Abstract

Network-connected devices and data are vulnerable to attack, exploitation, and unintended loss. The alleged harvesting of profiles from 50 million people by Cambridge Analytica through friend networks on Facebook is the most recent and egregious example. In May, 2017, the WannaCry ransomware that infected more than 200 000 computers across 100 countries also infiltrated a third of National Health Service trusts, and brought some services to a standstill. Yet, despite agreement on the need for better cyber hygiene (risk management and online health), there is no consensus on what form it should take. The Royal Academy of Engineering's report Cyber Safety and Resilience, published on March 14, offers guidance. Health systems are vulnerable to cyber attack for several reasons. They contain many interconnected devices, from hospital-based equipment to patients in the community with implantable sensors; they lack standards for security in the products used; and cybersecurity is unlikely to be a priority when purchasing equipment. Furthermore, system failures have profound consequences for patients, both in clinical outcomes and the breach of personal data. The Academy recommends that organisations assess where vulnerabilities lie, identify risks, create an auditable plan to control them, and educate staff in cyber hygiene. Policy makers, to whom the report is directed, are urged to harmonise international standards for security in devices by using regulations that encourage, rather than stifle, innovation. Two upcoming European Union directives focus on security. The Security of Network and Information Systems Directive, which sets out requirements for crucial national services, including health, becomes law on May 9. On May 25, the General Data Protection Regulation will strengthen penalties for misuse of personal data. Soon, devices might be assessed as much on their cybersecurity as on performance in randomised trials. Patient wellbeing and protection depend on both. 
Likewise, just as Ignaz Semmelweis showed the benefit to patients of hand hygiene, so cyber hygiene should now be fundamental to good clinical practice. It is time to apply the dictum of primum non nocere to the digital age.
