The cost of the WannaCry ransomware attack that hit the National Health Service (NHS) last year has finally been revealed by the UK Department of Health and Social Care as, and I hope you’re sitting down, a whopping £92 million. The bulk of this, some £72 million, was spent restoring disrupted services and recovering data.
A review authored by NHS CIO Will Smart of how the NHS handled being collateral damage of the scattergun ransomware worm made several strategic security recommendations. Amongst them was the introduction of a minimum security standards bar, by way of mandatory compliance with the Cyber Essentials Plus (CE+) accreditation scheme endorsed by the National Cyber Security Centre. Yet NHS Digital itself appears to have taken the view that CE+ is a good benchmark but wouldn’t necessarily offer the NHS value for money within the context of ensuring all providers were accredited.
Say what now!
This is the same NHS that one freedom of information request recently revealed to be distinctly lacking when it comes to policy regarding instant message app usage. Of 113 NHS England trusts responding to that request, 62 percent had no such policy; of those that did, some state the preferred platform is WhatsApp.
Now, WhatsApp is many things, but a secure platform over which sensitive and confidential patient data can be transferred by medical professionals without a second thought sure isn’t one of them. Three years ago The Independent newspaper reported that, as well as using WhatsApp, almost half of the doctors questioned admitted to having sent “a photo of a wound or x-ray to a colleague” using their smartphone camera and messaging app, and 27.5 percent said they still had clinical information sitting on their smartphone.
Say what again!
What’s interesting here is that the report made it clear that nearly three-quarters of the doctors interviewed, and a third of the nurses, really wanted a secure method of sending that kind of patient data using their own smartphone. Equally interesting is that it would seem nothing has changed all that much since. Dr Jonathan Bloor states that “WhatsApp is being used outside current information governance rules, often without local NHS oversight and with huge confusion about just how secure information held in WhatsApp really is.”
And he’s right, but it’s not just an NHS problem. Globally speaking, healthcare is a hugely attractive sector for the bad guys, aided by an often quite shocking lack of 360-degree security thinking. One US study by a couple of Massachusetts General Hospital physicians found that 176.4 million records were compromised in 2,149 breaches between 2010 and 2017. Given that patient data files can change hands on dark web markets for $20 an item (at least ten times more than a stolen credit card) and can be used for everything from identity fraud to blackmail, you start to understand why the bad guys love this sector so much.
So, what’s the answer? Well it sure isn’t continuing to wear the legacy thinkers’ blinkers and chant the network and endpoint security mantra above all else. Even end-to-end encryption platforms won’t solve the thorny issue of patient data being stored on the docs’ smartphone or tablet if it gets lost, stolen or compromised. What’s needed is some original thinking that brings security to this most deserving of data types, without adding to the ease of use issues that have driven our heroes of health to use their own insecure devices in the first place.
Doctors and nurses aren’t using their own devices for the hell of it, they are doing so to provide the best care they can in often highly stressful, sometimes life and death, situations. They cannot rely upon clunky legacy data sharing infrastructures (pagers and fax machines sadly haven’t gone away), they need to be able to get that information to the right people right now and know that it’s been seen and acted upon.
Here’s the thing: what if those healthcare professionals could use their own smartphone, tablet or laptop without the security and privacy of patient data being an issue? The good news is that they can, thanks to Pushfor, where no matter what the content, all the recipient ever sees is a view of the data rather than the data itself being transferred. There is no data on the device to put patient confidentiality at risk. What’s more, it’s a view of the data that can be time-limited, geo-fenced and revoked. The powerful Pushfor analytics engine generates a fully detailed audit trail so you know who has seen what, where they viewed it and for how long, and the content can be ‘pulled’ back at any time so it’s no longer viewable.
Pushfor allows healthcare organisations to provide controlled and secure access to confidential information, not just internally but between organisations, using an app that’s every bit as intuitive and easy to use as WhatsApp but with a whole lot more data protection and privacy functionality built right in…