Cyber security news round-up
- 7 December 2018
This month’s round-up includes a cyber-attack on US healthcare provider Atrium Health and a report from the ICO that details how a GP surgery secretary was fired and fined for reading colleagues’ medical records.
Atrium Health cyber-attack hits 2.65m patients
The records of some 2.65m US patients have been exposed following a data breach at Atrium Health.
Patient data was compromised after hackers launched an attack on AccuDoc, the US healthcare firm’s billing vendor, in September.
This included personal information provided by patients when paying for health services, Atrium Health said in an announcement.
While patient data was exposed, no patient data is believed to have been stolen by the hackers.
Atrium said that AccuDoc “immediately terminated the unauthorised access” after being made aware of the breach, thought to have taken place between 22 and 29 September.
It added that the billing provider also “took steps to secure its affected databases and enhance its security controls.”
Cultural shift needed to keep trust in patient data use by health technology
A “radical cultural shift” is needed to keep trust in patient data use by health technology, a report from the Academy of Medical Sciences has concluded.
The report proposes 12 principles that should be adopted by the NHS, medical technology developers and regulators, to help patients benefit from digital information while safeguarding their data.
The principles, compiled by a ‘steering group’ comprised of 12 health, science, tech and legal experts, are founded on five core themes, including respecting and protecting the privacy, rights and choices of patients and the public, and “maintaining trustworthiness in the responsible and effective stewardship of patient data within the NHS.”
Professor Lionel Tarassenko, head of the department of engineering science at the University of Oxford, said: “Technology will only evolve and get more sophisticated to have a bigger impact on healthcare in the NHS in the next ten years.
“If we are going to reap the benefits of these advances, we must act now. We need to see a widespread increase in digital health literacy throughout the NHS, with the full involvement of patients and the public.
“We also need to think carefully how we regulate and evaluate digital health products, especially when they include artificial intelligence, so that healthcare professionals and patients know that they are safe and reliable and improve patient outcomes.”
Healthcare providers worse than hackers at exposing patient data
Healthcare providers are worse than hackers when it comes to exposing personal health information, new research has found.
A study from Michigan State University and Johns Hopkins University discovered that providers of health and medical services were responsible for more than half of data breaches over a seven-year period.
The research was based on findings from nearly 1,800 “large-scale” incidents at US hospitals between October 2009 and December 2017 that affected more than 164 million patients.
The researchers found that 53 percent of all breaches were the result of internal issues and not external players.
The findings have been published in JAMA Internal Medicine.
Xuefeng Jiang, author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business, said in an MSU blog post: “There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence.
“One quarter of all the cases were caused by unauthorised access or disclosure – more than twice the amount that were caused by external hackers.
“Hospitals, doctors’ offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk.”
Nosy secretary gets £350 slap on wrist for peeking at patient records
A former trainee secretary at a GP surgery has been fined £350 after nosing around in the records of 231 patients over a two-year period.
Hannah Pepper was employed at the Fakenham Medical Practice in Norfolk in August 2015 and her duties included lawfully accessing medical records to assist doctors, solicitors and insurance companies.
However, despite being trained in the legal and ethical requirements for patient confidentiality, the practice discovered in October 2017 that she also had illegally accessed 231 patient records – including those of colleagues and their families, her relatives, friends and acquaintances – with no valid reason.
Ms Pepper was fined £350 and was also ordered to pay costs of £643.75 and a victim surcharge of £35.
Mike Shaw, the ICO’s criminal investigation group manager, said: “People whose job allows them access to confidential and often sensitive information have been placed in a position of trust, and with that trust comes added responsibility.
“Data protection law exists for a reason and curiosity or boredom is no excuse for failing to respect people’s legal right to privacy. Just because you can do something, that doesn’t mean you should.”