Are the ICO and health service taking data breaches seriously?
Well, frankly, no. And here's why.
The Information Commissioner's Office (ICO), responsible for data governance in the UK and to which all government departments report, just published their latest security report on their 'Action we've taken' web page. The report details which sectors have suffered the most breaches from Q4 '15/'16, and lo and behold, it's the usual suspects: local government, education, general business, as well as the financial investment and credit sector, with health services still leading the way. The health sector still experiences more data breaches than any other industry in the UK - half of all those reported to the ICO, in fact - and 184 in the last quarter of 2015 (compared to the second most breached sector, local government, which reported 43 breaches over the same period).
Cyberattacks are at an all-time high, and with the rise of cloud services and the amount of highly sensitive data the health sector handles, we should all be very concerned. The ICO says its Good Practice department currently has a number of audits planned to address data protection issues within NHS Trusts during the 2016/17 financial year, but no one there is answering the phone to tell us anything more about these 'actions [being taken]'. And we're less than impressed. Yes, they continue to identify and report on these breaches, but what are they actually doing to prevent the attacks – which are, by the ICO's own admission, getting worse – from happening? Are either the ICO or the health services learning from these incidents? Because we're hearing the same thing every quarter.
This spike in cyberattacks shows that our perception of hackers as hoody-clad, loner teenagers in their parents' basement needs to evolve with the times. Cyber criminals are now part of an organised crime enterprise driven by dark web and marketplace demands. According to a collaborative research report by KPMG and BT, they now function just like any other business: conducting extensive research on would-be victims and successfully pulling off large-scale attacks by blackmailing and/or bribing employees to obtain access to sensitive data. Mark Hughes, BT's CEO of Security, said: "The twenty-first century cybercriminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market. Businesses need to not only defend against cyber-attacks, but also disrupt the criminal organisations that launch those attacks. They should certainly work closer with law enforcement as well as partners in the cyber security marketplace."
The high number of health sector breaches reported is partly due to the size of the health sector, the sensitivity of the data handled and the NHS's mandatory reporting of data security incidents, but the proportion of all incidents represented by the health sector is still the same 41% as in Q3. Data security breaches can cause high levels of distress and damage for victims, yet the state of the industry's IT infrastructure is highly alarming. A number of factors leave the healthcare system wide open to attack: insufficient funding, insufficient staffing, lack of effective training, lack of network awareness and lack of security assessment, to name a few. Over the last few years, medical data has become one of the most valuable things on the dark web: while credit card data will net a hacker little more than a pound, medical records can fetch up to £30. They also tend to contain a wealth of valuable information, much more useful than what you'd get from a credit card: records of admission, prescriptions, medical histories, and personally identifiable information of not just the patient, but also relatives. Even if the attack isn't financially motivated, hospitals make the perfect target for creating fear, causing havoc or even actual physical harm (which could be carried out without the hacker needing to be present).
And it's us who pay the price. When public or personal data is compromised, the ICO imposes fines on businesses that have failed to properly protect data, and that's great, but these businesses all have insurance to cover it, so it's still taxpayers footing the bill. Businesses lose consumer data, then consumers pay for the damage! It's a lose-lose situation for the customer and it's not good enough. So much of it is preventable, and the health services and the ICO should be focusing on how to make sure nothing goes wrong in the first place. This is serious. We're talking about our information and our money, and they're not protecting it; quarter upon quarter, the health service continues to suffer the most breaches, but they're still saying the same things. It's not costing them anything, and they don't seem to be learning from it or adding resources to help fix the problem. Would health services seriously rather keep paying fines than employ the people necessary to help? WALLIX's privileged access management solution WAB Suite enables businesses to control, monitor and record administrator sessions across multiple systems, so they can always know who's looking at and doing what.
The criminals are getting smarter, and so should we be, before it's too late. Recent "botnet takedowns" have put cybercriminals on the offensive, and they're now further improving their own security and developing new modus operandi. On a pay-per-use basis, it can cost as little as 38p to install malware on an individual PC, and a DDoS attack costs just £3.87 per hour to mount but more than £31,000 an hour to defend against. To take the fight to a well-resourced and sophisticated enemy, sustained by a dark market that develops attack tools and strategies more effectively than legitimate organisations build defences, we must develop a streamlined and coordinated approach that sees businesses working together with law enforcement. We need to see the health services start taking proper action, and the ICO step up and start giving proper guidance and the necessary support to such industries.