How do we ensure robust health data security?
Health data needs to be recognised as a highly important asset and its security should be a top priority. Its value is immense. Structured and high-quality health data improves understanding of the diseases, enables faster detection and diagnoses, provides foundations for decision support in treating diseases, it is a basis for population health management and personalised medicine, to name just a few examples.
Health data also has a high financial value. According to EY, “the 55 million patient records held by the NHS today may have an indicative market value of several billion GBP to a commercial organisation. We also estimate that the value of the curated NHS dataset could be as much as 5 billion GBP per annum and deliver around 4.6 billion GBP of benefit to patients per annum, in potential operational savings for the NHS, enhanced patient outcomes and generation of wider economic benefits to the UK.”
Due to the above, the health data is often targeted by unauthorised groups and those looking to profit from its value illegally. Some of the highest health data risks regarding unauthorised access include:
- Ransomware attacks, which are the most pressing cybersecurity threats in the past few years. According to the 2019 Verizon Data Breach Investigation Report, “ransomware incidents were over 70% of all malware outbreaks in this vertical”. Small hospitals and healthcare centres are most often targeted because they have limited budget and resources for security. 
- Data theft by gaining physical access to the data storage system. IBM estimated the cost of health data breaches in the UK only was close to 3 million GBP last year. 
- Unauthorised data access via phishing attacks. To prevent these attacks, the health and care organisations must both train their staff in basic cybersecurity measures and identify warning signs of a potential attack.
Our security measures
Better Platform provides several features and measures that enable clients and partners to establish the highest possible security for their patients’ data. The Platform has a central clinical data repository meaning the data is stored in one place so that the security and access to it can be managed centrally.
In cloud-hosted solutions, Better utilises the best-of-breed cloud solutions to enhance data security, such as:
- SIEM (Security Information Event Management)
- Security centre
- End-to-end encryption
- Network segmentation
- Regular backups to a cloud location in another region
ISO 27001 standard: Better is fully compliant with the ISO 27001 standard: Information security management. We follow the standard’s requirements for establishing, implementing, maintaining, and continually improving the information security management system (ISMS) with the aim to make the information assets more secure.
UK NHS Digital Data Security and Protection Toolkit: Better is regularly performing assessments to measure our performance against the UK National Data Guardian’s 10 data security standards. Additionally, Better follows the NHS Health and social care cloud security – a good practice guide to ensure we are up to date with the data security measures. Better adheres to these requirements not only from the technical aspects but also within our internal work processes (for instance the Bring your own device policy). We follow the necessary requirements in all markets.
Role-based access control (RBAC) and attribute-based access controls (ABAC): with these features, Better solutions provide access to data in a controlled and clearly defined manner according to the organisation’s policies.
- RBAC defines access to certain application or data or allows certain actions according to a specific role of a user. For instance, only a doctor authorised for medicine prescription can prescribe medicines.
- ABAC further defines the access to data or actions according to the organisation’s policy. For instance, doctors can only prescribe medicines or access the data of patients who are at a specific hospital ward.
Audit trail: our solutions provide a complete audit trail for each user – all access and actions are tracked and securely stored to a separate server and can be reviewed.
Security measures in development processes: Better follows additional measures and policies that increase the security of our solutions:
- In the development phase, all code is assessed for security risks which are immediately mitigated.
- Code-reviews: senior developers assess all solutions prior to the production phase.
- Penetration testing is regularly performed with an external vendor to ensure further security improvements.
- Internal protocols for security fixes of live solutions
1: Chris Wayman, PhD and Natasha Hunerlach, CFA, CFE, MRICS: Realising the value of health care data: a framework for the future, EY, 2019, accessed 26 April at: https://www.ey.com/en_gl/life-sciences/how-we-can-place-a-value-on-health-care-data
2: Verizon: 2019 Data Breach Investigations Report, accessed 25 May at: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
3: RISKIQ I3 INTELLIGENCE BRIEF: Ransomware in Health Sector 2020, Accessed 25 May at: https://www.riskiq.com/wp-content/uploads/2020/04/Ransomware-in-Health-Sector-Intelligence-Brief-RiskIQ.pdf
4: IBM Security Cost of a Data Breach Report 2020, accessed 25 May at: https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/