The Eagle: Trinity College Law Gazette Volume 8, Issue 4

Page 27

Data

Data Protection in the HSE: a Case for Blockchain Technology

By Ursala McDonnell, JS Law and Political Science

As conservators of patients’ sensitive medical information, healthcare systems require a unique level of security and privacy. Healthcare providers enter information into special databases that are structured to improve patients’ privacy rights. Nevertheless, in the wake of the cyberattack on the Health Service Executive (HSE), it is clear that the systems currently in place are not sufficient to carry out this function. This article investigates the implications of adopting blockchain to tackle the cybersecurity issues within the HSE and prevent future crises.

The Health Service Executive operates as the primary national public health system in Ireland. Under the General Data Protection Regulation (GDPR) and the Data Protection Acts 1988-2018, the HSE is obliged to safeguard the privacy rights of patients with respect to the regulation and processing of personal information. That duty was severely impaired by the aggressive cyberattack which targeted its IT infrastructure in 2021.

On 14 May 2021, the HSE’s IT systems were infiltrated using Conti ransomware, causing all of its systems to fail. Conti usually forces a ransom payment by stealing files and encrypting IT systems and workstations to prevent access. Where the ransom is not paid, the Conti hackers sell the stolen information or publish it on public websites they administer themselves. In the case of the HSE, Conti gained access to its IT infrastructure by sending an email to a user of an HSE workstation. This email contained a malicious Microsoft Excel file which the user opened, thereby granting access. After the attackers secured access, 80 per cent of the HSE’s IT systems were encrypted. In addition, the hackers blocked access to diagnostics and medical records, released the private data of thousands of recipients of the COVID-19 vaccine, and exfiltrated unencrypted data such as protected health information. After the initial access, the hackers operated in the system for two months before the ransomware detonation occurred in May. The event has been regarded as the most significant cyberattack on an Irish state agency and, further, the largest known cyberattack against a healthcare service computer system. One question remains:

How could a cyberattack of this nature be carried out on what was supposed to be a highly safeguarded system?

It may be argued that the HSE neglected its duty to protect the private data of individuals by failing to develop an adequate cybersecurity strategy. Indeed, the Independent Post Incident Review of the HSE’s operational and technical preparedness for the crisis found that the healthcare provider had a low level of cybersecurity maturity and as a result was insufficiently equipped to deal with the attack. This cyberattack has revealed a stark need for the healthcare system to re-evaluate its cybersecurity strategies in order to prevent a similar infiltration in the future. An attack of this nature is not unique to the Irish healthcare system. According to the FBI, more than 400 healthcare networks have fallen victim to similar attacks worldwide.

Researchers have identified alternative methods of protecting the private data of patients in order to prevent cyberattacks on medical databases, with some underlining the usefulness of blockchain technology to address these cybersecurity challenges in healthcare. Blockchain is employed to record data in a way that renders the altering, hacking, or cheating of a computer system virtually impossible. Launched in 2009, it has gained widespread attention for its ability to provide

