According to a report from the Ponemon Institute and the Verizon Data Breach Investigations Report, data breaches are more common in healthcare than in any other sector: two thirds of healthcare settings fell victim to a breach in 2019 alone, and the numbers are still rising.
These data breaches tend to occur as a result of:
Research has found that personal medical records are around ten times more valuable to hackers than credit card information.
This is not only because of the volume of data available (the NHS alone has access to 55 million high-quality primary care and 23 million specialist care records) but the nature of the data they can access, such as names, addresses, dates of birth, diagnosis codes and billing information.
This data can then be used or sold for profit; for example, creating fake identification in order to purchase medical equipment or medicines to resell at a higher price, or used to create fake insurance claims.
What’s more, unlike credit cards (which can be cancelled as soon as fraudulent activity is suspected), medical identity theft can go undetected for a much longer period. This means that hackers can make the most of this information for significantly more time than they could with credit card details.
Unfortunately, as well as being worryingly common, a data breach in healthcare systems can have a detrimental and often long-term impact, and in a number of ways:
On average, data breaches in the healthcare system cost around £5.2 million – which is almost twice as much as the global average (£3.2 million) – and this figure is only set to rise over the coming years.
For example, back in 2018 the NHS suffered a devastating data breach in the “WannaCry” attack, which locked workers out of 200,000 computers and went on to cost £92 million in cancelled patient appointments.
Since the GDPR came into force in 2018, these costs have only increased. By law, organisations are required to report any data breach to the ICO. However, it can be some time before a healthcare organisation realises it has been breached at all, and some may not find out until they have been fined.
So, in addition to money lost directly as a result of the breach, healthcare settings may also lose as much as £17.8 million, or 4% of their annual funds – whichever is greater.
Not only do data breaches in the healthcare system affect a setting’s financial position, they can also have negative effects on their productivity and reputation.
Following a data breach, healthcare professionals can find that their time is spent more on handling the breach than on improving their services, or on direct patient care.
This includes notifying affected parties and providing individuals with information on the breach, alerting the ICO, and alerting the media if the scale of the breach is large enough (in order to get the message out to affected patients as quickly as possible).
Due to these media alerts, healthcare settings often find themselves at the centre of press attention, the impact of which can last for months, or even years. More often than not, patients lose trust in the setting, and will look elsewhere for healthcare provision.
As explained by Lisa Sotto, the chair of a global cybersecurity legal firm:
"Organizations need to work very hard to try to both maintain the trust of patients immediately upon announcing a data compromise and also regain trust to the extent trust is compromised."
The impact of a data breach can also have severe consequences on individual patients and healthcare professionals.
For healthcare professionals, a data breach means a large increase in workload: not only must the breach itself be managed, but, since almost 90% of healthcare data breaches are caused by human error, staff will also need to work harder to reduce the risk of further breaches.
For the staff member(s) whose actions opened the way to a data breach, such as leaving a computer logged in or inappropriately sharing personal information, the consequences can be devastating, up to and including the end of their career.
For patients, a data breach not only means the invasion of their privacy, but has even been found to result in increased fatalities.
According to one study, hospitals that experience data breaches see a 0.36% rise in patient fatalities that occur within 30 days of a heart attack, for at least three years after the data breach. This is likely a result of professionals having to spend more time resolving the breach than on patient care.
Thankfully, there are a number of preventative measures that your hospital can put into place to significantly reduce your risk of a data breach:
In accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules:
“Appropriate administrative, physical and technical safeguards need to be in place to ensure the confidentiality, integrity, and security of electronic protected health information.”
Therefore, the first step you should take to prevent a data breach is a full risk assessment of your hospital’s IT systems. This will enable you to thoroughly examine any potential vulnerabilities and threats, and fix these in line with your hospital's security policies.
Your risk assessment is not the end point, however. Once this has been completed, you will need to undertake regular security audits to keep track of how robust your IT systems are against potential data breaches on an ongoing basis.
Once you have completed your audit, ensure you create a robust incident response plan. This way, staff members in your IT department will be able to spot any potential data breaches before they escalate, and deal with these efficiently.
As mentioned above, 90% of data breaches in the healthcare system are a result of human error. Therefore, regularly training medical professionals and other hospital employees on security and patient data privacy regulations is a vital step in reducing the chances of a breach.
Encryption of your data means that, should any information be intercepted by hackers, they will be unable to read and use it. This therefore offers an essential extra barrier of protection against any data breaches that may occur.
However, be sure to use hardware encryption as well as software encryption, since software-encrypted data can be unlocked with nothing more than a simple password. Hardware encryption, on the other hand, runs separately from the rest of the device and is therefore more secure.
If your hospital has a BYOD policy, review and amend it to ensure that it also follows the guidelines set out by HIPAA. This should include guidelines on user-authentication practices, installing firewalls and other security software, app regulation and so on.
By segmenting or subnetting your wireless networks – for example, by having one wireless network for public use and another for patient information – you are significantly less likely to incur a data breach. This is because segmentation makes it harder for hackers to perpetrate an attack throughout your entire network.
As a bonus, this will also significantly improve performance as traffic using the network will be lower!
Any patient information that is no longer required must be destroyed in a secure way to ensure that hackers do not have access to it, whether this is through electronic deletion or physical shredding of documents.
T-Pro’s speech recognition software for healthcare settings has been created with data security at its heart. Combined with our highly available and redundant cloud infrastructure, our security practices ensure that your clinicians will enjoy fast, secure and uninterrupted clinical speech recognition - anywhere, anytime.
In addition to the core Amazon Web Services data centre security, T-Pro is committed to an ever-advancing, security strategy and corresponding controls intended to ensure that the healthcare data you entrust to us is kept private and protected.
Our cloud services may securely connect via HSCN (NHS Broadband Network) into NHS organisations including hospitals and clinics.
What’s more, T-Pro Speech and its accompanying services (Mobile Dictation and Transcription) are designed to eliminate paper trails, meaning that the risk of a data breach with physical copies of patient information is eradicated.