NHS taking an interest in how to improve security and reduce its data loss dilemmas
There is a whole new level of interest in securing medical data following revelations that the NHS is responsible for a third of the Information Commissioner's Office (ICO) reported data breaches.
David Ting, CTO of Imprivata, claimed that the situation in the UK is less complicated due to a lack of US-style notification laws, but with current activity 'the potential for loss is huge'.
He said that the company was finding a 'whole new level of interest in security of health information' and that, to best protect itself, a practice needs to group users into three categories.
He said that these are: “Those that allow data to be exposed; those who have access to systems legitimately and have access to the system but look at it regardless including those that they have no right to look at; and malicious users. So you need to protect against all three. Most users do not have the time to be a security expert and so you have to integrate and make security invisible and be as sensible as you can. Look at the seams where information can leak out.”
Asked what advice could be passed on to practices where staff do not have the time or practicality to make security a priority, Ting advised that staff are made aware of the consequences and penalties.
He said: “Also consider password security, get an audit trail and look at how data gets integrated and figure out how to secure data at rest and in transit, also while it is in use, and hopefully you will have an audit trail to secure the movement of data. The issue of data and who controls it is more difficult to address, but we are still some way off.”
Commenting, Colin Woodland, VP EMEA at IronKey, sympathised with the NHS, saying that following budget cuts this would be a challenge and that most incidents were down to human error.
He said: “You have got to change the attitude and most people want to do something, businesses are looking for the right technology but it is about cost. Can you change the mindset? It is an education process and while it is not a core skill, they do what they are good at and make it easy. You do not want security to be a closed door.”