As the world has become more online, there has been a corresponding increase in cybersecurity incidents, most notably ransomware attacks.
We examine a recent decision issued by the Irish Data Protection Commission (DPC) against Centric Health Ltd. (Centric), a healthcare provider, who suffered a ransomware attack. We look at what the focus is on when assessing issues with data security practices in the aftermath of a data breach.
Centric’s data breach
Centric suffered a ransomware attack that resulted in its staff losing access to the patient administration system, affecting 70,000 patients. Personal data of 2,500 patients was permanently deleted due to back-ups of the system being affected.
The breached data included patients’ names, birth dates, PPS numbers (social security number equivalent), contact details, and some health data, considered special category data (SCD) which subject to higher protections.
Centric paid an unspecified ransom to the attackers in return for a decryptor key and while it did not pose any threat, the decryptor could not be applied to the affected data as it had been deleted in the interim.
Main takeaways from the DPC’s decision
- Risk analysis of processing personal data in order to determine the appropriate level of security: Centric failed to maintain documented accounts of risk assessments. The DPC stated it was important to carry out an assessment looking at the (1) likelihood of unauthorised access, taking into account that SCD was processed, and (2) severity of risks to rights and freedoms of data subjects. These assessments would have determined the level of appropriate security that should have been implemented.
- Policies alone are not enough: Centric had numerous policies, including an Information Technology Policy and a Patch Management Policy. However, these policies were not followed in practice and the steps in the policies were not carried out at the determined intervals set by the policies.
- Importance of applying security patches: Centric did not apply a large number of patches, released by Microsoft in 2018, to its operating system. The DPC found this demonstrative of a failure to ensure security of Centric’s IT systems as a whole, even though the patches may have not been enough to prevent installation of the ransomware.
- Importance of backups: The backups were infected at the time of the incident. A daily backup was taken but it was stored on the physical service and not off-site. Centric also did not have a business continuity plan and had a lack of records to demonstrate the testing of restores from the backup systems.
- Importance of password security and encryption: Centric’s passwords to log into the Patient Administrator System wouldn’t meet the standard for internet-facing services. In addition, the data at rest in the Patient Administrator System was not encrypted. The server was fully exposed to the internet with a password that could have been brute forced without much difficulty – which was what happened.
- Importance of a functioning firewall: The network firewall was fully exposed, allowing all inbound and outbound traffic through. The DPC found that security settings could have restricted access to known IP address range (whitelisting) and excluded the IP address of the bad actor.
The DPC’s decision demonstrates the importance of appropriate security. This involves conducting a risk assessment, adopting security measures appropriate to the risk posed, and evaluating the adequacy of these security measures. Also, policies and procedures need to be implemented in practice.
Security measures are an area that will keep attracting attention. The EU has in December passed the second Network Information Services Directive, which will capture an even broader range of services than the first Network Information Services Directive. This is part of the push from the EU to ensure a high common level of cybersecurity in today’s online world.
For more information on ensuring your organisation is fully compliant with all relevant regimes, contact a member of our Technology team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.