Call made for security education for NHS as personal details are lost on unencrypted devices

News by Dan Raywood

The security industry should come together to educate NHS trusts and other organisations on simple measures to protect data.

BlockMaster CSO Anders Pettersson claimed that the workload incurred by the NHS is hard enough without the consideration of data protection and the constant negative publicity that is caused by it.

News emerged recently that five NHS trusts were found to be in breach of the Data Protection Act by the Information Commissioner's Office (ICO). The five trusts were the Royal Free Hampstead NHS Trust, Chelsea and Westminster Hospital Foundation Trust, Epsom and St Helier University Hospitals NHS Foundation Trust, Surrey and Sussex Healthcare NHS Trust and Hampshire Partnership NHS Foundation Trust.

Reported losses included: an unencrypted compact disk with unconfirmed contents by the Royal Free; an unencrypted memory stick containing 143 patient details, including sensitive medical information by Chelsea and Westminster; and the theft of an unencrypted laptop computer holding the personal data of 349 patients and 258 staff by Hampshire.

Epsom and St Helier was in breach after it was discovered that it was storing hospital records insecurely for nearly two years following data being transferred between hospitals. Surrey and Sussex breached the DPA twice. A ward handover sheet, containing information relating to 23 patients in the care of the trust, was found on a bus and two unencrypted laptop computers were stolen from behind three locked doors.

Pettersson said: “It is alarming to see more NHS trusts losing data and being reprimanded by the ICO. You think the NHS would know by now that it is critical to take a proactive approach to security to ensure sensitive patient records don't fall into the wrong hands. This way the loss or theft of a device won't turn into a breach and create this sort of public humiliation, resulting in a complete loss of confidence.”

He recommended educating on simple measures that can be put in place to protect data, such as implementing a policy for all portable devices to be encrypted, whilst also ensuring this does not impact usability.

“Employee adoption is also a critical part of implementing new security practices, particularly in the NHS where the adoption of new technologies is on the whole quite slow. Only if all these measures are taken will we start to see data breaches reduce,” said Pettersson.

Sally-Anne Poole, head of enforcement and investigations at the ICO, said: "Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands."
