The NHS is increasingly at risk of data breaches as it accumulates patient records and faces growing digital security risks. What approaches can IT staff and healthcare administrators take to keep the risk of data breaches as low as possible? It's a difficult proposition: as records become ever more accessible digitally, so do the security vulnerabilities increase.
English Hospital Failings
The NHS has many examples of data loss. Information regarding patients' health has reportedly been sent to the wrong email addresses. The NHS data loss problem is nationwide: it's as bad in England as it is in the devolved governments of Wales, Scotland and Northern Ireland. It's not just email and digital technology that play a part in data breaches; paper-based records do too. February 2015 saw an incident involving mainly paper-based records at North Tees and Hartlepool NHS Foundation Trust. The Information Commissioner's Office (ICO) reported that a folder of highly sensitive medical documents containing patient data had been left at a bus stop. Luckily it was handed in by a member of the public, but it's this kind of regular lack of data security that prompted the ICO to issue the trust with an enforcement notice to review its security policies and put in place an action plan to prevent this type of thing from happening again.
Devolved NHS Hospitals
In 2014 the ICO took action against NHS Grampian in Scotland, due to there being 6 data breaches over a period of 13 months. Sensitive patient paperwork had been left in various public places around the hospital, and in one disturbing case, material had been left at a supermarket. In Wales, the ICO criticised north Wales's Betsi Cadwaladr University Health Board. It sent out 8 patients' letters to one of the people who were affected at the time. It was found that all of them could simply have been seen by their local GP, and the employee who had made the mistake had received no data protection training on the job.
The Information Commissioner's Office (ICO) was given the power in February 2015 to subject any public healthcare organisation to a compulsory audit. Originally the power had only been granted to central government, but to increase effectiveness and reduce government bureaucracy it was given to the ICO. It's not a power that the ICO wants to impose on hospitals, said the head of the ICO's good practice department. Instead they planned to operate on consent, and had spoken to a number of NHS trusts about a required audit for the 2015/16 period. All the trusts involved had cooperated willingly, and unless a voluntary audit was refused, the ICO wouldn't use the power of compulsory audit extensively.
The reason for the upsurge in ICO activity is the number of complaints that have come in from the public regarding healthcare. It's through these audits that the ICO also picks up on undiscovered vulnerabilities. Another big vulnerability that was highlighted was patient records being posted or faxed to the wrong individuals or third parties. Surprisingly, there were also issues with the theft of paperwork, and unsurprisingly the theft of devices such as laptops and flash drives was deemed to be a concern. The preventive measures were mostly claimed to be better digital security, as the health secretary Jeremy Hunt had committed to moving the NHS to a paperless state.
One NHS trust was highlighted as an example of taking adequate digital security measures. It issued its community staff with encrypted laptops, committed to asset tagging, and allowed access to the trust's system only via a virtual private network. The time that trust staff spent with patients increased dramatically, as they didn't have to report back to their main office to deal with paperwork. The ICO has recommended that organisations conduct what is known as a privacy impact assessment. This would prioritise examining the risks of using paper-based systems, in light of the ever-increasing incidents of data breaches.
The ICO highlighted that regular staff training should take place in regards to security. Users of trust systems had to be aware that they should use secure, regularly changed passwords, and how to control the use of USB devices. A couple of NHS trusts were highlighted for having trained their staff to use a managed print service. This is where staff use a fob key and a personal PIN to pick up their printing. It was first introduced as a cost-saving measure, but it had also reduced the number of errors where people would pick up the wrong printed material or include someone else's sheets while collecting their own.
Solent NHS Trust even went so far as to secure its paper-based system with smart card access. These were new ways of working, but once staff training was complete, they were used intuitively. Staff at Solent NHS Trust were obliged to complete an online annual information governance refresher course. Seminars for junior doctors were introduced, along with regular newsletters, daily emails, screen savers and posters targeting all members of staff. 95% of staff were trained through these measures, and this was closely monitored by the trust.
The future of record keeping is becoming increasingly digital, and it could be argued that as a younger, more digitally literate generation comes through into the workforce, it will become easier to work this way. This may be true, but the reluctance of individuals to govern the security of their own Facebook accounts opens the door to the ever-increasing risk of data breaches in the healthcare industry.