In the first of our new monthly cybersecurity news round-ups, we report on limited confidence in medical device security, fines for data protection breaches, and the news that healthcare is responsible for most data protection incidents in the UK.
Healthcare responsible for 43% of UK data breaches
Healthcare has the highest volume of data breaches in the UK, a study of figures from the Information Commissioner’s Office has shown.
Data security firm Egress reviewed all incidents from January 2013 to December 2016, and found 2,447 took place in healthcare. That represented 43% of the total, way ahead of the sector with the second highest number of breaches – local government, whose 642 incidents accounted for an 11% share of the total.
The study also found the number of incidents in healthcare had risen year on year, with a 20% increase from the last quarter of 2014 to the last quarter of 2016.
Human error was the cause of most of the healthcare incidents that took place between October and December 2016.
“Following the WannaCry exploit, the vulnerability of the healthcare industry, and the critical importance of improving its cybersecurity, has come into sharp focus,” said Tony Pepper, chief executive and co-founder of Egress Software Technologies.
“While it’s clear there is a security problem in healthcare, these figures show that it is as much about internal activity as external threat.”
Limited US confidence in medical device security
Almost 70% of US medical device manufacturers believe an attack on the product they build is likely to occur in the next 12 months, according to the results of a new study.
Conducted by IT security research organisation the Ponemon Institute, and published by technology firm Synopsys, the report found 56% of US healthcare delivery organisations shared the belief in a likely imminent attack.
While around a third of the 500 people surveyed for the report said they were aware of possible risk to patients from an insecure medical device, only 17% of manufacturers and 15% of healthcare operators said they were taking significant steps to prevent such attacks.
“The security of medical devices is truly a life-or-death issue for both device manufacturers and healthcare delivery organisations,” commented Dr Larry Ponemon, chairman and founder of the Ponemon Institute.
“According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”
UK fines for data protection breaches double
Breaches of UK data protection laws during 2016 attracted fines totalling £3,245,500 – almost double the figure for the previous year.
A study of Information Commissioner’s Office data by consultancy firm PwC also showed a large increase in enforcement notices, which are issued when organisations are required to take steps to ensure compliance after a data breach. Just nine such notices were issued in 2015, but the number climbed to 23 in 2016, a 155% increase.
Stewart Room, PwC’s global cyber security and data protection legal services leader, warned such figures may grow further with the impending introduction of the European Union General Data Protection Regulation (GDPR).
“The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year,” he argued.
US EPR firm fined $155m for providing misleading information on data protection
An EPR provider will have to pay the US government $155m to settle allegations it misrepresented the data protection capabilities of its software.
eClinicalWorks, which entered the UK market in 2015 through a large deal with Specsavers, is said to have used ‘cheatware’ to persuade the US Department of Health and Human Services that its product should be certified for use.
In a letter to the firm’s customers, eClinicalWorks’ chief executive Girish Navani said the company would also be bolstering its data protection compliance programme.