The Information Commissioner's Office (ICO), regulator of the Data Protection Act 1998 and other privacy related legislation, recently published its latest findings on reported security breaches involving personal data up to the end of June 2016. At first sight, the figures make for depressing reading for the health sector; of 545 reported breaches in the period from April 2015 to June 2016, nearly half (243) originated in the health sector. The next closest sector was local government, with 62 breaches.
All is not as it seems
However, this seemingly poor performance by the health sector is misleading due to the following two factors:
- Firstly because the NHS requires institutions and providers to report data breaches to the ICO. This is not a legal obligation, but imposed through the Health and Social Care Information Centre's (HSCIC) Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation, which came into force on 1 June 2013. The reporting is now done through the IG Toolkit website, which means that the ICO automatically receives notification of serious incidents. Breach notification is not mandatory for other data controllers (with the exception of communication providers under different legislation). Once reporting is mandatory for all sectors from 2018, it will be interesting to see if this very high proportion of health-sector breaches is evened out.
- Secondly because healthcare involves the processing of medical information, classed as sensitive personal data. Any breach involving sensitive personal data is automatically more significant and therefore more likely to fall within the parameters of breach that should be reported according to the ICO's guidance.
So the very high number of health sector breaches is not solely due to substantially worse security practices in the health sector than elsewhere.
Another reason for the health sector to take heart is that the largest numbers of breaches are caused by issues that are relatively simple to address, such as:
- Human error when data is posted, faxed or emailed to the wrong recipients. This can be addressed by better training of personnel, by prompting the sender for confirmation when an email is going to a large number of recipients, and by disabling address autocomplete so that the mail client cannot silently substitute a different recipient for the one the sender intended. None of this requires an expensive solution. The consequences of these breaches, however, are expensive: one Foundation Trust was fined this quarter for failing to use the bcc field when sending a newsletter to patients of an HIV clinic, so that every recipient could see every other recipient's address;
- Loss or theft of paperwork. Whilst theft is harder to prevent entirely, simple procedures to lock away paperwork or allow access to it in secure locations only can reduce the risk;
- Unencrypted devices. This goes hand-in-hand with loss. If a laptop is lost or stolen, the loss is much less significant if the device is encrypted. This does involve some additional spend to ensure that devices are properly encrypted, but it is vital in the event of a loss. The ICO regards encryption as a basic step to ensuring adequate security. Its application can be centrally controlled by an organisation (for example by enforcing full-disk encryption through device management policy), removing reliance on the vigilance of staff. The importance of encryption has been highlighted in the new General Data Protection Regulation: if data is lost or accessed without permission but was encrypted, the data controller will not have to notify data subjects of the breach (Article 34(3)(a)). The practical caveat is that this exemption only holds while the key remains out of the attacker's reach, so disk encryption protects a device that is lost powered off or locked, not one taken while unlocked, and not one whose passphrase is written on a sticky note.
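The bcc failure above is a specific, testable mistake: recipients of a bulk mailing placed in the To or Cc header instead of Bcc. As an added illustration (not code from the article or from any NHS organisation), the following Python pre-send guard builds a bulk mailing with patients in Bcc only and refuses any message whose visible recipient list exceeds a policy threshold. The threshold of one visible address (the sender's own mailbox) and the sample addresses are assumptions for the example; the check itself works on any RFC 5322 message.

```python
"""Pre-send guard for bulk mailings: recipients must be in Bcc, never To/Cc.

Added example, not part of the original article. The policy threshold and the
sample addresses below are assumptions for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: a bulk mailing may show at most one visible address
# (conventionally the sender's own mailbox in the To field).
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that all recipients will be able to see.

    Only To and Cc are visible; Bcc is stripped by the sending MTA and used
    purely as envelope recipients, which is what makes it safe for mailings.
    """
    addrs = []
    for header in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.append(addr.lower())
    return addrs


def is_safe_to_send(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True if the message does not expose a recipient list to every recipient."""
    return len(visible_recipients(msg)) <= max_visible


def build_bulk_message(sender: str, subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """Build a mailing the safe way: To points back at the sender, patients go in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)  # smtplib.send_message() uses Bcc for the envelope then drops the header
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_exposed_message(sender: str, subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """The mistake in the fined case: every patient listed in the visible To field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample data for the demonstration; not real patients.
    clinic = "clinic@example.org"
    patients = ["alice@example.org", "bob@example.org", "carol@example.org"]
    good = build_bulk_message(clinic, "Newsletter", "Hello", patients)
    bad = build_exposed_message(clinic, "Newsletter", "Hello", patients)
    print("bcc mailing safe to send:", is_safe_to_send(good))     # True
    print("exposed mailing safe to send:", is_safe_to_send(bad))  # False
    print("visible in exposed mailing:", visible_recipients(bad))
```

In practice the guard sits in whatever sends the mailing (a script, a mail-merge tool, or a mail gateway rule) and blocks the send rather than just warning; the point is that the control does not depend on a busy member of staff remembering which field to use.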
So, what next?
Data security is an issue which will not go away. On the regulatory side, the much higher levels of fines in the new General Data Protection Regulation (up to 4% of annual global turnover or €20 million, whichever is higher), which will apply from 25 May 2018, bring compliance with data protection laws into sharp focus and put them on the corporate governance radar. Within the sector, Dame Fiona Caldicott published her Review of Data Security, Consent and Opt-outs in July 2016, which urged the health sector to address security as a blocker to patient trust and to the sector's ability to share data. At grass roots level, data is being collected, transferred and used in more and more ways to enhance patient outcomes: more personalised medicine, better monitoring of health, increased accessibility to healthcare (for example remote delivery and consultations), more efficient journeys through the NHS system and better whole-population management.
NHS Digital (previously HSCIC) is leading the way with its new CareCERT programme and products in order to change the approach toward security in health organisations. Various data security schemes and standards already exist: the Information Governance Toolkit (IG Toolkit), the Cyber Essentials scheme, the 10 Steps to Cyber Security, and the ISO/IEC 27000 series. However, the IG Toolkit has often been seen as a tick-box exercise, the Cyber Essentials scheme is not yet widely used and the ISO standards are generally regarded as too expensive and time-consuming for this sector.
So, NHS Digital has created the Care Computer Emergency Response Team (CareCERT), which will issue national-level threat advisories, publish good practice and guidance, and run a national cyber security incident management function to try to put the NHS one step ahead of cyber attacks and vulnerabilities. CareCERT is still in its infancy (launched in October 2015, with three new services added in September 2016), so it is too early to judge its success, although case studies from two early examples have shown it is having a positive impact. Its clear objective, though, is to overcome public distrust and the belief, coloured by reports from regulators such as the ICO, that health information is not secure when handled by the NHS.
It is vital that the health sector shows patients that they can trust it with their data, in order to encourage patients to engage with the new tools available to them, which will bring healthcare benefits to individuals and to society as a whole. The playing field is not currently level, as the NHS expects health organisations to report breaches while most other sectors are under no such obligation. The majority of those breaches can be fixed easily as long as the sector implements some basic measures. This needs to happen before reporting becomes mandatory across all sectors, to ensure that the health sector does not continue to make the headlines for the wrong reasons. It is also crucial if the health sector is to take full advantage of digital transformation and innovation.