- Smart Healthcare, Wednesday 2 December 2009 09.00 GMT
Path less travelled: IT security can vary from trust to trust, but those outside cities can find it easier to recruit good candidates. Photo of north Devon coast: jiunlimited.com
Mention security to anyone involved in NHS IT and you're likely to elicit more than a few war stories. While the media has reported a stream of data losses and leaks – ranging from Scotland's patient records incident a year ago through to the revelations in late May when NHS London reported 76 "serious untoward incidents" – it could be argued that the sheer size of the NHS means it will always be a source of such incidents.
But the situation could be getting worse. In June of this year, the Information Commissioner's Office (ICO) warned that the personal data of patients is still being compromised by "shocking" examples of poor security. Assistant commissioner Mick Gorrill gave a damning verdict on the NHS's efforts to improve its data security after a series of high profile breaches in recent years.
Gorrill, who spoke at the North East Fraud Forum's annual conference in Gateshead, said: "We have found that lots of organisations, particularly the NHS, aren't up to scratch with the necessary precautions to secure data."
"There is some shocking evidence of poor security in NHS organisations and we are trying to work with them to ensure that there is change," he added.
Citing a recent example of a hospital which left old computers holding data from 2,500 medical records out in the street to be accidentally removed by local refuse collectors, Gorrill painted a bleak picture of IT security understanding within the NHS.
In another recent incident, he said that an NHS representative donated a handbag to a charity shop, unaware that it contained a USB stick used to store patient information.
Has the situation changed? It doesn't look like it because, as reported by Smarthealthcare.com last month, the ICO chastised the NHS over the fact that its operations were responsible for 30% of the security breaches reported to it in the last two years.
Securing the country
The NHS is formed of hundreds of organisations. Clive Peacock, who leads the IT security team for Manchester-based Salford Software and works with more than 40 trusts, says some do a very good job – especially those in rural areas such as in Devon and Cornwall.
"In the city there's a lot more competition for IT staff, so it's natural that, as a major employer nationally, the NHS will attract a higher calibre of staff in more rural areas of the UK," he says.
Other trusts have improved their security through a strong use of identity and access management systems, Peacock adds. "The South London and Maudsley NHS Foundation Trust, for example, now has the capability to provision users on its access management system across the board within 24 hours of its IT services staff being notified about a new member of staff," he said. "This shows what can be done with the right levels of integration between human resources and IT services."
But this can lead to problems when the HR database isn't up to scratch. "We've come across instances where the names, dates of birth and even national insurance numbers do not match up with the ones that employees actually have," he says.
Another potential problem for NHS trusts is the red tape involved in selling them IT security, according to Steve Howes, chief executive of Huntingdon-based company Gridsure, which has developed a pictorial authentication system that can replace passwords and PINs.
Howes says the tendering process usually results in the cheapest option being selected, which may not be the best: "This makes the task of selling IT security into the NHS a lot more expensive than it could be. This undoubtedly puts a lot of vendors off, especially when they invest time and money into the selling process and then fail to secure the contract."
"On the authentication front, it may be easier to look at using mobile phones as devices, as this removes the cost of single sign-on devices from the IT equation," Howes argues, adding that using a mobile phone for authentication would cut the likelihood of staff sharing passwords and authentication devices.
However, software-based security is always going to be cheaper to implement than hardware, which means Howes' firm is unlikely to make sales to trusts that always go for the cheapest product.
As long as the NHS, whether across a country or in individual trusts, goes for the lowest-cost IT security, there is a danger of data breaches continuing.
But the price issue is something that NHS managers and their suppliers will have to live with for some time to come, owing to the parlous state of the UK's public sector finances.



