Medical records are a prime target for information thieves, making it essential for organisations to keep healthcare confidential data secure and dispose of in a responsible manner when no longer required.
Medical records contain some of the most sensitive personal data to be found anywhere. As a result, they have high potential value for information thieves, and are often targeted by hackers.
The Information Commissioner’s Office (ICO) is responsible for overseeing data governance in the UK, and all government departments report to it. Last year, the ICO revealed that healthcare suffered more data breaches than any other sector in the UK. In fact, around half of all reported data breaches took place at health organisations, both public and private.
For example, the last quarter of 2015 saw no fewer than 184 security breaches in the healthcare sector. That put healthcare well ahead of the next highest sector, local government, which reported 43 breaches in the same period.
Medical identity theft is a growing problem in the UK. This is when criminals use fake identification to obtain prescription drugs, whether through pharmacies or just on the black market. It often goes hand in hand with the misuse of healthcare insurance, and can have serious repercussions for medical staff and patients alike.
With so many worrying data breaches in the healthcare sector, it’s vital that staff in charge of medical records understand how to manage them properly in order to comply with legislation and protect patients.
Healthcare organisations’ obligations under the law
If you handle patient information, you’re legally obliged to protect it. The Data Protection Act says that you should only collect information that you need for a specific purpose. You must make sure that it’s kept securely, and that it’s relevant and up to date. You should only hold as much as you need, for as long as you need it. Finally, the subject of the information – that is, the person it refers to – is allowed to see it whenever they ask. The ICO has provided resources specifically for the health sector on their website to help operate in line with the Data Protection Act.
A key part of information security is ensuring that records are properly disposed of when they’re no longer needed. Physical shredding can play a key role here, by helping organisations ensure that healthcare confidential data is destroyed in a secure, confidential way, so it cannot be retrieved or used by information thieves.
Types of healthcare confidential data suitable for shredding
- Patient notes and records that are held on paper contain extensive personal information on patients and their medical histories. Keeping this information confidential is the foundation of trust between doctor and patient, and it’s essential that it’s stored safely and securely destroyed when no longer needed.
- X-ray films are confidential medical records too, with the same status as paper or electronic records. They can contain identifying information about the patient, which could allow an information thief to discover medical details about them. While they were once regarded as transitory – that is, not to be kept at all – there is a trend for them to be held for longer periods. They also need to be treated as confidential waste.
- Staff rotas and other personnel records may not involve patients, but they can still contain confidential information and should be securely shredded when they’re no longer needed.
Shred Station offers a secure shredding service for public and private healthcare organisations throughout the UK, including hospitals, local health trusts, clinical commissioning groups (CCGs), doctors’ and GPs’ surgeries, medical centres, private clinics, pharmacies, care home providers and domiciliary care organisations.
We can carry out shredding at your premises, or alternatively at our own fully secure depots. Our trained employees undergo rigorous vetting and security checks in line with BS7858 and we are accredited to the highest standards as a security shredding provider in the UK. Please see our accreditations page for details.