
NHS has much to do on data security

Tags: Data   encryption   ICO   Security  

16 Jun 2010

The NHS has much to do on data security and is still making “far too many” mistakes in securing patients’ personal and sensitive information, says the Information Commissioner’s Office.

The ICO says it remains highly concerned that data breaches involving people’s personal information are continuing to occur in NHS organisations.

NHS Stoke on Trent and Basingstoke and North Hampshire NHS Foundation Trust are the latest NHS bodies that have been found to have breached the Data Protection Act.

NHS Stoke on Trent has been criticised for having potentially "destroyed or misfiled" about 2,000 paper physiotherapy records.

Basingstoke and North Hampshire NHS Foundation Trust, meanwhile, has been found to have emailed an Excel spreadsheet containing 917 patients' pathology results to a department with "no business need to have access to the excessive amount of clinical records."

The spreadsheet was not password protected and was sent via unsecured email.

The chief executives of both NHS organisations have signed formal undertakings outlining that they will process personal information in line with the DPA. The ICO says that a quarter of all data breaches reported to it are from the NHS.

Mick Gorrill, head of enforcement at the ICO, said: “Everyone makes mistakes, but regrettably there are far too many within the NHS.

"Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information.”

NHS Stoke on Trent will apply physical security measures in respect of paper medical records, particularly when they are in transit.

Basingstoke and North Hampshire NHS Foundation Trust says it will only extract and transfer the minimum amount of personal information necessary for any processing requirement.

With immediate effect, it will encrypt all portable and mobile devices used to store and transmit personal data.

Jon Hoeksma


© 2010 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Readers Comments

1

Encrypted media

17 Jun 10 21:41

My organisation uses encrypted USB media. Unfortunately, to save money, memory sticks are rationed by management & shared rather than being given to all, meaning that nobody ever knows the password - it's not uncommon to see people leave these lying around with the password on a post-it note.


2

Encrypted Media

21 Jun 10 12:07

We use an encrypted USB stick that has a management console in place so that if the user does lose the password they call the IT service desk. The sticks vary from 1GB (around £14) and the console price varies depending on users. Try a quote from enquiries@inforeg.co.uk Regards, Keith


3

The Cost of Risk

21 Jun 10 15:27

I took my daughter for a bicycle ride on Father's Day along a river trail. Flat, no cars, beautiful day. We wore no helmets. The risk we took was almost infinitesimally small, but this will no doubt bring forth the outraged mob, tutting and wagging their fingers. But we had a lovely picnic and my daughter might ride bikes a bit more, get out a bit more, be a bit fitter and stop listening to death metal grunge.

Why is this story important?  I'm trying to make a point about risk. Everything is about a balance of risk against benefit.
'potentially "destroyed or misfiled" about 2,000 paper physiotherapy records'
 
So What!
 
Some data was sent by email. So what! No data was compromised, it's just complete nonsense and it's costing you, innocent tax payer, millions of pounds to pay for hot air. How many cases have there been of data ‘intercepted’ during transit? None that I know of. Even if it is going on, if we never find out about it, it's because it just isn’t important.
 
Who cares that a few thousand records might have got destroyed?  Nobody sensible.  Just people who are determined to make an industry out of minor infringements of arbitrary guidelines that have no real world effect.  
 
I've made this point before, but what was the real world effect of 20 million children’s address records getting lost?  Absolutely nothing.  Just lots of people tutting and wagging their finger.  We are wasting thousands, perhaps millions, of pounds on trying to lock down every possible combination of records getting lost or mislaid.  We are chasing a paper dragon.  If you want to see the biggest example of collective stupidity, just look into the pseudonymisation programme.  Yes there is such a thing and it’s a complete waste of public money and will achieve absolutely nothing.  Interestingly it’s only the English who are this stupid, the Welsh and Scots don’t seem to need a pseudonymisation programme.  Perhaps that’s why they can afford to send their children to university with no fees.
 
Security is about a collective attitude and to be honest that attitude is pretty good in the NHS. It's amazing that, in such a huge business, all the doom and gloom merchants can come up with is some records might have been destroyed and an email was sent that didn’t go by NHS email (which isn’t that much more secure than internal email systems). No amount of regulation or clever technology will ever make a difference. We need to move data about for the NHS to work, simple as that.
 

Now I expect this comment to draw out those who are being paid tax payers' money to 'promote' security. It is in their interest to scare the crap out of you so you don’t mind continuing to waste tax money on this rubbish. Believe you me, you can’t afford these people and you don't need them. Stop worrying, most people in the NHS are very careful with your data and where there are breaches they are minor and have no real world impact.


4

Astonishing Attitude

21 Jun 10 16:19

@#3

The risk is not yours to take!

It's precisely this dim attitude to data referring to OTHER PEOPLE that is causing damage to the NHS.

I really do hope that commenter has no access to unencrypted patient data - this is exactly the sort of person who should NOT have access to it for the reasons they themselves have stated.


5

Comment 3 is correct

21 Jun 10 23:13

Like it or not the brave person in number three is correct. It's so easy for you new puritans to get on that bandwagon that says we must spend ALL of our efforts on making data so called secure.

Consider for one second the cost of this versus the benefit using the good old 80:20 rule. Chasing down the last few percent is exponentially costly and not only is not worth it, it's also counterproductive and introduces risk.

To date to my knowledge despite so called data loss there has been no known genuine disclosure. In the interim how many people have died because we failed to have systems in place to effectively share data? Nobody knows.

Just remember that for every pound we spend doing one thing we take a pound away from something else. That's how the real world works!


6

Bold risk taking - With someone else's privacy at stake

22 Jun 10 18:42

@5

Commenter #3 is indeed brave - whilst risking other people's privacy.

Very brave indeed.

.....bring on the lawsuits - it seems to be the only thing some people will listen to. Perhaps after one or two "brave individuals" have been financially ruined will the concepts of "Private and Confidential" be realised.


7

Risk or no risk

23 Jun 10 09:34

I can't afford to take legal action against the trust that misused my data not once but three times. Believe me, if I could I would. My personal and clinical details were given to third parties without my permission and from the third parties to 4th, 5th.....

There was no reason to access my data let alone pass it.

It has taken me 2 years to stop this.

I have no trust in any NHS organization now and will never have a summary care record.


8

Risk

23 Jun 10 14:26

#3 makes a very good point about real and perceived risks.

@4 and 6: There is a way to remove all risk of confidential data being lost, stolen, appropriated or misused. That way is not to store it in the first place.

If we want clinicians to have access to our records for the purposes of caring for our health, we have to accept that it will be stored on IT systems, and that the more those systems are able to communicate this information with each other, the more up to date and accurate this information will be, to the benefit of the quality of that care.

We also have to accept that with the benefits there are risks. Sooner or later something bad will happen. Human error or the totally unforeseeable. We can mitigate the risk somewhat, but we cannot ever eliminate that possibility. If we think we can we are deluding ourselves.

#6, are you for real? You'd see someone "financially ruined" for living in the real world rather than your cloud-cuckoo utopia? Maybe you should be in politics. Maybe you are.

It's precisely this pervasive atmosphere of litigiousness that has led to today's society being so ridiculously risk-averse.


9

Personal Information Promise

28 Jun 10 16:14

I attended the ICO's day out in Manchester when he launched this novel idea and, during the day, challenged this particular "promise" - "We promise to ...7. have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands." I said I couldn't sign up as I couldn't possibly make such a promise - somewhere some silly person will lose some data. I was rounded on by the ICO presenter in no uncertain manner, but still haven't signed up.

And when the ICO castigates the NHS for data "losses", is this not because we are so good at reporting these incidents that we make it to the top of his list?

I beg one final question - when NHS information goes astray, as it invariably will, has anyone ever been damaged in any way?

Don't misunderstand me - I am a firm advocate of information security but I am also a realist.
