In November, two NHS care trusts found themselves victims of data theft. Not through sophisticated hacking techniques – but by someone walking out of the door with desktop computers.
There are few places where the mishandling of data matters more than in the NHS. Even in the best case, unauthorised sharing of confidential records is a gross breach of personal privacy. Such thefts suggest a number of grim possibilities including identity theft and blackmail under threat of publication.
This is a serious problem, and is symptomatic of a more dangerous trend in IT decision making – a focus on technical security at the expense of the basics. There is merit in spending money on sophisticated technology but not if you ignore the fundamentals of physical and online security.
Security professionals have, for some time, been trying to communicate the value of data and data security to those who are responsible for it. Unfortunately, while criminals listened closely and wised up to the value of data, many of those responsible for keeping the data private did not.
These thefts, therefore, raise important but all too familiar issues: why wasn't the data encrypted? Why was it stored on an internal drive and not a securely held server? And why was there not adequate physical security in the building? Underlying all of these questions is the sad fact that people aren't taking information security seriously.
Furthermore, this goes beyond criminality. If medical information was being held on a hard drive and not a central server, was it being updated correctly? What if a doctor, working from an outdated database, prescribes medicine unaware that the patient has a fatal allergy? It's an extreme example, but if a sensible approach to data is not taken, something of this magnitude will happen sooner or later.
These problems do not have difficult solutions. Most are a matter of implementing simple procedures, many of which are covered in the Information Governance Toolkit, available through the Connecting for Health website.
But procedures are no use unless everyone is following them. That is not going to happen until organisations wake up to the fact that data is important, valuable and potentially catastrophic when not handled properly.
The solution starts with someone taking full responsibility for ensuring best practice security measures are implemented across the entire organisation. This has to include: ensuring that employees understand the impact of mishandling data; providing proper data handling training; and implementing personnel procedures to ensure employees do not compromise the system. These must be backed up by adequate sanctions for any unreasonable failures.
This is a big issue and will only escalate. If organisations don't handle this internally, the Information Commissioner's Office will start coming down harder on failures. The NHS is an important national institution and should not be let down by a few fundamental errors which undermine trust in the entire organisation. It is in everyone's interest that we get this right.
Technology is evolving and data security needs to keep pace. Healthcare professionals are migrating to mobile devices for calling up medical information, which will bring new issues. It is vital that we start taking this seriously now and get our data handling practices right. It is not acceptable to continue with blasé attitudes as we move forward into digital Britain.
Tony Dyhouse is director of the Cyber Security Programme for the Digital Systems Knowledge Transfer Network. The programme is the UK's focal point for cyber security expertise. It is an independent body funded by government which brings together business, government and academia to work together and develop effective responses to cyber security threats.