While professional cyber criminals might be grabbing the headlines, dangers presented by internal threats are starting to raise serious concern among hospitals and clinics.
And, as the problem is only set to get worse as the volume of patient data and the number of systems increases, NHS and private organisations need to do more to protect information and reduce the likelihood of hefty fines for breaches.
To address this problem healthcare IT specialist, Caradigm, has published a new White Paper entitled A Comprehensive Strategy for Preventing Internal Breaches in Patient Data Security.
The six-page document presents hospitals with solutions that can help them to balance the need for extended care teams to have immediate access to complete patient data, with the need to safeguard patients’ privacy and security.
This strategy encompasses deploying IT tools to approve users and control their data access, instituting best practice, and elevating security initiatives to senior management-level status in the organisation to help foster a culture of security-conscious users.
According to the BBC [1], there may have been 10,000 NHS patients affected by data security breaches in 2013 alone. A risk analysis by the NHS also revealed there have been two million ‘serious data breaches’ of patient records since the start of 2011 [2]. And, in 2012, a Welsh health board became the first NHS organisation to be issued with a monetary penalty after a sensitive report containing explicit details relating to a patient’s health was sent to the wrong person [3].
While most problems relate to the loss or theft of data, around a third of all breaches reported to the Department of Health concerned unauthorised disclosures, usually by staff working for the organisation.
The Caradigm White Paper states: “It is clear the problem is pervasive and only going to get worse as the volume of patient data and the number of systems and applications continues to grow and the boundaries between healthcare provider teams become more porous.
“This places an urgency on hospitals to re-examine the way they share patient information and revise their approach to data security to include ways to deliver faster access to the right data at the right time and to the right people, with the ultimate goal being to improve care quality and outcomes.”
In 2014 the ICO reported that it issued £1.97m in civil monetary penalties and seven enforcement notices [4], but legal fees and other associated costs can make the consequences much greater for healthcare organisations. In addition, breaches can seriously damage a hospital’s reputation and brand.
“Complacency is no longer an option,” the White Paper warns.
The document goes on to outline ways in which trusts can enhance security while at the same time ensuring medical staff have immediate access to vital patient data on which to base treatment plans.
It states: “To determine if their organisation is safeguarded against data breaches, organisations need to look at the data control factors that might be compromising compliance and therefore increasing their privacy and security risk. Risk assessment needs to be an ongoing process which is reviewed regularly.
“Data security measures need to be front and centre in all hospital activity involving access to patient information.”
Advice includes improving training of Caldicott Guardians, who are appointed in all trusts to take overall responsibility for protecting the confidentiality of patient and service user information. It also recommends implementing best practices in privacy security, with three critical lines of defence: ownership at management level for assessing, controlling and mitigating risk; establishing a working group to implement risk management practices; and creating an internal audit team to provide objective assurance to the board on how the hospital is doing.
In addition, it calls for tighter provisioning and the introduction of integrated single sign-on and context management technology. This is particularly important in healthcare settings, where clinicians and other staff may use multiple workstations in various locations throughout the day. Most software solutions create an audit log which enables access to be tracked.
“Adopting a holistic strategy for preventing data breaches can transform a good hospital into a model of excellence for the healthcare industry,” the White Paper states.
[1] NHS patient information in data breach by Diagnostic Health, BBC
[2] NHS admits new medical records database could pose privacy risk, The Telegraph
[3] ICO issues first penalty to NHS following serious data breach, Information Commissioner’s Office
[4] Information Commissioner’s Annual Report and Financial Statements 2013/14, Information Commissioner’s Office