In his final 2020 column, Davey Winder explores the reliability of emails and why good security hygiene has never been more important.

I’m a journalist, which means I get sent press releases all the time. Some come with personal greetings and notes just for me, others are sent wholesale to a list of potentially interested parties using the ‘Blind Carbon Copy’ email function.

Sometimes mistakes are made and, instead of all recipients being hidden behind a single BCC address, the whole list goes in the CC field, which reveals every recipient’s email address to every other recipient. From both privacy and security perspectives this is obviously not good. Of course, I already know most of the journalists and, because of our profession, our email addresses are hardly secret, nor is the email content highly confidential. In other settings, like healthcare, things can be very different.

Powerful yet insecure

I mention this because email remains one of the most powerful communication tools we have, and at the same time very much one of the most insecure. Human error can wreak havoc on the best-laid privacy intentions, as NHS Highland discovered when it recently managed to send the personal data of both patients and staff to people who had no right to be seeing it.

It has been reported that the data of 284 diabetes patients was shared with a total of 31 people. It would appear that no medical history was included in the spreadsheet attachment that was shared, and you might think such a relatively small number of recipients makes this no big deal. But from small acorns do big oaks grow, as my late father used to remind me.

It was a lesson well taught, and the personal information shared here (dates of birth, hospital numbers, contact details) would be enough to build a plausible phishing lure aimed at those patients. But that’s beside the point: this kind of human-error process failure is far from uncommon, sad to say.

Statistics from the Information Commissioner’s Office (ICO) have revealed that of the 214 healthcare data incidents reported in the first quarter of 2020, 30% involved data being delivered to the wrong recipients or misuse of the BCC email function.
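Both failure modes in those ICO figures, a recipient list exposed in To/Cc that should have been BCC’d and a spreadsheet of personal data addressed outside the organisation, are mechanical enough that an outbound mail gateway or pre-send hook can catch them before the message leaves. The following is an added example written for this page, not code from the column or from any of the organisations it names; the home domain `example.nhs.uk`, the threshold of five visible external addresses and the sample message are all assumptions.

```python
"""Guardrail for two email failure modes: a recipient list exposed in To/Cc
that should have been Bcc'd, and a spreadsheet attachment leaving the
organisation. Added example, not from the column; the home domain, the
threshold and the sample message are assumptions."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, NamedTuple, Tuple

INTERNAL_DOMAINS = {"example.nhs.uk"}   # assumed home domain
MAX_VISIBLE_EXTERNAL = 5                 # assumed: more than this in To/Cc looks like a Bcc mistake
SPREADSHEET_TYPES = {
    "text/csv",
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}


class Verdict(NamedTuple):
    visible: int        # addresses every recipient can see (To + Cc)
    external: int       # of those, addresses outside INTERNAL_DOMAINS
    spreadsheets: int   # spreadsheet attachments found
    findings: Tuple[str, ...]


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses exposed to every recipient: To and Cc only.
    Bcc is stripped by the sending MTA, so it is deliberately ignored here."""
    addrs = []
    for name in ("To", "Cc"):
        for header in msg.get_all(name, []):
            addrs.extend(a.addr_spec.lower() for a in header.addresses)
    return addrs


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def check_message(raw: bytes) -> Verdict:
    """Parse a raw RFC 5322 message and report what a gateway should block or hold."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    visible = visible_recipients(msg)
    external = [a for a in visible if is_external(a)]
    sheets = [p for p in msg.iter_attachments()
              if p.get_content_type() in SPREADSHEET_TYPES]
    findings = []
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(
            f"{len(external)} external addresses visible in To/Cc; "
            "use Bcc or a list service")
    if sheets and external:
        findings.append(
            f"{len(sheets)} spreadsheet attachment(s) addressed to "
            f"{len(external)} external recipient(s); confirm recipients and content")
    return Verdict(len(visible), len(external), len(sheets), tuple(findings))


def build_sample() -> bytes:
    """Constructed sample: an internal sender CC's eight outsiders and attaches a CSV."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "comms@example.nhs.uk"
    m["To"] = "comms@example.nhs.uk"
    m["Cc"] = ", ".join(f"reporter{i}@paper{i}.example" for i in range(8))
    m["Subject"] = "Clinic update"
    m.set_content("Please see the attached list.")
    m.add_attachment("hospital_no,dob,phone\n", subtype="csv", filename="list.csv")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample()).findings:
        print("HOLD:", finding)
```

The same message with the eight addresses moved to Bcc produces no recipient finding, and with no external recipient at all the spreadsheet check stays quiet, so the hook only interrupts the two patterns described above rather than every bulk mailing. In a real deployment the thresholds and the list of home domains would come from policy rather than constants, and a held message would go to the sender for confirmation, not silently to the bin.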

What these kinds of email privacy incidents reveal, and I appreciate this is a drum I have banged many times, is the importance of an adequate security culture within organisations such as the NHS. I know, I know, easy for me to say while I sit in my home office and those working within the health service are struggling to cope with the pressures of a pandemic second wave.

Understanding responsibility

It’s also easy for me to understand how a culture of security awareness is hardly front and centre right now; I totally get that.

However, as Javvad Malik, a security awareness advocate at KnowBe4, puts it quite simply, “it’s an organisation’s responsibility to inform staff of the importance of cyber security and provide the tools, training, and processes needed to keep information secure”.

That responsibility does not go away when external pressures are exerted. This isn’t rocket science; it’s basic cybersecurity hygiene 101 stuff.

“No institution should be storing ultra-sensitive personal health information (PHI) or personally identifiable information (PII) in plain text in a spreadsheet,” says Martin Jartelius, CSO at Outpost24.

“While this event is being reported as a data breach, in reality it is nothing more than a critical clerical issue,” he adds.

A critical clerical issue that could have been much worse, and one that Paul Norris, a senior systems engineer at Tripwire, says “can never be completely eliminated.”

The opportunity for human error

Which makes it all the more imperative that processes are in place to mitigate the opportunity for human error.

“Having adequate security measures is a must for protecting data,” Norris says, adding that “ensuring that each individual within the workforce has only the access necessary to do their job can help reduce the risk of a data leak occurring in this manner”.

That might not have stopped this particular incident, but it’s sound security sense.

Multiple layers of security, access limited to the data a role actually needs, and ongoing awareness training to sustain a security culture must all be in place, all the time. That remains true even when a pandemic puts unprecedented pressure on the healthcare industry.