As we approach the end of 2019, our columnist, Davey Winder, looks back at the last year and explores whether anything has changed with regard to cybersecurity in healthcare.

As we approach the end of not only another year, but another decade, there are still way too many outstanding “old” issues related to cybersecurity and privacy in the health sector for my liking. Some of these I really would have expected to have become extinct by now, like the small problem of ad-tracking when it comes to online health services.

Earlier this month an investigation by the Financial Times, of all unlikely publications, uncovered the true extent to which some of the most popular health websites in the UK have been sharing sensitive medical data.

The reporters found that everything from symptoms and diagnoses, to prescribed drugs and even menstrual information were fair game for data-sharing. A total of 100 of the top health websites were analysed, and the report reckons 79% were installing cookies without the legal consent required in the UK.

Calling Dr Internet

Of course, Dr Internet hasn’t sworn any Hippocratic oath so doesn’t really care that patients can be tracked by, and their sensitive data shared with, advertising agencies and technology firms. The General Data Protection Regulation (GDPR) cares, and is meant to prevent health data being shared without explicit consent.

Unfortunately, the FT investigation would appear to suggest that the GDPR is failing to bite hard enough when it comes to health-related websites. The tech companies receiving the data issued statements denying any culpability.

Explanations ranged from “not wanting” websites to share such information with us, having “strict policies” that prevent such data from being used to target advertising, right through to it being the responsibility of the health websites to manage user consent and the data that gets sent on.

The health site responses ranged from saying that they only collected or shared data “to the extent disclosed in our privacy policy” to insisting that advertising cookies are set so “no personal data about visitors” is “passed on to third parties” or that “we don’t sell data and we don’t share sensitive personal data.”

Calling out advertisers

However, as the FT reported, the Information Commissioner’s Office (ICO) is already looking to the online advertising industry to clean up its act in this regard, and these new revelations are unlikely to have eased its concerns. The NHS, it would seem, has got this right and is “an exception in the universe of ad tracking” according to the FT.

David Emm, Principal Security Researcher at Kaspersky, reminds us that the reality is that “consumers have no control over what a company does with any data that they choose to share on a company’s site – in this context, searches they make for health information – or who they choose to share the data with”.

Unless the ICO start sharpening their teeth when it comes to GDPR implementation and interpretation, I can’t see that changing.

Protecting health data

It’s not just the advertisers you have to worry about either; cybercriminals would like to get hold of your health data as well.

According to security vendor Malwarebytes, healthcare is the seventh most targeted industry when it comes to cybercrime, and threat detections from healthcare organisations increased by 60% from 2018; and that’s just for the first three quarters of 2019 compared to the whole of 2018.

While that Malwarebytes statistic is going to be skewed by the nature of healthcare provision in the United States, it doesn’t make it any less relevant to the UK in my never humble opinion.

With certain malware variations being known to target healthcare with ransomware payloads quite late in the attack chain, the dual problems of underfunding and legacy equipment come to the fore.

“We should be arming healthcare now with extensive security measures,” Adam Kujawa, Director of Malwarebytes Labs, says. “Because this pattern suggests that ransomware is looking to penetrate healthcare organisations from several different angles.”

Why is ransomware still in the scene?

Ransomware is one of the things that really gets my cybersecurity goat though. Or, more accurately, *why* is ransomware still a thing for healthcare as we fast approach 2020?

WannaCry was meant to be a wake-up call, and there can be no doubt that important lessons have been learned from the chaos of 2017. Putting those lessons into practice is a different matter, of course, and while the NHS is moving ever onwards and upwards there remain those legacy kit, zombie operating system and funding-at-the-coal-face issues I’ve covered month after month in these pages.

Seriously, when ransomware is shutting down hospitals in France and municipalities in the US, right now, there remains a need to take this “old threat” with more than just a pinch of analyst report salt.

Embedding cybersecurity into the culture of healthcare

My friend, and security awareness advocate at KnowBe4, Javvad Malik, sums the situation up better than I could: “Until we see cybersecurity being embedded into the culture of healthcare organisations in the same way that we try to combat the spread of germs with constant reminders and availability of anti-bacterial hand wash, we will continue to see breaches occur.”

I just hope against hope that I’m not writing this same column in 12 months’ time.