Data security incidents in the health sector

The latest figures for security breaches in the healthcare sector show all too clearly why hospitals, surgeries and other medical organisations need to take particular care with confidential data.

In the figures for 2016 data security breaches recently released by the Information Commissioner’s Office (ICO), healthcare was far and away the worst-performing sector, accounting for 876 of 2168 breaches, or a huge 40% of the total.

Why does the health sector suffer so many security breaches? It’s partly down to its size, and the sheer amount of confidential data on patients and staff that it must handle. Those thousands of medical records, all containing highly sensitive data, make healthcare a ‘honeypot’ for information thieves. Medical identity theft is a growing problem in the UK, as is medical insurance fraud.

There are certain ways of dealing with data that are specific to the health sector, which raise particular risks. For example, tablets and mobile devices are often used to record patients’ details in healthcare settings. Because of an expectation that these devices will be used by individual owners, they often have an ‘auto-fill’ function enabled by default, which remembers personal details entered into online forms. If this is not deactivated, the next user of a device might see the previous user’s details appearing in a form.

There were 10 cases of data loss due to cybersecurity misconfiguration in the sector during 2016, and 25 cyber incidents overall.

However, not all the problems are digital in origin. The handling and disposal of paper records is another area where healthcare organisations can run into problems. In addition to patient notes and records, X-ray films and even staff notes can all have value to thieves.

According to the ICO, during 2016 there were 47 instances of paperwork being disposed of in an insecure way, and 168 where paperwork was lost or stolen. Data was left in an insecure location on 41 occasions, and it was posted or faxed to an incorrect recipient no fewer than 195 times.

Digital security issues are complex, even for IT professionals. But when it comes to disposing of confidential records held on paper, there’s an easy solution. A professional shredding company such as Shred Station can make sure all used records are securely destroyed, providing a certificate of destruction as proof.

Our trained employees undergo rigorous vetting and security checks in line with BS7858 and we are accredited to the highest standards as a security shredding provider in the UK. Shredding can be carried out on site, or at our own secure premises, with regular collections available if required. To learn more, visit our services pages.