NHS Data Protection and Security incidents

Worldwide, countries implement comprehensive regulations for the protection of personal data. This is especially important in health organizations where sensitive patient data are used, stored and exchanged.

NHS Business telephony security

At RSconnect we assist various health organizations – including NHS organizations in the UK – with the security of their business desktop telephones. This is a crucial domain, since unauthorized use of desktop telephones may give access to sensitive data and opens the door to data breach scenarios. It is exactly here that our security solutions focus.

Data security and protection in the Health sector

However, there are of course many other data security risks to be faced by NHS organizations. It is interesting to have a look at the quarterly report of the ICO. The Information Commissioner’s Office is the UK’s independent body set up to uphold information rights. In its report on Q3 of 2016 it provided information about the number and type of security incidents in different sectors. This Data Security Incident Trends report covers General Business; Finance, Insurance & Credit; Local Government; Justice; Education; and Health.

hospital beds with computer screens (credit: Hospital Municipal de Chiconcuac)

Now that IT is used everywhere in medical institutes, IT and data security are crucial for hospitals.

Although the trends show stronger growth of security incidents for other sectors, the health sector outnumbers the other sectors by far in absolute figures. The ICO reported 239 incidents in the health sector for Q3. The ‘next worst’ score was local government (62), followed by “general business” (56). In its defense it must be said that the health sector is much further along regarding mandatory disclosure of security incidents, a policy which many other sectors will only implement as part of new data protection legislation.

Data Security incidents in National Health Service organizations

Our software aims at IP telephony security, a topic that is too often ignored when developing data protection plans. Likewise, the non-IT areas are often ignored as well. The ICO report shows that data protection needs a multi-disciplinary approach. When the incidents are reviewed, the number of real IT incidents (such as DDoS and phishing attacks) is small compared to the number of the more prosaic ‘physical and paper’ incidents. One of the top categories, for example, is posting, faxing and emailing personal data to the wrong recipient; in email this is often the result of the auto-fill option when people enter email addresses. The loss of paperwork and of unencrypted storage devices such as USB sticks are also ‘popular’ ways of losing data. Failure to redact data often causes data breaches as well, as does the insecure disposal of paperwork.
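The misdirected-email category above is the one that lends itself best to a technical control: a pre-send check that classifies every recipient domain before the message leaves the organization. The following is an added example written for this page, not RSconnect’s software or anything from the ICO report; the domains in it are constructed placeholders. It flags recipients outside the organization, and separately flags ‘lookalike’ domains within a small edit distance of a trusted one, which is the typical shape of an auto-fill mistake.

```python
"""Pre-send recipient check against misdirected e-mail (constructed example)."""

# Hypothetical domains: the organisation's own and its known partners.
INTERNAL_DOMAINS = {"example-trust.nhs.uk"}
TRUSTED_DOMAINS = {"partner-surgery.example"}

# A domain this close to a trusted one, but not equal, is treated as a lookalike.
LOOKALIKE_MAX_DISTANCE = 3


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lower-cased domain part of an address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.strip().split("@")
    if not local or not domain:
        return None
    return domain.lower()


def classify_recipient(address, internal=INTERNAL_DOMAINS, trusted=TRUSTED_DOMAINS):
    """Classify one recipient as internal, trusted, lookalike, external or invalid.

    Returns (verdict, detail); detail names the trusted domain a lookalike resembles.
    """
    domain = domain_of(address)
    if domain is None:
        return "invalid", None
    if domain in internal:
        return "internal", domain
    if domain in trusted:
        return "trusted", domain
    # Check whether the domain is a near miss of any domain we know and trust.
    for known in sorted(internal | trusted):
        if edit_distance(domain, known) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike", known
    return "external", domain


def review_recipients(recipients):
    """Review a whole recipient list before sending.

    Returns a dict with per-recipient verdicts and a flag saying whether the
    sender must explicitly confirm before the message goes out.
    """
    verdicts = [(addr,) + classify_recipient(addr) for addr in recipients]
    needs_confirmation = any(v in ("lookalike", "external", "invalid")
                             for _, v, _ in verdicts)
    return {"verdicts": verdicts, "needs_confirmation": needs_confirmation}


if __name__ == "__main__":
    # Constructed recipient list mixing a correct address with two typical slips.
    sample = [
        "a.nurse@example-trust.nhs.uk",
        "gp@partner-surgery.example",
        "a.nurse@exampIe-trust.nhs.uk",   # capital I instead of l: auto-fill lookalike
        "someone@webmail.example",
    ]
    for addr, verdict, detail in review_recipients(sample)["verdicts"]:
        print(f"{addr:35} {verdict:10} {detail or ''}")
```

The check is deliberately conservative: anything that is not exactly an internal or trusted domain forces a confirmation step, and a near miss is reported together with the trusted domain it resembles so the sender can see what auto-fill probably substituted.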

This is one of the reasons we put so much stress on securing desktop telephones. Too many organizations invest vast amounts of money in advanced IT systems security but leave their back doors open.