Healthcare organisations hold confidential patient data and are required by law to keep this information secure from loss, inappropriate disclosure or access. This includes electronic and paper records. According to ICO data¹, 6,035 data breach incidents were reported in the health sector between Q2 of 2019 and Q3 of 2022. It was the sector with the highest number of breaches in 2022, which is concerning considering the sensitive nature of the data collected by health organisations.
Because there is no established framework for measuring the financial impact of cyber attacks and data breaches, the cost of these incidents is difficult to estimate. It should be noted, however, that fines of up to £17.5 million or 4% of total turnover in the preceding financial year can be issued to any body failing to comply with the data security rules enforced by the ICO², and one NHS Trust was recently fined £78,400³.
There are signs of improvement in data security within the health sector as the number of breaches has reduced over time – 1015 in the first half of 2021 compared to 851 in the first half of 2022. This information indicates that health organisations may be taking steps to improve their data security, but further steps can be taken in the future to reduce this number even more. To discuss how data security in healthcare could be improved, we’ve attempted to group the different kinds of breaches based on their causes and made some suggestions on how these issues could be prevented below.
The majority of data breaches were non-cyber incidents involving outdated technology or paperwork being lost, sent to the wrong person or incorrectly disposed of. This suggests that, despite the NHS’s efforts to go paperless, there is still a heavy reliance on paper, which leads to data security issues. Healthcare organisations should therefore try to reduce their dependence on paper records and invest more in electronic records and interoperable systems.
Clinical communication software could also help avoid some of the data security issues outlined above. With the ability to access a contact directory of all colleagues and message them either by selecting their name or their role, the possibility of contacting the wrong person or accidentally sending information to someone outside of your organisation would be minimised. Furthermore, by integrating clinical communication software with the hospital’s EPR system, the Trust could ensure that all information shared between staff is up-to-date and factual. Using clinical communication apps, such as Alertive, would also mean that all internal comms would be encrypted and secure, unlike some other forms of communication that are commonly used in hospitals:
“Historically, we know that the Trust was using a number of different ways of communicating: Bleeps, DECT phones, WhatsApp and Teams, and not always in the right way. What Alertive enables is a safe way to securely message patient information.”
Emily Wells, CNIO
Norfolk and Norwich University Hospitals NHS Trust
One way to improve digital security is to follow all the up-to-date cyber security guidance and cyber alerts NHS Digital publishes – as new security updates and warnings are published nearly every day, it is important to stay up to date with all the latest information. Ensuring that all staff are properly trained in cyber security protocols can help with awareness of potential security issues and ensure that protocols are followed more closely. It is also essential to create a security culture that encourages staff to report any potential breaches or mistakes with the reassurance that their organisation will provide them with support and training rather than disciplinary action.
We believe that by improving these four areas, data security in the healthcare industry can be significantly improved, enabling patients to be confident that their data will not end up in the wrong hands.
¹ Data security incident trends. (2022). ICO. https://ico.org.uk/action-weve-taken/data-security-incident-trends/
² Penalties. (2022). ICO. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-le-processing/penalties/
³ ICO sets out revised approach to public sector enforcement. (2022). ICO. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/06/ico-sets-out-revised-approach-to-public-sector-enforcement/