More health data, more risk

Every aspect of the modern healthcare industry is fuelled by data and much of it is personal data. From clinical trials to patient assessment and trend spotting, the collection of good quality data is crucial to delivering better health outcomes. The more data on any individual test subject or patient, the more variables that can be controlled for and the safer drugs, treatments and interventions can be.

With the availability of cheap and reliable patient monitoring equipment, medical professionals can gather ever greater and more accurate information about individual patients and test subjects. With greater connectedness and access to cloud-based data storage and processing systems, healthcare organisations can analyse more information on more individuals than ever before. Across the healthcare sector, decisions have never been better informed. But alongside the opportunities presented by data, serious vulnerabilities are increasingly visible.

Health data is, of course subject to special protections. In the EU and UK, the GDPR and UK GDPR respectively give it “special category” status.  This means that aside from the need to demonstrate a legal basis for processing such data (as is the case for all personal data), data controllers need to have identified a special condition to permit the processing. In the US the HIPPA regime places specific obligations on the handling of medical data which cover similar but not identical ground to those of the (UK) GDPR.

We are seeing more and more countries creating their own frameworks for regulating the processing of personal data, many of which afford special protections to healthcare data. Although most of these privacy regimes are broadly aligned in general terms, the specific expectations around technical and legal measures that data controllers are required to take are bound to differ. This means that the benefits of large international datasets and global healthcare provision are, to some degree, offset by the challenge of meeting the regulatory requirements across multiple jurisdictions.

Points of vulnerability – third parties, human error and state actors

Probably the greatest cause of data loss and compromise remains human error. Failure to follow protocols and the taking of shortcuts can leave personal data exposed or lead to a loss of access. It is important to remember that even if a third party does not access or exfiltrate personal data, if the data controller (or their processor) loses access to it the consequences can be disastrous. A loss of access to patient records, for example, could have a huge impact on patient safety and wellbeing.

In many cases the route of attack will be malware, software designed to cause damage or gain access to a computer, server, client, or network including viruses, worms, trojans, spyware, and rootkits. Ransomware is an increasingly common form of malware which infiltrates systems, locking down files and networks through encryption, and locking out authorised users until a ransom is paid, usually in Bitcoin or another cryptocurrency. A healthcare company that loses access to patient data may feel that it has no choice but to pay up.

Malware is not the only risk though and healthcare organisations need to be aware of the rise of Distributed Denial of Service (DDoS) attacks in the sector. These often (though not always) use malware, to attack a server, service or network and overwhelm the target or its surrounding infrastructure with a flood of internet traffic, meaning that legitimate users are denied access. These sorts of attacks can resemble ordinary spikes in traffic and so can be difficult to spot and address early on.

Given the value of health data, which often includes valuable intellectual property as well as personal data, the most challenging threat in the pharmaceutical space arises from state-sponsored (or supported) hackers seeking to circumvent intellectual property rights to gain access to valuable test and trial data. The COVID-19 pandemic greatly exacerbated this threat and in 2020, it was widely reported in the UK, US and Canada that State-sponsored hackers from China, Russia, Iran and North Korea were attempting to breach security controls to gain access to vaccine development data.

With the growth of quantum computing, even the strictest security measures used to protect the most sensitive and valuable data may soon cease to be effective. Advanced encryption methods may soon be compromised by threat actors with sufficient computing power, so the race is on to develop even more robust techniques to avoid, or at least delay this looming threat (see our article on quantum computing and the future of encryption).

Many smaller healthcare sector companies may feel that the threats posed by state-sponsored hackers and malware/DDoS attacks are unlikely to affect them, but cybersecurity provisions are essential for healthcare related businesses of all sizes. Small and medium sized businesses may be at greater risk of ransomware attacks because the threat actors may have assumed a lower investment in security infrastructure.  This means even a temporary lack of access to data may be harder for a growing organisation to withstand. Many hackers will attack multiple small organisations in the hope of extorting easy money, rather than targeting large organisations with access to the best security and countermeasures.

It is essential to remember that the loss or compromise of even a small volume of health data can have devastating effects on the individuals whose data is affected. If the harm is great enough, or if the cause of a breach indicates a systematic failure capable of repetition, a regulatory authority may still impose a significant penalty for a one-off incident or one impacting only one person, and the affected individual/s may have strong grounds to bring a civil claim.

Proxy data

A mistake made by many healthcare companies is to apply strict controls to patient or test subject health records but to overlook the risk of proxy data. Proxy data is information which, while not technically special category data, could lead to inferences about a data subject that effectively amount to the same thing.

The risk posed by proxy data will depend on the circumstances.  For example, if a small pharmacy has a general mailing list and sends out a general marketing email to everyone on that list accidentally Cc-ing all recipients, there will be a data breach, but the fact that individuals were on the mailing list is unlikely to amount to special category data. However, if a sexual health clinic makes the same error the outcome is much more serious. The email recipients might not have been on the mailing list because they had received treatment at the clinic, but anyone accessing the list might assume that they had, so the risk to individuals on the list is much greater.

The use of contact details for marketing (whether advertising medical treatment, clinical trials or elective procedures) poses a high risk and this sort of processing must always be subject to risk assessment procedures such as a Data Privacy Impact Assessment (DPIA).

Moving and securing healthcare data

Some jurisdictions closely restrict international transfers of personal data.  While the UK and EU regimes do not distinguish between special category and other personal data in this regard, the level of risk in transferring data to jurisdictions that are not considered safe (including the US), is increased when data falls into a special category because the potential harm to individuals is so much greater.

Following multiple rounds of litigation across Europe, sending data (including health data) to countries outside of the UK/EEA, which do not have an adequacy finding from the European Commission, is becoming ever harder to manage legally, even though cloud-based storage of data means that transfers have never been technically easier.

Of course the best solution is to avoid sending personal data at all by anonymising the information prior to use. In some circumstances this may be possible, however, in many cases identifiers are necessary for the processing purpose and cannot be removed. In such cases it may be possible to pseudonymise data (removing some but not all identifiers) and reduce the risk in processing it, but the information remains personal data and must always be treated as such.

Once a legal data transfer mechanism has been identified where required (see here for more), both the sender and recipient of health data will have to ensure they are meeting the technical and organisational security measures necessary to keep the data secure at rest and in transit. Some of these measures will be highly technical eg specified encryption and hashing levels; some will be technical but standard eg password strength and access controls; and some will be more practical eg training requirements and frequency, physical restrictions on server sites and data access points.

Security in times of change and emergency

For any organisation handling health data there is a growing tension between the possibiities offered by technology and the risks associated with allowing personal data to become vulnerable to human error or human malevolence.

The growing use of digital diagnostic tools and connected devices (as we discuss here) means that more and more data is being collected directly from patients, introducing a new point of vulnerability. Health professionals are increasingly able to offer diagnostic services and even treatment remotely, but this often means that they are delivering care via devices designed for ease of use over security.

The response to this challenge is often the creation of strong but complex security systems. Caution is needed here too because we know that a significant cause of human error is individuals circumventing poorly designed or burdensome security requirements. This is especially the case in times of emergency, as we've seen during the COVID-19 pandemic when many organisations that were not used to processing health data found themselves needing or required to do so. Privacy professionals the world over found themselves having to reiterate that protections for health data did not lessen as a result of the pandemic.

While it is tempting to treat failures to protect data or employee attempts to circumvent security measures as a disciplinary matter, outcomes will be better if training is effective and regular, and if security measures are clear and easy to adhere to. Compliance should be the path of least resistance; designing the processes around access to health data with the user of the system or device in mind will do as much to ensure the security of that data as any level of encryption can offer. This requires investment but also intuition. Organisations handling health data need to take stock of their vulnerabilities and make evidence-based decisions, clearly documented, on how best to invest resource to ensure the security of their data and the trust of data subjects.