In Australia, the healthcare sector experienced an 84% increase in reported cyber incidents between 2019 and 2020, with 85 data breaches recorded in the first half of 2021 alone. The Australian Digital Health Agency (Digitalhealth.gov.au) recognises that the health sector is a prime target for cyber attack and has seen increased threat activity and more compromised systems being reported.
In the UK, the National Cyber Security Centre recently calculated that Health and Social Care is the fifth biggest sector attacked by cyber-criminals. Recent instances, such as the cyber attack on the University of Manchester which led to over one million NHS patients’ data being compromised, further prove the case for enhanced security measures.
Such attacks on businesses cause enormous disruption. But, in the case of care businesses, the consequences can be life-threatening. If a carer cannot access a service user’s data, the result can be missed medication or missed care provision, and it can rapidly escalate to a safeguarding situation. Particularly in the case of direct care information, where data privacy and security are so crucial, cyber attacks will likely always remain a risk.
It is essential that, as healthcare and health tech software providers, we continuously monitor, update, and improve our technology to ensure that a breach does not occur.
What security measures must be taken?
There are several measures home care agencies can take to avoid becoming victims of cyber attacks, and there are various security standards providers can adopt to provide reassurance that they are operating securely.
At CareLineLive, along with multiple internationally recognised security standards, we adhere to the NHS Data Security and Protection Toolkit, a self-assessment programme that is largely based on the ISO27001 standards and has special affordances for healthcare.
The Australian Digital Health Agency (Digitalhealth.gov.au) provides support and cyber security training to health and social care providers.
Sadly, many may dismiss these as only applying to technology companies. The truth is that cyber security incidents can occur at any step in the process, whether it’s a virus spread via email, sending sensitive information to the wrong individual, or someone managing to get physical access to your computer.
As general advice, good cyber security practices stem from a defensive way of thinking, posing questions such as: “Can this email be trusted?”; “Could my password be easily guessed if someone knows me?”; “Who else could use my computer?”.
Protecting client data
When it comes to ensuring that customers’ data is secure, CareLineLive has numerous measures in place.
CareLineLive encourages good security practices through the platform itself, such as data encryption both in transit and at-rest, multi-factor authentication, and a comprehensive role-based access control system to provide additional restrictions to the viewing and modification of data by authorised users.
We take on the responsibility of securing the platform for our customers, so they don’t have to worry about managing their servers or engaging with a third-party IT company to do it for them. We take care of firewalls, intrusion detection, and encryption, as well as protections and mitigations against many other common attack vectors.
Our databases also have point-in-time recovery enabled, which differs from conventional nightly backups. It allows us to restore to any point in time within the backup retention period. Backups must all be replicated to multiple locations, and secured by different credentials.
Our service has a failover mechanism, where if there’s an issue with the underlying server, we can switch to a stand-by instance that has a full copy of the data. To help in scanning for emerging threats, we employ proactive vulnerability testing, as well as periodic penetration testing.
And lastly, it’s crucial to have a plan. At CareLineLive, we have implemented a comprehensive disaster recovery plan which covers backups and restoration. This plan is regularly tested so that in the event of an issue, we can be confident in what actions to take to mitigate the fallout.
These measures we have implemented can minimise the impact of a data breach and ensure a swift recovery without compromising client data.