This article argues that public sector organisations, including the NHS, should have no excuse for losing data accidentally through the loss of USB devices and asks whether, due to the exceptionally low price of secure USBs, should every NHS employee be issued with one?
Public sector organisations such as the NHS and HMRC are responsible for handling some of the most-sensitive data in the country. As such if, and when, a security breach occurs, it can have potentially-devastating repercussions for both the organisations and those millions of citizens or patients who place their trust in the NHS to keep their data safe, and whose data can be compromised by such an event.
Mobile devices are simple to carry from one workplace to the next, but they can be easy to lose. To protect our data, we need a way to prevent unauthorised people from accessing the contents of a lost or stolen device
The loss of intellectual data is unfortunately still a very-real problem. In September 2014, Forrester Research published a brief entitled Stolen and Lost Devices Are Putting Personal Healthcare Information at Risk. Among the findings were two important trends. Firstly, healthcare is becoming more mobile with approximately a third of healthcare employees now working outside the office or clinic at least once a week. Secondly, healthcare records are five times more likely to be lost due to device theft or accidental loss.*
Today, personal healthcare information (PHI) records are more accessible than ever before. These records contain important personal information such as social security numbers, medical history, and insurance information.
Technological progression in the medical world is giving us advancements such as real-time medical data on our smartphones and mobile messaging systems so that hospital staff can get to patients faster. Although this progression is exciting, with all of this patient information floating around in technology, it makes it harder to keep our data safe.
Data mobility
With so much mobility, it’s not surprising that data protection has become a big problem. Mobile devices are simple to carry from one workplace to the next, but they can be easy to lose. To protect our data, we need a way to prevent unauthorised people from accessing the contents of a lost or stolen device.
As healthcare becomes a fast adopter of mobile technology, one of the simple and easy security messages is - improve patient data security by encryption. In addition, carry out privacy and security assessments regularly so that it is budgeted and expected. At the same time, be pro-active about patient data security, look to see if you have any security gaps, and firmly close them.
Healthcare providers are under enormous pressure to improve quality of care and operational efficiencies, often through the use of mobile workforces and contractors. Somehow, they must achieve all this while meeting stringent requirements for ensuring that patient data remains private.
Paying the price
Healthcare providers are under enormous pressure to improve quality of care and operational efficiencies, often through the use of mobile workforces and contractors. Somehow, they must achieve all this while meeting stringent requirements for ensuring that patient data remains private
Within the NHS, as with any public sector organisation, there are strict guidelines regarding the security of sensitive data, and the Information Commissioner’s Office (ICO) can now subject the NHS to compulsory data protection audits in a move aimed at slashing the number of data loss incidents in the health service.
These powers have given the ICO the right to investigate England’s NHS, GP surgeries, NHS trusts and community healthcare Councils, as well as equivalent bodies in Scotland, Wales and Northern Ireland.
With breaches frequently making the news, the NHS has not escaped the headlines, with NHS Surrey being fined £200,000 by the ICO after 3,000 patient records were discovered on an auctioned computer. A Welsh NHS trust was also penalised after a doctor emailed patient data to someone with a similar surname.
Data security
Data security solutions focused on strong encryption and identity and policy-based data management are certainly the way forward as mobility in the healthcare industry increases. Data security requires security encrypted devices that protect digital identities and applications wherever they reside.
Mobile data security requires a two-pronged approach simply by using only drives, such as USB devices, that offer encryption supported by data management. That way, if the USB or hard drive is lost or stolen, the contents remain obscured and inaccessible.
The second part of the approach is a management capability that brings control to the data on the device. If a device is lost, for example, and IT has any suspicions when someone attempts to access the data, they can remotely wipe the hardware device so it cannot be read. These steps will ensure confidential and private information on USB and external drives remains protected, particularly if the drive is lost or stolen and lands in the wrong hands.
Health organisations should also look at adopting a centralised management platform to put the organisation firmly in charge of its data access and not rely on the diligence of mobile workers who carry sensitive healthcare data with them
Health organisations should also look at adopting a centralised management platform to put the organisation firmly in charge of its data access and not rely on the diligence of mobile workers who carry sensitive healthcare data with them.
Health organisations have not taken charge of their data security and compliance to avoid potential data breaches and hefty fines, not to mention reputational damage. Healthcare facilities need to address the realities of mobile work practices, but they also need to protect the information in their care. The task is made a lot easier with a good device policy and the right tools.
