Data leaks and the NHS: Why they happen and how to stop them
A Tooting based NHS trust recently hit the headlines when a patient’s cancer diagnosis was accidentally shared with the wrong person.
Mr Pillay was undergoing treatment at St George’s Hospital when his daughter submitted a complaint regarding his care. Whilst under investigation, a response was mistakenly shared with Mr Pillay’s niece rather than his daughter, thereby revealing details of his illness to a family member who had previously been unaware.
This is one example of many whereby human error in digital communications has had catastrophic effects for NHS patients, begging the question:
Why do data leaks in the healthcare sector still happen and how can they be prevented?
So far this year, 1,609 of the incidents reported to the ICO originated in the healthcare sector - over 20% of all reports.
We are all well versed in inbound data breaches - malicious attacks designed to trick employees into handing over sensitive data, or ever-smarter hackers gaining access to corporate networks. In a recent survey into digital security and workplace productivity, we learned that nearly half of IT leaders consider malware and phishing to be their organization’s biggest security concern.
However, it may surprise you to learn that of the 1,609 reported incidents, a huge 81% (1,318) of these were due to ‘non-cyber related’ causes - i.e. human error.
15% of these were the result of data being accidentally emailed to the wrong person, as with the incident at St George’s Hospital.
This points towards an imbalance between where security threats are presumed to be and the action being taken to prevent them.
Simply put, the more data we handle, the more likely it is that an incident will occur. And, with the NHS handling millions of patients’ data every day, it is no surprise that accidents happen.
“We know, historically, that most data breaches reported to Datix originated from corporate teams (...) In the NHS, the sensitive data we handle isn’t only limited to patient data or clinical information - it’s corporate data, too.” - Sarah Judge, West Suffolk NHS Foundation Trust
How healthcare professionals can prevent data leaks
In a recent survey into digital security and workplace productivity, we found that 88% of employees rely on email to get the job done, with 81% considering it to be the most secure way of sharing sensitive data.
Email, however, isn’t as watertight as you might think. Unfortunately, while the majority of organizations today have applied security measures to prevent incoming attacks, outbound errors keep happening.
This is because incidents resulting from human error (such as that at St George’s Hospital and countless others) are often considered unavoidable, or because the solutions employed to prevent them simply aren't up to scratch.
However, this is no longer the case.
Progressive digital security teams realize that traditional email clients are not robust enough to ensure the required levels of security today. Equally, simply expecting people to behave securely is unrealistic and places an enormous amount of pressure on busy employees.
Indeed, our Freedom to Focus research found that 41% of employees feel the biggest barrier to their focus is bureaucracy and process overload.
In recognition of this issue, IT leaders are seeking to strike a balance between digital communications security and employee productivity. How are they doing this? By leveraging security solutions to enhance existing email clients with advanced encryption and in-the-moment error prevention functionality.
These next generation solutions do not require employees to change their behaviors, learn how to navigate a new system, or switch between platforms to engage with different stakeholders. Their email still looks and feels the same - it’s just a lot smarter, and far more secure as a result.
Autofill errors, accidentally sending emails to the wrong person, or mistakenly cc’ing recipients instead of using Bcc - these common errors are no longer unavoidable. Machine learning-powered business rules, specific to the healthcare industry, can read emails while they are being prepared and identify the presence of sensitive data in the body or attachments of emails. This includes personally identifiable information and NHS numbers.
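As an added illustration, not code from this page or from any vendor, here is a small rule-based stand-in for the in-the-moment check the paragraph describes. Instead of a machine-learning classifier it uses a deterministic rule: it scans the draft body and the extracted text of attachments for NHS numbers (validated with the modulus 11 check digit that NHS numbers carry, so a reference number or phone number with the wrong digit is not flagged), then warns when that data is addressed to an external domain and when several external addresses are visible in To/Cc rather than Bcc. The internal domain, addresses and message contents are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Assumed internal domain for the sending trust (placeholder, not a real trust).
INTERNAL_DOMAINS = {"example-trust.nhs.uk"}

# Ten digits, optionally grouped 3-3-4 with spaces or hyphens.
NHS_NUMBER_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")


def nhs_number_is_valid(candidate: str) -> bool:
    """True if the ten digits pass the NHS number modulus 11 check digit."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 10:
        return False
    # Weights 10 down to 2 over the first nine digits.
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # no valid NHS number produces this remainder
    return check == int(digits[9])


def find_nhs_numbers(text: str) -> list[str]:
    """Digit runs that look like NHS numbers and pass the check digit."""
    return [m.group(0) for m in NHS_NUMBER_RE.finditer(text)
            if nhs_number_is_valid(m.group(0))]


@dataclass
class Draft:
    sender: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    body: str = ""
    # Attachment name -> text already extracted from it (constructed here).
    attachments: dict[str, str] = field(default_factory=dict)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_draft(draft: Draft) -> list[tuple[str, str]]:
    """Pre-send checks. Returns (rule, detail) findings; empty when the draft is clean."""
    findings: list[tuple[str, str]] = []
    for where, text in [("body", draft.body), *draft.attachments.items()]:
        hits = find_nhs_numbers(text)
        if hits:
            findings.append(("nhs_number", f"{len(hits)} NHS number(s) in {where}"))
    visible = draft.to + draft.cc
    external = [a for a in visible if _domain(a) not in INTERNAL_DOMAINS]
    if findings and external:
        findings.append(("external_recipient",
                         "sensitive data addressed to: " + ", ".join(external)))
    if len(external) > 1:
        findings.append(("bcc_expected",
                         f"{len(external)} external addresses visible in To/Cc"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a complaint response with the patient's NHS number in the attachment.
    draft = Draft(
        sender="complaints@example-trust.nhs.uk",
        to=["relative.one@example.com"],
        cc=["relative.two@example.com"],
        body="Please find attached our response to your complaint, ref 123 456 7890.",
        attachments={"response.docx": "Patient NHS number: 943 476 5919. Diagnosis follows."},
    )
    for rule, detail in check_draft(draft):
        print(f"[{rule}] {detail}")
```

A real deployment would run this at the point of sending and prompt the user to confirm or correct the recipients rather than silently block; the value of the check-digit step is that it keeps false positives low enough that staff do not learn to click through the warning.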
In addition, a not insignificant 15% of non-cyber-related data incidents in the healthcare sector so far this year were due to loss or theft of paperwork. The NHS, for example, still relies on hardcopy communications today - millions of appointment reminders and patient letters are sent daily. But this is neither efficient nor truly secure.
Email is universal and easy to use; employees rely on it above all other platforms. NHS IT teams must take note and leverage every technological opportunity to enhance the security of this vital platform.
After all, there are few other sectors in which the effects of a data leak are quite as impactful as in healthcare. For the NHS, data protection is about people protection. It’s up to IT leaders to empower their employees to proactively secure every digital communication.
Last updated - 19/10/22