[BreachExchange] Why the UK needs to adopt US healthcare approaches to information security sharing

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 17 20:44:33 EDT 2017


An individual's credit card information may be worth a few pounds on the
black market, but healthcare data can fetch between 50 and 100 times that.
And while credit cards can be cancelled, healthcare information – which
contains sensitive information such as addresses, medical history,
emergency contact, and more – cannot.

Criminals could potentially use this data to sign up for new credit cards
or commit insurance fraud.

In March 2017, it emerged that access could be gained to the private
records of 26 million NHS patients.[1] This shows the vulnerability of
patient data at a network level.

At a device level the threat is also apparent. For example, in 2010,
Brighton and Sussex University Hospitals NHS Trust was fined £325,000[2] by
the Information Commissioner's Office (ICO). This was because more than 200
de-commissioned drives belonging to the Trust that should have been wiped
and destroyed in fact ended up on eBay.

Patient data is at risk when staff do not follow protocol and many NHS data
breaches could have been prevented.

The UK Government has made moves to ensure higher security[3] for NHS
departments and suppliers in the form of NHS Digital's Information
Governance (IG) guidelines.[4]

George Freeman MP writes: “As the health and social care system becomes
increasingly paperless and digital it also becomes ever more important that
there are adequate and robust protections in place to protect the data and
information held within it.”

While we welcome this increased emphasis on data protection, we also
believe that the UK Government should go one step further. Patient data
would be even more secure with increased stakeholder collaboration.

One way that other industries such as banking are getting ahead of
attackers is by sharing information. Not only do they invest in mitigating
equipment but they also share indicators of compromise (IOCs) and malicious
activity with industry peers in a trusted network.

Attackers share information among themselves and it is time that health
organisations did the same to strengthen defences. An industry-wide,
multiple stakeholder group that shares information, provides training and
best practice would be a critical tool in the fight against cyber-crime in
the UK health sector.

In the US there is already a culture of health bodies, service suppliers
and manufacturers working together to protect data.

For example, the Health Information Trust Alliance (HITRUST), launched in
2007, is a collaboration of healthcare, business, technology, information
privacy, risk and security leaders. HITRUST runs several programmes to
drive widespread confidence in the industry's safeguarding of health
information. This includes the Cyber Threat XChange (CTX).

Numerous healthcare and industry related bodies are involved and they share
IOCs within the CTX. This service streamlines cyber-threat information
sharing and significantly accelerates the detection of, and response to,
cyber-threats targeted at the healthcare industry.

Because the HITRUST CTX platform operates in real-time, the intelligence is
delivered in a timely manner and is immediately consumable by all
organisations. This allows for a proactive approach to detecting any
instances of a local threat.
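The two paragraphs above describe the mechanism in outline: a peer publishes indicators of compromise to a trusted exchange, and each member immediately sweeps its own telemetry for them. The following is an added example, not code from the original post or from HITRUST, of what the consuming side of that loop looks like. The feed schema, the key=value log format, the host names and every indicator value are constructed for the example (they are not the CTX format and are not real indicators); the freshness window and the 70% confidence threshold are assumptions chosen to show why timeliness and indicator quality matter before an alert is raised.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample feed, standing in for what a peer organisation might
# publish to a trusted exchange after an incident. The schema is invented
# for this example; it is not the HITRUST CTX format.
SHARED_FEED = json.dumps({
    "published": "2017-05-17T18:00:00Z",
    "indicators": [
        {"type": "domain", "value": "Update-Check.example.net", "confidence": 90},
        {"type": "ipv4",   "value": "203.0.113.45",             "confidence": 80},
        {"type": "sha256", "value": "0" * 63 + "a",              "confidence": 95},
        {"type": "ipv4",   "value": "192.0.2.10",               "confidence": 30},
        {"type": "email",  "value": "x@example.org",            "confidence": 99},
    ],
})

# Constructed local telemetry: key=value proxy and endpoint records from one
# member organisation (hostnames and addresses are placeholders).
LOCAL_LOGS = [
    "2017-05-17T18:05:11Z host=ward-pc-07 dst=update-check.example.net action=allow",
    "2017-05-17T18:06:30Z host=ward-pc-07 dst=198.51.100.7 action=allow",
    "2017-05-17T18:07:02Z host=lab-pc-02 dst=203.0.113.45 action=allow",
    "2017-05-17T18:08:40Z host=lab-pc-02 sha256=" + "0" * 63 + "a" + " action=quarantine",
    "2017-05-17T18:09:15Z host=admin-pc-01 dst=192.0.2.10 action=allow",
]

# Indicator types this consumer knows how to match against its own logs.
IOC_TYPES = {"domain", "ipv4", "sha256"}
KV_RE = re.compile(r"(\w+)=(\S+)")
# Log fields whose values are compared against the shared indicators.
OBSERVABLE_FIELDS = ("dst", "sha256")


def _parse_ts(text):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def load_feed(text):
    """Parse the shared feed, keeping only indicator types this consumer can act on."""
    raw = json.loads(text)
    indicators = [
        (i["type"], i["value"].lower(), int(i["confidence"]))
        for i in raw["indicators"]
        if i.get("type") in IOC_TYPES  # unknown types are skipped, not fatal
    ]
    return {"published": _parse_ts(raw["published"]), "indicators": indicators}


def feed_is_fresh(feed, now_iso, max_age_hours=24):
    """Timeliness check: intelligence older than the window should not drive alerts."""
    return _parse_ts(now_iso) - feed["published"] <= timedelta(hours=max_age_hours)


def build_index(feed, min_confidence=70):
    """Map indicator value -> (type, confidence), dropping low-confidence entries."""
    return {v: (t, c) for t, v, c in feed["indicators"] if c >= min_confidence}


def scan_logs(lines, index):
    """Sweep local log lines for any shared indicator and return structured hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        for key in OBSERVABLE_FIELDS:
            value = fields.get(key, "").lower()
            if value in index:
                ioc_type, confidence = index[value]
                hits.append({"line": n, "host": fields.get("host"), "field": key,
                             "type": ioc_type, "value": value, "confidence": confidence})
    return hits


def run_example(now_iso="2017-05-17T20:00:00Z"):
    """Full consumer loop: load feed, refuse stale intelligence, sweep local logs."""
    feed = load_feed(SHARED_FEED)
    if not feed_is_fresh(feed, now_iso):
        return []
    return scan_logs(LOCAL_LOGS, build_index(feed))


if __name__ == "__main__":
    for hit in run_example():
        print(f"line {hit['line']}: {hit['host']} matched {hit['type']} "
              f"{hit['value']} (confidence {hit['confidence']})")
```

Run as-is, the sweep surfaces three local hits (a domain, an address and a file hash) within minutes of the peer's publication, while the low-confidence address and the unsupported email indicator are ignored. The freshness gate is the point the article makes about real-time delivery: the same feed consumed two days late returns nothing, because the consumer should not page an on-call team on intelligence it cannot vouch for.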

There are more than 500 participating organisations, making it the most
widely subscribed threat exchange in the US healthcare industry, and it has
already been critical in the sharing of data in at least two major

The US health sector is supported throughout the supply chain by this
multi-vendor framework. It provides risk management tools, education and
leadership, which reduces the chances of American patient data ending up in
the wrong hands.

This system would work in the UK. Indeed, it is needed. NHS Digital's moves
to drive ever-higher standards of security[5] across the board should be
credited but, as the US model proves, a collaborative platform across
industry is required to share information, drive awareness and best
practice, and ensure compliance.

Criminals are getting ever smarter in their pursuit of patient data. Public
sector fraud is estimated to cost the UK public sector £37.5 billion per
year.[6] We as an industry need to be even more organised in the way we
protect patient data, and it starts with deeper security information
sharing between the NHS and its many technology suppliers.