A recent review by the National Cyber Security Centre (NCSC), part of GCHQ (Government Communications Headquarters), has revealed an increase in the number of incidents handled by the NCSC compared to the three preceding years, particularly in the healthcare sector. Perhaps more alarmingly, earlier in 2020 the NCSC reported that Russian hackers – believed to be part of Russian intelligence services – were targeting healthcare companies involved in the development of a coronavirus vaccine. At the same time, the COVID-19 pandemic has seen a marked increase in cyber-attacks, as criminals exploit security vulnerabilities exacerbated by remote working. Hackers have also taken advantage of the pandemic as a ready cover story for phishing attacks, for instance by sending emails purportedly concerning coronavirus which in fact contain malware.
Healthcare businesses should recognise the increased risk of cyber-attacks as a result of the pandemic generally, and that attacks may be particularly problematic for this sector. Companies that are established in the European Union (EU) are subject to the General Data Protection Regulation (GDPR). It also applies to healthcare businesses that are established outside the Union but which offer their products and services to citizens in the EU. The GDPR imposes a set of standards on organisations that handle 'personal data', that is, information by which a living individual may be identified. However, 'special categories of personal data', which include information about individuals' health, are treated as a special case and are subject to more stringent requirements still.
The GDPR is enforced by data protection authorities such as the Information Commissioner's Office (ICO) in the UK. It grants data protection authorities a broad range of powers including the ability to investigate breaches of the law and to levy substantial fines. The ICO expects a higher standard of care from businesses that handle special categories of personal data. Those that fail to meet the requirements face a greater risk of enforcement action. Healthcare providers typically hold a substantial volume of personal data relating to the health of patients and clinical trial participants. Accordingly, they generally present a higher risk profile than businesses in other sectors.
In addition to the risk of enforcement action from the ICO, businesses that operate in the healthcare sector potentially risk group litigation (or 'class action') claims from affected data subjects if they fail to keep personal data secure. Developments in English common law, particularly over the last five years, have given rise to the emergence of a new tort (or 'civil wrong') described as the misuse of private information. This enables individuals to claim compensation for damage or pure distress (i.e. where there is no financial loss) where their personal data has been misused.
An example is the British Airways (BA) cyber-attack in September 2018, which resulted in the personal data of over 400,000 customers being compromised by hackers. In its investigation, the ICO found that BA had failed to implement sufficient security measures to protect its customers' personal data. The ICO announced its intention to fine BA £183 million, which it subsequently reduced to £20 million in light of the airline's dire financial position as a result of COVID-19. However, BA's woes did not end there. Since the breach, numerous websites have sprung up, operated by firms offering to pursue compensation claims on behalf of affected BA customers on a 'no win, no fee' basis. Some of the sites suggested that affected individuals could claim between £2,000 and £5,000. Clearly, if a significant number of affected individuals made such a claim, the total sum could be enormous.
Data breach compensation claims are not limited to the BA incident alone. An internet search for 'data breach claim' reveals an emerging industry of firms clamouring to assist affected customers in claiming compensation from companies that have been hacked. The incidents giving rise to potential claims include well-publicised attacks such as those on EasyJet, Ticketmaster and Dixons, as well as lesser-known breaches involving operators in the healthcare sector. Risk managers must recognise that this is more than a theoretical risk; it is already happening.
Practical steps to help prevent an attack
Businesses that fail to adequately protect personal data risk enforcement action by the ICO and group litigation claims for compensation from affected individuals. The likelihood of an attack has increased as a result of the pandemic and the sector-specific risks mean that the consequences of an attack on a healthcare business are likely to be more serious.
In light of the risk, how can healthcare professionals and business leaders in the healthcare sector protect themselves?
First and foremost, business leaders should revisit the steps they have taken to comply with data protection law. Many will have carried out a 'GDPR readiness' project in preparation for the new law taking effect in May 2018. Now would be a timely moment to revisit the compliance measures that were implemented, to check that they are working properly and to address any gaps that may become apparent. For instance, multinational businesses that share personal data between Europe and the US are likely to have been affected by the European Court of Justice's (CJEU) landmark decision in July. The CJEU struck down the Privacy Shield, a widely used mechanism that enabled the transfer of personal data from Europe to the US.
Companies should also consider their data breach log, which is mandated by the GDPR and records personal data breaches, including those that were deemed not to warrant notification to the ICO. Counterintuitively, a data breach log that includes a large number of 'near misses' reflects a healthy degree of data protection awareness, since it shows that potential data breaches are being recognised and escalated. Conversely, a data breach log with no entries (or absent altogether) suggests the opposite.
The GDPR requires that businesses maintain a 'Record of Processing Activities' (or ROPA), which records the personal data they handle. For those whose ROPA has not seen the light of day since it was created in May 2018, a revisit would be timely. Clearly an organisation that cannot accurately identify the personal data that it holds will struggle to protect it.
A key requirement of the GDPR is that organisations must implement appropriate technical and organisational security measures to protect the personal data they hold. Security measures must be proportionate to the risk, so healthcare businesses that hold a large volume of health data will be expected to conform to a higher standard. It is essential that organisations which handle sensitive information carry out regular security reviews, including penetration testing. The security review should be carried out by a reputable third party, and remedial steps that come to light should be implemented promptly. IT security teams should be aware that the security breaches that result in large fines often stem from simple failings that could have been easily remedied.
As part of their data protection and cyber security defences, healthcare businesses should have an effective incident response plan in place. This should set out how the company will respond if the worst does happen and it suffers an attack. The plan should designate a response team to manage incidents, which should include internal staff such as the data protection officer and the IT security and legal teams. The response team should also include external advisers such as lawyers, forensic IT specialists and PR consultants to deal with internal and external messaging. It is an unfortunate fact that in the current climate, many healthcare businesses' security measures and incident response plans will see active service.
James Castro-Edwards is head of ProDPO, an outsourced data protection service at law firm Wedlake Bell