With the 2nd anniversary of the General Data Protection Regulation (GDPR) – Europe’s flagship regulatory data standard – having just passed, now is the perfect time to reflect on its full calendar year of operation in 2019. Ostensibly, it was a year of big fines and bruised egos as regulators ramped up enforcement, but beneath the surface there was a greater and, arguably more important, transformation.
Across the UK, businesses have been creating and embedding the responsible data protection practices which were first mandated on 25th May 2018, such as appointing a record number of Data Protection Officers. These efforts are now being accelerated due to the COVID-19 pandemic and the explosion in the amount of data being handled as work and life increasingly moves online. In the UK, nearly half (51%) of workers are working from home when they wouldn’t ordinarily.
GDPR has led to vast changes in attitudes on data security – with increasing awareness of the importance of protecting personal data at an organisational level and with individual consumers. For the first time ever, the general public is actively exercising their rights in cases of malpractice.
Coupled with the introduction of mandatory breach reporting, it is not surprising that the number of breaches reported to the UK regulator, the Information Commissioner’s Office (ICO), increased. Between 25 May 2018 to 1 May 2019, for example, there were 14,000 breaches reported, an increase of nearly 425% from 3,300 over a similar period between 2017/18. Encouragingly, in 82% of these cases no further action – for example, further audits, mandated improvement action plans, or civil financial penalties – was required. This suggests breaches are being proactively and systematically reported.
This is supported by the fact that, according to the UK’s Department for Digital, Culture, Media & Sport (DCMS), 80% of businesses say cybersecurity is a high priority for senior management and board directors. Simply put, it appears that organisations are taking their data protection obligations seriously.
To ensure organisations continue to remain well-informed and motivated, this report addendum reviewed the data available from UK regulatory bodies to highlight trends in consumer data breaches through 2019. Armed with this information and a robust Identity and Access Management system which facilitates and manages secure access to the connected world, organisations can be assured that their data is appropriately secured.
UK healthcare sector at risk, phishing attacks rampant
While the financial services and education sectors were common UK targets, our annual snapshot of data breaches – the Consumer Identity Breach Report – concluded that the healthcare sector was most at risk for data breaches in 2019, comprising over 50% of total breaches. According to the DCMS and ICO, phishing was the most common method of attack.
There has been a gold rush recently to unlock the value of health records – and clearly, as our report has found, that applies to both legitimate actors in the health-tech ecosystem and cybercriminals. It’s vital that patients can trust that their sensitive data is being shared securely and only accessed by authorised parties in the healthcare ecosystem. As the sector undergoes sweeping digital transformation, it must remain vigilant to the increased threat level.
The main reason for this is fairly simple – personal health information (PHI) is very valuable. Compared to personally identifiable information (PII), personal health information can be extremely lucrative for malicious actors, selling for six times more. The NHS alone has access to 55 million high-quality primary care and 23 million specialist care records, with an annual value estimated at £9.6bn by Ernst & Young.
It’s information about your body, your DNA, where you live, your date of birth, hospital treatments, prescriptions, and patient numbers. Second, people often don’t even notice health record theft for years. And third, when they do, it’s all but impossible to change those details.
In terms of securing information, healthcare presents unique challenges due to the extent of sensitive data being shared in the complex and multi-partner clinical process. Medical facilities are often public, meaning devices are susceptible to physical tampering. And third-party risk arises from the long chain of medical partners, including labs, specialists and doctors’ surgeries. Each represents a vector for malicious attack.
However, more common than a technical entry point is the risk of humans being exploited (or themselves exploiting systems from the inside). Most commonly, cybercriminals use targeted phishing attacks on professionals in the healthcare sector to gain access to legitimate credentials or to plant malware. Last year, the NHS said that its systems blocked nearly 12,000 phishing attacks a day.
How can you protect your business from emboldened cybercriminals?
Nearly 46% of UK businesses experienced a data breach in 2019 – and as our wider report demonstrates, the frequency and sophistication is only increasing year to year. The debate about the value of data breach defences is over.
All UK organisations must, at a minimum, implement baseline measures. This can include anything from hiring security and compliance teams, to frequent software patching to eliminate vulnerabilities, or adopting a zero-trust approach to all activity to ensure every user is verified and they are who they say they are – the ever-present threat of phishing makes this all the more important. Additionally, organisations must consider modern, intelligent authentication methods that move beyond simple username and password and provide real-time, contextual and signals based controls to protect and secure access to confidential data.
The COVID-19 pandemic has not deterred cybercriminals – if anything, our analysis suggests that healthcare organisations face a greater threat now than at any other point in the previous 12 months.
The ICO also has a role to play in data breach prevention. While the organisation has used education and enforcement to reduce data breaches over the last year, there is still a lack of granular data available to the public and industry to help them research and understand this problem. The ICO only released the last set of quarterly data for 2019 data breaches at the end of May. In future, this data must be made freely and widely available in a more timely manner.
By Nick Caley, Vice President, United Kingdom & Ireland, ForgeRock.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.