Safeguarding patient data: Four steps to consider when assessing your IT infrastructure
A recent cyberattack on major hospitals in London has once again called into question the security of patient data in the UK.
The ransomware attack, which targeted Synnovis – an agency that manages labs for NHS Trusts and GPs – led to operations being cancelled and emergency patients being diverted elsewhere. More than 1,000 planned operations and over 3,000 outpatient appointments were postponed, with King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust among those affected.
As part of this attack, patient data managed by Synnovis was stolen, including patient names, dates of birth, and NHS numbers. Since then, the cybercriminal group responsible has shared almost 400GB of private information on the dark web, leading to cyber security experts calling this “one of the most significant and harmful attacks ever in the UK.”
With recovery expected to take months and systems still at risk, this latest attack highlights the need for enhanced data security, compliance, and control over sensitive information.
It is now unfortunately only a matter of when, not if, your patient systems will become a target. Healthcare providers therefore need to reassess how they safeguard their patient data to better protect themselves from similar attacks. But this isn’t just about the threat of cyberattacks. With diverse risks to the systems, applications, and hardware used to store patient data, it’s important to look more holistically at how patient data can be more securely managed.
Assess existing systems
A mandatory policy that enforces the continuous assessment and management of risk across your systems is essential to mitigating the threat of a cyberattack.
Legacy systems are often the weakest link in healthcare providers’ cyber resilience. Once they reach end of support they stop receiving critical updates, putting them at risk of attack and, in turn, all information stored on it at risk of being exposed. Equally, unpatched vulnerabilities in out-of-date operating systems and application software create an entry point for cybercriminals to exploit.
This was the case in the 2017 WannaCry attack, where cybercriminals took advantage of a flaw in the Microsoft Windows XP and Vista operating system. Many NHS Trusts were exposed, as they were still using Windows systems past their end of life, and no longer receiving critical security patches from Windows for new vulnerabilities. The attack provoked widespread disruption to services, costing the NHS a total of £93 million through services lost.
This is also true for connected medical devices, such as mammography machines, radiology systems, and MRI scanners. Research revealed that 83% of medical imaging devices were running on old operating systems, such as Windows 7, and were no longer receiving updates, making them more susceptible to attack.
Conducting continuous vulnerability assessments of systems, so that they can be mitigated, is therefore critical to reduce organisations’ exposure. Where this isn’t possible (for example, with certain medical devices), healthcare providers must isolate and ringfence connected devices from networks that hold patient data, so they can’t be used as a back door to gain access.
Choose the right cloud solution for healthcare provider workloads
Data security is often viewed through the lens of cybersecurity, but internal infrastructures can also leave patient identification information exposed. UK NHS guidelines state health and social care providers should use cloud computing services for hosting patient data. To ensure data sovereignty and to align with these guidelines, data must only be hosted within UK territories.
However, there are security concerns over how these public cloud services (multi-tenant environments with different customers using the same pool of IT infrastructure) are leveraged by institutions. Recently, Microsoft admitted no guarantee of sovereignty for data stored on their public cloud infrastructure, following an FOI request that found that international data transfers on this platform opened the door for foreign entities to access British citizen's data. By choosing to use providers with only global support options and solutions as opposed to a UK cloud provider, organisations risk exposing their data to the provisions of The Clarifying Lawful Overseas Use of Data Act 2018 (US Cloud Act). This allows US federal authorities to subpoena the data, even if it is physically stored in the UK.
IT leaders must interrogate their existing cloud solutions to check they are not inadvertently putting their patients’ private data at risk. A fully compliant alternative solution would be Sovereign Cloud, a cloud computing infrastructure that is designed to meet the legal, regulatory, and operational requirements of a particular country. Adopting a dedicated Sovereign Cloud solution would enable healthcare trusts to embrace the cloud while guaranteeing highly sensitive patient data will always be kept within the borders of the nation-state.
Creating a robust team
Across IT and security roles, the nation is facing a significant talent shortage. And the healthcare sector has not gone unscathed, particularly when some private organisations can pay significantly more for the same positions.
Healthcare providers have two routes they can take. Firstly, they can look to tackle this talent gap with a comprehensive hiring, training, and retention plan that can bolster their in-house skill set.
Alternatively, they can partner with services companies who have experience managing complex IT infrastructure and can slot into existing teams, providing specialist insight and guidance, without adding to the team headcount.
By addressing this skill gap, healthcare organisations can ensure their security and IT systems are being maintained to best practice and continuously monitored, reducing the chances of exposure either through cyberattacks or misconfigured environments.
Check the physical locations for data storage
The mismanagement of data centres can also pose a threat to patient information. These data centres host the critical systems keeping healthcare organisations running and require regular monitoring and maintenance to ensure optimum availability, performance, and security. A drop in this posture puts the entire facility and therefore patient information at increased risk.
For example, Guy’s Hospital and St Thomas’ Hospital faced this challenge in July 2022 when London experienced record-breaking temperatures of 40°C. This led to two of the hospital’s data centres suffering failures due to overheating. The recovery of the IT systems that were affected lasted several weeks and caused widespread disruption to clinical services and patient care within the Trust.
The subsequent review found that sub-optimal cooling systems, ageing technological infrastructure, and distributed roles for managing the elements of the data centre were the root cause of the IT failure.
To safeguard against this possibility, healthcare providers should consider reviewing their existing data storage plans and look to move towards a secure private sovereign cloud service provided by data centre and infrastructure experts, removing the pressure of maintaining data centres, while storing data in a secure, sovereign environment.
Planning for the future
Patient data is becoming increasingly vulnerable to outside attacks, with the Synnovis attack being one of over 11 million ransomware attempts to have taken place in the last two years in the global health sector. But it’s not the only risk posed to patient data. Ensuring that it can be accessed by medical practitioners is as critical as keeping malicious actors out, so maintaining the availability and resiliency of the data is also key.
IT and security leaders must lean into these steps to improve their resilience and better secure patient data, safeguarding it against future disruption.