Cape Argus E-dition

Hacks on valuable personal health data see global increase

ANDREW BROWN

PATIENT information may well be the most valuable type of personal data, containing information that is harder to change than a credit card and which can be used to make fake medical claims or purchase medications.

A patient’s health information is worth six to 10 times as much as credit card information on the black market. Global identity leader ForgeRock’s 2021 Identity Breach Report recorded an increase in the number of health-care records breached in the first quarter of 2020 versus the first quarter of 2019, and an unprecedented 450 percent surge in breaches containing usernames and passwords globally.

The report also found that unauthorised access was the leading cause of breaches for the third consecutive year, rising year-over-year for the past two years and accounting for 43 percent of all breaches in 2020.

Recent studies have shown that the focus of data theft has shifted from financial data to health-care data, as this type of information attracts a higher monetary value on the black market.

Organisations, especially in the health-care and financial sectors, are recognising the true value of encrypting data, not only at rest but also in motion (that is, in transit between systems).

It’s especially important to encrypt data in light of the fact that, on July 1, 2021, the Protection of Personal Information Act (Popia) came into effect. The impact this will have on the health-care sector is immense.

Under Popia, health information (such as diagnoses, pathology results, blood pressure readings, etc) is not only considered personal information but is designated as “special personal information”.

This means data processors must take extra care when processing and storing these types of data. US-based QRS, which provides EHR (electronic health record) and practice-management software, has been sued after an August 2021 ransomware attack led to the exposure of the data of 319 778 people.

In 2020, one of South Africa’s major hospital groups was the victim of an attack and had to take its systems offline after a “targeted criminal attack” on its IT system.

In the same year, the South African arm of fitness group Virgin Active was also the target of a ransomware attack by sophisticated cybercriminals. This could, perhaps, be because 40 percent of local health-care providers in South Africa still use medical equipment with legacy operating systems, which exposes them to cyber risks and vulnerabilities, as revealed in Kaspersky’s latest 2021 Healthcare Industry report.

The two major challenges IT service providers in the health-care industry face are the high costs associated with protecting such sensitive information and the vast volumes of data that need to be stored and protected.

One’s personal information, such as one’s ID number, date of birth and address, is either set in stone or rarely changes. This means that service providers can store and protect it more easily. Health-care information, by contrast, is constantly changing, and the volume of data keeps growing: a single patient consultation generates a huge volume of sensitive data.

With volume comes complexity, and with complexity comes more opportunities for criminals to slip in through the cracks.

When it comes to data security, organisations are expected to have the necessary controls in place to protect data in any form. Future-proofing cybersecurity is difficult because, essentially, no one knows what is around the corner.

No security system is 100 percent effective, and hackers are always preparing the next breach or ransomware attack, with large and small health-care providers regularly finding themselves key targets. Health care will always be a huge target for cyberthieves simply because of the amount of information created with every doctor’s appointment or surgical procedure.

The health-care industry has traditionally been slow to embrace technological innovation. Many of the hospital groups are working on dated systems that leave them vulnerable to attacks.

This also speaks to a patient’s level of comfort in sharing their data.

The sharing of data between patients and doctors, and between different health-care providers, via an interoperable system will not only give medical professionals a more comprehensive view of a patient’s health, but will also help eliminate tests that are needlessly repeated, for example.

However, for a system like this to optimally function, patients need to feel confident that the health-care provider they share their data with can protect their data.

The ripple effect of this is that these providers will require the technology companies that store their data to have the best possible measures in place. This is where certifications such as ISO 27001, the international standard for information security management systems, are crucial.

Any service provider that stores special personal information needs to make sure that its house is in order, or risk running afoul of Popia.

Aside from the hefty fines that can be issued, the reputational damage a health-care provider or its IT service provider can suffer because of a data breach can be disastrous.

MONEY

2022-02-03T08:00:00.0000000Z

http://capeargus.pressreader.com/article/281736977853181

African News Agency