Healthcare leading the way in data security awareness
Patient records have long been one of the most sought-after data sets among cyber attackers, and stolen medical data is a cornerstone of the cyber criminal economy. Personally identifiable information (PII) such as names, dates of birth and addresses can provide huge value to attackers, enabling a wide range of criminal activity. The details can be used to commit fraud directly or can enable a cyber criminal to craft a devastatingly well-targeted social engineering attack to deceive the victim into giving up more information or installing malware.
Records stolen from healthcare providers are a particularly good source of PII because they store so many different attributes about an individual in one place. Our research has found that an average of 74 attributes are held per medical record, compared to an average of 49 across all other types of data.
Further, the data is more likely to be up-to-date and accurate than an alternative source such as a retailer. Individuals are much less likely to lie about things such as their date of birth to their healthcare provider, and there is more of a vested interest in keeping the details correct.
The nature of patient data also enables some unique opportunities for criminals, such as fraudulently acquiring prescription drugs or medical equipment, or filing false claims with health insurance providers.
UK providers leading the way
The good news is that UK healthcare providers appear to be taking this threat seriously – and in fact healthcare data appears to be more rigorously assessed than any other type of data according to our research. Trustwave commissioned industry analyst firm Quocirca to conduct a survey of 500 senior IT managers in Australia, Canada, Japan, the UK and the US and establish how much value they placed on data within their organisation.
The study included organisations from a wide variety of industries, with a focus on finding out what kind of data was considered to be the most important, and how it was managed and secured. One of the most important considerations was whether a risk assessment had been carried out for each data type.
An impressive 90% of UK organisations that hold patient data reported that they had undertaken a comprehensive risk assessment – far ahead of the global average of 79%. The UK even edges ahead of the 85% average in the United States, where healthcare is very tightly regulated by HIPAA, the Health Insurance Portability and Accountability Act.
Our research also found that the respondents believed patient data to be the second most highly valued data subject among organisations, with an average value of $1,500 per record. Only shareholder data was valued more highly, at $1,700 per record, while by comparison, an average consumer record was valued at just over $1,000.
We also found healthcare records to be by far the most valuable dataset available for purchase on the dark web, with each record commanding a mean price of $250. This price tag far eclipsed other commonly stolen data such as bank records, which were valued at just $4 each.
The influence of regulation
When it comes to looking after data, the UK’s global lead is largely due to the number of healthcare organisations operating through the NHS. Alongside this comes fairly strict regulation and the influence of the Information Commissioner’s Office (ICO). The ICO is well known for taking action with organisations found to be breaching the Data Protection Act, with average fines of £114,000 for poor data security, and the largest fine exceeding £400,000.
With a few exceptions, it is a statutory requirement for every organisation processing personal information to register with the ICO. Healthcare providers are also under additional pressure to report IG SIRI (Information Governance Serious Incident Requiring Investigation) at the earliest opportunity and handle their investigation efficiently.
While it’s true that UK healthcare providers are leading the way when it comes to assessing the risks facing patient data, it’s also the case that we see a regular influx of security incidents handled by the ICO. While last year’s WannaCry attack had many providers on edge, it’s important to remember a data breach is not necessarily the work of an attack by cyber criminals. The majority of security incidents that land providers in trouble with the regulators come from within the organisation, such as data that has been accidentally sent to the wrong recipient or accessed improperly by an employee.
Keeping patient records safe
The large number of healthcare regulators having regulatory action taken against them is partly due to the higher burden on reporting incidents compared to other private sector enterprises with less regulatory pressure. However, many of these incidents stem from poor data management policies and could be easily prevented.
Risk assessments should be comprehensive and take into account external factors such as third-party vendors and contractors, and the prevalence of bring-your-own-device (BYOD) policies that can make it more likely for data to be shared or lost. We found email security to be a particular blind spot for many organisations, despite the fact that confidential medical data is commonly leaked over email – whether maliciously or through the easy mistake of typing the wrong recipient.
One of the most effective ways of addressing these security issues is to take on a managed security service provider, or MSSP. This will enable the organisation to enhance their responsiveness and remediation abilities, supplementing the abilities of their internal security teams without consuming their budget. Having on-demand access to a team of experienced security practitioners also enables a healthcare provider to dynamically scale up their resources to respond to a crisis.
By combining attention to security best practice with provisions for more advanced incident response and investigative abilities, healthcare providers can ensure the patient data in their care is kept safe from theft or loss.
Ireland is key launchpad for US expansion into Europe
The first transatlantic cable was laid between Newfoundland and Valentia Island in County Kerry, Ireland, in 1858. It was a flawed effort; the connection was poor, causing enough issues with efforts to send telegrams along it that major repair efforts were set underway immediately - efforts which ended up further damaging the cable line, severing the connection just three weeks later.
This first step towards transatlantic subsea communication, shaky as it was, laid the foundations of more than a century and a half of information exchange across the ocean, between the East Coast of North America and Western Ireland.
It’s been 163 years since the completion of the first transatlantic cable, an event which cemented Ireland’s position as the landing stage for subsea connections between Europe and the Americas. That position has, in no small way, been a driving force behind the country’s modern role as a landing stage for US and Canadian firms looking to do business in Europe.
Today, some of the largest firms in the world, like Pfizer, Janssen, Zurich, Metlife, Google and VMware use Ireland for their European Headquarters. The combination of an English-speaking workforce (a boon made all the more important as Brexit makes the UK and the north of Ireland an increasingly complex environment that provides diminishing opportunities to access the rest of Europe), a cultural and regulatory landscape that welcomes foreign investment, and world-class connectivity makes the country an unparalleled choice for firms looking to establish a foothold in the EU.
As a result, Ireland has become one of the world’s leading data centre hubs.
Based on leading data centre firm Interxion’s Data Gravity Index, Dublin will be among the top five European cities that will contribute to Europe’s growth in data in the coming years, following London, Paris, Frankfurt and Amsterdam. The amount of data generated in Dublin itself is expected to grow alongside its economic expansion, with the Data Gravity Index also predicting that Dublin will outpace cities and data centre hubs like Mexico City, São Paulo, and even Shanghai, to be among the top 20 cities to experience annual data growth by 2024.
Ireland ranks 6th in the 2020 EU Digital Economy and Society Index (DESI), meaning that it is among the leading ranks of EU Member States in terms of the uptake and use of digital technologies. Likewise, the trend to locate data centres in Ireland serving overseas clients will continue to generate increasing amounts of international traffic.
Managing the Dublin Data Boom
According to Interxion, subsea connectivity will continue to play a massive role in helping both international and domestic organisations digitally transform themselves to meet the challenges of changing markets post pandemic.
As the pace of global digital transformation - and the subsequent need for more connectivity - accelerates like never before, this rapidly developing world is driving further demand for these cables as individuals and organisations become increasingly reliant on subsea cables’ exceptional data speed and capacity.
According to experts at Interxion, this connectivity will be pivotal to Ireland’s continued success in attracting international companies in the technology, pharmaceutical and financial sectors.
The subsea cable industry is a key contributor to the Irish economy across many sectors. The draft National Marine Planning Framework reported that subsea international networks make Ireland an attractive region for investment for the technology and digital sectors. TeleGeography states that there are twelve existing subsea cables connecting Ireland to the US and UK, and a further four systems are under development. The Irish government’s statement on the Role of Data Centres in Ireland’s Enterprise Strategy identified Ireland as a location of choice for many different sectors reliant on digital and telecommunications capabilities, all of which in turn rely on subsea cable interconnectivity.
Subsea cables are of strategic importance to Ireland’s future as a catalyst for economic and societal prosperity. Ireland can be the ideal location for your company’s expansion plans. To find out how, you can hear from leading experts throughout the data centre and digital infrastructure industries on June 15, 2021, as speakers from the IDA, Aqua Comms, GTT Communications, euNetworks and Interxion discuss subsea cabling, digital transformation, Data Gravity and the fate of Ireland’s digital economy.
Key topics will include:
- Key facts about existing subsea infrastructure
- Future plans
- Challenges (including Marine Maintenance) and opportunities
- Terrestrial networks (demand vs supply)
- Ireland's role as a gateway to Europe
The virtual panel (which is taking place between 10:30 PM - 11:30 PM JST on June 15, 2021) will conclude with a 20-minute Q&A. Mike Hollands, Senior Director of Market Development at Interxion, will moderate the event.