Richard Hough advises on the best digital defence when it comes to patient data protection
The cyber attack on the NHS computer system earlier this year, in which hackers spread ransomware called WannaCry, created havoc for healthcare professionals and patients alike. Hospitals and GP surgeries were among numerous health service organisations hit by the ransomware attack. It also affected an estimated 200,000 computer systems of other organisations in 150 countries around the world.
Those hospitals and doctors’ surgeries whose computer systems were affected were forced to turn patients away, putting yet further strain on pharmacy resources. The ransomware, which scrambled data on computers and locked out users, demanded payments of between $300 and $600 in order to restore access. It was only due to the actions of Marcus Hutchins, a 22-year-old self-taught programmer from Devon, that the ransomware attack was prevented from creating further havoc by triggering a “kill switch”.
So what is ransomware and what is its relevance to an increasingly digitally-reliant pharmacy profession? Ransomware is a type of malicious software (malware) that is frequently delivered via emails which trick the recipient into opening attachments and releasing the malware onto their computer system, a technique known as phishing. Once the recipient’s computer has been infected, the ransomware encrypts the files in a way that prevents access to them. It then demands payment in order to regain access. Because malware is spread by faceless criminals, there is no guarantee that, even after payment, access to your files will be restored.
So how did WannaCry wreak its havoc? It did so by exploiting a vulnerability in the Microsoft Windows operating system for which Microsoft had released a patch in March. However, not every computer user is diligent in installing regular updates and patches on their computers when prompted to do so, which means that the system can remain needlessly vulnerable to a potential malware attack. Such complacency plays right into the hands of hackers, allowing them access to the computer system to spread their chaos.
It is possible to remove malware from a computer with advanced anti-virus software or by putting the computer into safe mode and manually removing the infected files. However, as anyone who has previously suffered a catastrophic computer meltdown at the hands of a virus or other malware will testify, with computers, as in healthcare, prevention is often better than cure.
Cyber security measures
In light of this recent malware attack, it may be worth revisiting a report published earlier this year by the Information Commissioner’s Office (ICO), which among other things oversees the protection of personal data and the promotion of cyber security. This report related to its findings from its work relating to community pharmacies. It sought to promote good data protection practices and guidance for the community pharmacy sector.
The report noted encouragingly that, while there was a wide variation across individual pharmacy organisations, “generally staff and organisations have a good awareness of the requirement to keep personal data safe and confidential and are motivated to do so”.
The study sets out the areas where community pharmacies are doing well, as well as highlighting the common problems and areas for improvement, and includes further guidance and advice to help community pharmacies improve their information governance and data protection practices.
With the expansion of services being offered within community pharmacy, and the recognition that pharmacies and their staff process a “significant amount of highly sensitive personal data”, getting data protection practices right is of paramount importance. Failure to do so can lead to serious consequences, ranging from an ICO investigation and heavy fines to reputational damage and serious loss of business.
One of the main observations was that it was “rare for an organisation to be consistently successful” in all the areas of data processing. Ongoing training was identified as one of the hardest to achieve successfully in smaller businesses where resources may be more limited, but was highlighted as a key area of focus to ensure staff maintain good cyber security and data protection practice.
The report made a number of recommendations for improvement, which if implemented will ensure good data protection practice within pharmacy businesses and minimise the risk of them suffering a cyber attack:
• Ensure that all computers that process sensitive personal data, and are connected to a network, are upgraded to a supported operating system.
• Ensure no networked computers are unprotected from cyber attacks or malware.
• Implement a mechanism for “safe haven” procedures to maximise the secure use of fax machines where there are no other alternatives and their use remains necessary.
• Roll out the use of individual user logons for all systems that contain patient identifiable data to enable a full audit trail of view and change events to a patient’s record.
• NHS Smart Cards should only be used by the registered holder.
• Policies and procedures need to be in place to:
o control the removal of personal data from the pharmacy
o monitor staff for compliance with standards
o identify which records are to be retained and destroyed securely
o ensure compliance with marketing consent legislation and the relevant record keeping required.
Richard Hough is partner, pharmacists, and head of healthcare at Brabners LLP. Contact him on 0151 600 3302 or email firstname.lastname@example.org