Healthcare professionals – are you protected against data breaches?

We’ve all heard of the term ‘patient confidentiality’, which means that when a patient or healthcare-service user shares confidential information it cannot be disclosed without their consent. There are caveats, such as when a patient lacks capacity to consent or if a doctor is ordered to release information by a judge[1]. But by and large, it’s accepted as a crucial part of the trust between healthcare giver and service user.

The use of digital systems and the importance of data in medical advancements have changed the landscape considerably in recent years, however. Doctors and other healthcare providers now have to understand the legal ramifications of protecting patient data and the protocols for using them in research. They also need to be aware of the growing risk of cybercrime-related data breaches that come with the territory, including alterations to records, theft or loss. And all while performing a complex and stressful role. No easy feat.

Combating breaches

Compliance with General Data Protection Regulation (GDPR) according to the Data Protection Act 2018 is essential. Breaches can lead to fines or regulatory interventions, and in the worst instances could damage practices and careers.

At Howden, we are seeing a significant hike in claims for personal injury as a result of data protection breaches – perhaps an unintended result of the legislation, and something that didn’t really happen before GDPR.

Mistakes are all too easy to make in stressful, high-pressure situations – a letter sent to the wrong address, a laptop left on a train, a spreadsheet shared with the wrong person – so doctors and healthcare providers need to protect themselves accordingly.

Incidents of cybercrime are also rising. Hospitals, surgeries, pharmacies, care centres and other healthcare organisations are prime targets for malicious cybercriminals. There are a few reasons for this. Healthcare organisations deal with huge amounts of personal data, which can be very valuable to criminal groups. Practices and healthcare centres often cannot afford to invest in the latest security technology, making them an easy target. Plus, the healthcare sector has been under immense pressure over the past couple of years thanks to the pandemic, and cybercriminals have cynically exploited Covid-19 and the vulnerabilities it has exposed.

According to the National Cyber Security Centre (NCSC), it tackled more than 2.7 million attempted online scams in the UK last year. This included removing more than 1,400 NHS-themed phishing campaigns, an 11-fold increase on 2020, including fake messages about vaccine rollouts and certificates[2].

Data security incident trends published by the Information Commissioner’s Office (ICO)[3] show that between April 2021 and June 2021 alone there were 607 data security incidents in the health sector, up from 420 the previous quarter.

Protective measures

There are safeguarding measures that all practitioners can take to protect patient data and prevent GDPR breaches.

For example, collect and store only the minimum amount of personal data necessary for patient care and treatment, and obtain explicit and informed consent from patients before processing their personal data, clearly explaining the purpose and scope of the collection and the intended usage.

Ensuring patient data is stored securely is an essential step, too – implement strong access controls, encryption and regular backups, and make sure data is only accessible to authorised personnel. It’s also a good idea to train all healthcare staff regularly in GDPR requirements.

But perhaps most crucially healthcare professionals should consider a comprehensive plan for responding to data breaches. What steps can be taken to mitigate the breach? How will affected individuals and data-protection authorities be notified? Do you have to let the ICO or NHS know? How fast can data integrity be restored? What happens if patients bring litigation proceedings?

Part of that shoring-up process should include securing a standalone cyber-insurance policy to cover potential data-protection claims. At Howden, we’re finding that increasing numbers of doctors and other service providers realise only too late that their existing liability insurance doesn’t stretch to certain kinds of cybercrime-related data breaches.

Complementary cover

It’s also worth having a think about the current set-up at a practice or centre, including relationships with IT providers or any NHS provisions and protocols, if appropriate[4]. A cyber-insurance expert will be able to suggest the right level of cover to complement existing strategies.  

To combat cybercriminals today, healthcare organisations must improve their resilience and capability to defend against increasingly sophisticated attacks – and part of that is ensuring the right cyber-insurance cover is in place.

Unfortunately, hardworking healthcare professionals now have to evolve as fast as the cybercriminals. The digitisation of our healthcare services continues apace and every device, connection and digital data point is a potential window of attack. It’s important for healthcare professionals and organisations to consult with legal and cybersecurity experts to ensure compliance with GDPR regulations and to address any specific risks or challenges they may face in their particular contexts.

If you’d like to discuss your options with a leading cybersecurity-insurance professional, please get in touch by calling 0117 205 1855 or emailing [email protected].