous such attacks can be and how sensitive health information is, how can healthcare businesses ensure they are as protected as they can be from future attacks?
GDPR strengthens consumer data protection
There are measures in UK, EU and US law intended to ensure that healthcare practitioners take the utmost care in how they handle personal data. GDPR has applied since 25 May 2018. It tightened the consent rules that stop companies spamming inboxes and phones with emails, texts and calls unless the recipient has opted in, it requires businesses to protect the data they hold with appropriate technical and organisational measures, and it obliges them to report a personal data breach to the regulator within 72 hours of becoming aware of it, with fines for improper processing, storage or sharing of data. As such, the provisions for companies storing data, including personal health information (a "special category" of data under GDPR that attracts additional restrictions), are a lot more robust than they once were. GDPR applies to any company processing the data of people in the EU, wherever that company is based, so most companies took the opportunity to audit their own systems in order to protect themselves. Indeed, the ICO's announced intentions in 2019 to fine British Airways £183 million and the Marriott hotel chain £99 million over data breaches show how seriously regulators take the rules; both penalties were later reduced (to £20 million and £18.4 million respectively) but remain among the largest issued.
HIPAA protects electronic healthcare information
Understanding how important it is to protect healthcare information specifically, the US Congress had already gone a step further with HIPAA (the Health Insurance Portability and Accountability Act of 1996), whose Privacy and Security Rules promote confidentiality and protect health information from data breaches. HIPAA legally requires covered entities (health plans, healthcare clearinghouses and most healthcare providers) and their business associates to protect ePHI (electronic protected health information). This includes databases of ePHI that may have been forgotten about or misplaced; an organisation is responsible for the data it holds whether or not it remembers holding it. The rules give businesses a vested interest in protecting health information, since non-compliance can bring civil and, in serious cases, criminal penalties. HIPAA revolves around the collection, storage, transmission and proper disposal of sensitive data. In some businesses a lot of hands have to see this information, so rules within the business that ensure data cannot be misplaced along the way are important. While this mainly affects healthcare-related fields, other companies that handle health information (for example as business associates providing IT, billing or storage services to a provider) must also keep it safe. Even if a business doesn't feel it handles sensitive data, it probably does in some way. Hence the act is a strong way of ensuring that everyone who touches health data gets up to code.
One of the best ways for businesses to show they handle personal information responsibly is to train their staff to protect it. Under HIPAA each covered entity must designate a privacy official and a security official, and under GDPR many organisations must appoint a data protection officer; whoever holds these roles will need to impress the importance of protecting data on those who collect it and on anyone else involved in processing it. Training the entire staff body about data protection and security shows that the business takes the issue seriously, asks the staff to do the same, and spells out what happens if a data breach or security attack is discovered, including the reporting duties described above. A determined attack may not always be preventable, but watertight protocols for handling sensitive data still have to be followed if businesses are to stand the best chance of protecting it.
So, back to the NHS. The NHS could not have stopped WannaCry from being released, but it could have blunted it: the vulnerability it exploited had been patched two months before the outbreak, and running software so outdated that it could no longer receive security updates did not give the NHS the best chance to protect itself and its patients' data.
The most obvious step towards protecting healthcare information is to stop using Windows XP, or any other operating system that no longer receives security updates, and to apply the updates that supported systems do receive. The NHS is still reportedly running computers and medical equipment with the outdated and unsupported software. Where a legacy device genuinely cannot be upgraded (some medical equipment is certified only for a specific operating system), it should at least be isolated on its own network segment, with SMBv1 disabled on neighbouring hosts and no direct exposure to the internet, so that one infected machine cannot spread to the rest of the estate as WannaCry did. Most healthcare organisations use supported software and patch it promptly, and use this as the foundation of their protection of healthcare information. Staff training on data compliance is also imperative and ensures that laws are followed and security is upheld. Following GDPR and HIPAA regulations is likewise important to ensure that companies protect themselves and the sensitive data they have to deal with; a business that is shown not to be doing so can face repercussions. These rules also give the people the data pertains to the added peace of mind that companies are legally bound to keep their private healthcare information safe and secure.