The NHS portal scheme is potentially going to give cyber criminals greater access to patient records. We discuss how you can protect your practice.
NHS patient record accessibility – Opening the floodgates to cybercrime?
One in five practices have offered full prospective record access since the beginning of February 2023, enabling their patients to see new entries in their patient records as they are added. This allows 6.5 million patients with online accounts to automatically view new record entries online and through the NHS App (and other approved patient-facing apps)1.
Whilst this undoubtedly fulfils the aim of providing patients with better access to their health information, it also opens up potential risks in terms of cyber security.
A clear and ever-present danger
Cyber security is more than ‘just an IT issue’; it’s ultimately about keeping patients safe. Whatever the motive for cyberattacks – money, politics, a grudge or simply to see if it can be done – the end result is damage to patient care and to your credibility and reputation as a practice.
Phil Huggins, Interim National Chief Information Security Officer (NHSX), warns that “ransomware is not necessarily the preserve of organised crime. The main concern with ransomware is that it’s indiscriminate. The NHS has what we call a large cyberattack surface, a big outside edge, because we’re a large sector with lots of people and devices”.
16% of large UK businesses or charities reported ransomware attacks in 2020
Although the use of digital ways of working offers great advantages, you need to ensure that the benefits are balanced by having robust cyber security measures in place.
Whilst around 58 billion transactions a month are protected by the NHS’s internet perimeter security system, ‘NHS Secure Boundary’, individual practices should consider cyber insurance as vital for their own protection.
Healthcare a prime target
The number of ransomware attacks on healthcare organisations increased 94% from 2021 to 2022, according to a report from the cyber security firm Sophos. The report shows that the healthcare sector is the most likely sector to pay the ransom. 44% of healthcare organisations that suffered an attack in the last year took up to a week to recover from the most significant attack, and 25% of them took up to one month2.
As reported in the 6th State of Email Security Report published by Mimecast, the cyber threat landscape across many countries became more treacherous during 2021, not less.
2021 was the worst year on record for cyber security2
Phishing was the biggest culprit with 36% of data breaches due, at least in part, to employee credentials being stolen through a phishing attack, 96% of which occurred through email. Ransomware is also “running amok” according to the Mimecast report, costing organisations millions to rectify. 64% of the victims interviewed felt compelled to pay the ransom, yet 4 out of 10 of them failed to get their data back.
In addition, fund transfer fraud is increasing3, whereby fraudulent money transfers are requested for legitimate payments but made into faked bank accounts, when purchasing things like medical supplies or paying for building work on the practice, for example.
An Achilles Heel
Unfortunately, your employees are likely to be your biggest data breach risk. Research has shown that more than 90% of security breaches involve some degree of human error. It is important to give your employees appropriate training and keep it up-to-date.
Healthcare providers face a number of exposures, not least around patient privacy. Should you suffer from a cyberattack, you will need to take corrective action, which may include the requirement to implement breach notifications. In addition, you may need forensic specialists to support you in uncovering what happened, and there may be regulatory fines, such as those under GDPR, and investigation costs to cover.
Cyber insurance gets you back on track
Don’t think it won’t happen to you. Small businesses are susceptible to attack, as they lack the cyber security systems of larger companies and especially as health data is valuable. Make sure your practice has the appropriate insurance cover to protect you in the event of a cyberattack. Cyber insurance can protect your business from the financial losses incurred in such scams and help to protect your reputation and your patients.
MIAB can offer cyber liability and data insurance which can provide support for incident response, business interruption, forensics, and privacy liabilities.
Cyber claims handling services. MIAB insurers offer a dedicated incident and cyber response helpline. These helplines are available 24/7 so you’re able to react to a cyberattack quickly and effectively.
Read our series of cyber security posts to become more cybercrime aware.
For more info and to get the protection you need contact us.
Or call us on 01438 730210
- Further information can be found at england.NHSEimplementation@nhs.net.
- Q3 First-half Data Breach Analysis – Identity theft resource centre