As we approach the end of 2019, Davey Winder looks back over the year and explores whether anything has changed in relation to cybersecurity in healthcare
This is an edited version of an article first published by Digital Health
As we approach the end of another decade there are still way too many outstanding ‘old’ issues related to cybersecurity and privacy in the health sector for my liking. Some of these, I really would have expected to have become extinct by now, like the small problem of ad-tracking when it comes to online health services.
Earlier this month an investigation by the Financial Times uncovered the true extent to which some of the most popular health websites in the UK have been sharing sensitive medical data. The reporters found that everything from symptoms and diagnoses, to prescribed drugs and even menstrual information, were fair game for data-sharing. A total of 100 of the top health websites were analysed and the report reckons 79% were installing cookies without the legal consent required in the UK.
Calling Dr Internet
Of course, Dr Internet hasn’t sworn any Hippocratic oath, so doesn’t really care that patients can be tracked by, and their sensitive data shared with, advertising agencies and technology firms. The General Data Protection Regulation (GDPR) cares, and is meant to prevent health data being shared without explicit consent.
Unfortunately, GDPR is failing to bite hard enough when it comes to health-related websites; the tech companies receiving the data issued statements denying any culpability. Explanations ranged from ‘not wanting’ websites to share such information with us, having ‘strict policies’ that prevent such data from being used to target advertising, right through to it being the responsibility of the health websites to manage user consent and the data that gets sent on.
Calling out advertisers
However, as the FT reported, the Information Commissioner’s Office (ICO) is already looking to the online advertising industry to clean up its act, and these new revelations are unlikely to have eased its concerns. The NHS, it would seem, has got this right and is ‘an exception in the universe of ad-tracking’ according to the FT.
David Emm, Principal Security Researcher at Kaspersky, reminds us that the reality is that “Consumers have no control over what a company does with any data that they choose to share on a company’s site – in this context, searches they make for health information – or who they choose to share the data with.”
Unless the ICO start sharpening their teeth when it comes to GDPR implementation and interpretation, I can’t see this changing.
Protecting health data
It’s not just the advertisers you have to worry about either; cybercriminals would like to get hold of your health data as well.
According to security vendor Malwarebytes healthcare is the seventh most targeted industry when it comes to cybercrime, and threat detections from healthcare organisations increased by 60% from 2018 – and that’s just for the first three quarters of 2019 compared to the whole of 2018.
While this Malwarebytes statistic is going to be skewed by the nature of healthcare provision in the United States, in my opinion it doesn’t make it any less relevant to the UK. With certain malware variations being known to target healthcare with ransomware payloads quite late in the attack chain, the dual problems of under-funding and legacy equipment come to the fore.
“We should be arming healthcare now with extensive security measures,” says Adam Kujawa, director of Malwarebytes Labs. “Because this pattern suggests that ransomware is looking to penetrate healthcare organisations from several different angles.”