Digital patient journey and cyber attack risks

In October 2018, the Secretary of State for Health and Social Care, Matt Hancock, outlined his vision for the future of healthcare through a digital patient journey, in order to provide better patient care, improve efficiency and reduce operational costs. The plans encompass a digital process for the patient from pre-diagnosis to discharge.

The shift towards digital, and the value of the data that is being stored and shared, does, however, bring an increased risk of cyber attacks.

Multiple areas of risk

Health records remain a valuable currency on the black market. Records are used for fraud in a number of different guises and organisations are exposed to financial loss as a result.

Within the healthcare sector, there is potential exposure across the whole digital patient journey. Patients are becoming increasingly connected, via wearable devices for diagnosis and monitoring, through to predictive analytics to confirm the likelihood of illnesses recurring. Examples include:

  • Pre-diagnosis – online GP video consultations via video apps
  • Diagnosis – clinical imaging & diagnostics via artificial intelligence
  • Treatment – smart surgical devices
  • Monitoring – cloud based patient health monitoring platforms such as glucose sensors in smart contact lenses and ingestible sensors in tablets
  • Remission – predictive models for illness reoccurring in patients.

The healthcare sector also continues to suffer from phishing emails and ransomware attacks, which attract media attention.

After effects of ransomware attacks remain a key concern

A number of organisations do not have sufficient backups of their patient data, which presents two major issues in the event of cyber difficulties:

  1. Immediate impact on delivery of healthcare services.
  2. Subsequent impact, because data scrambled by ransomware may not be fully returned to its previous form once the ransom is paid. This may be due to flaws in the internal operating systems or the hackers’ technical failures.

Cyber security and managing the risks

The risks posed to cyber security have been on the government’s agenda for some time, with legislative steps having been taken to help tackle this increasing threat, particularly to the NHS. Created by statute (under the Health and Social Care Act 2012), NHS Digital (previously known as the Health and Social Care Information Centre) is a public body set up in 2013, with its responsibilities including “giving advice and support to health and care organisations on information and cyber security”.

NHS Digital recognises that “cyber threats are constantly evolving and always present, and increasingly digital health and care organisations must remain prepared and ready to respond”. It is an organisation that, importantly, provides best practice guidance and training, as well as providing information on how to “prepare for and respond to data and cyber security incidents”.

Impacting significantly on the NHS (as well as businesses and organisations around the world), the global cyber attack known as WannaCry in May 2017 demonstrated how serious the consequences of cyber attacks can be.

In June 2018, NHS Digital announced that it had “entered into a three-year strategic partnership with IBM to provide a range of new and improved services to health and care organisations” to “enhance data security and cyber security response and provide additional defence against increasingly complex, evolving threats”.

Healthcare providers need to make sure that patient data is protected through the provision of training for all staff (rolling out of mediums of education for entire health faculties), as well as ensuring that relevant systems and safeguards are in place. They will also need to ensure that adequate levels of crisis response are in place to respond to an attack.

Human error, of course, remains a key contributor to cyber attacks on the industry, but if these security risks are managed then the risk is reduced and there is greater opportunity to dedicate more time to the benefits of digital.

It is clear that the risks of cyber attacks are ever-changing, and constant monitoring and improvement of cyber security is crucial. The risks are not isolated to data security and financial loss, but extend further. The development and increasing use of technology to support diagnosis and treatment within healthcare provides great benefits, but also brings the risk of a cyber attack or hack that could potentially have a direct impact on patients.

Read other items in Healthcare Brief - June 2019