News Archive

NHS Breaches

by msecadm4921

A report published by Big Brother Watch, a privacy campaign group, suggested that confidentiality of NHS records is breached, with patient records being exposed in 800 instances in the past three years by more than 150 NHS trusts.

Medical information is lost or shared on Facebook, and NHS staff look at each other’s medical records, it is claimed. According to Freedom of Information Act requests, between July 2008 and July 2011 there were at least 806 separate incidents where patient medical records were compromised, highlighting a shocking number of incidents in the NHS where patient medical records were accessed inappropriately. This included:

 * 23 incidents of patient information being posted on social networking sites
 * 91 incidents of NHS staff looking up details of colleagues
 * 24 NHS Trusts saw confidential information stolen, lost or left behind by staff
 * 44 NHS trusts failed to respond to the Freedom of Information request and 55 Trusts refused to release all or some of the information requested.

Despite these breaches of Data Protection policy, just 102 cases resulted in dismissal of staff. You can download the report at the BBW website.

Nick Pickles, director of Big Brother Watch, said: “This research highlights how the NHS is simply not doing enough to ensure confidential patient information is protected.

“The information held in medical records is of huge personal significance and for details to be disclosed, maliciously accessed or lost and these cases represent serious infringements on patient privacy.

“As the summary care record scheme is rolled out and an increasing number of people have access to private patient information, urgent action is needed to ensure that we can be sure our medical records are safe.

“It is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable.”

Speaking at the 10th annual data protection compliance conference in London, Information Commissioner Christopher Graham said data breaches in the NHS continue to be “a major problem”. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40 percent (19) were in the healthcare sector.

The research follows on from an earlier Big Brother Watch report, ‘Broken Records’, which highlighted how more than 100,000 non-medical personnel working in NHS acute trusts in Britain have access to confidential medical records. It comes days after the Commons Justice Select Committee argued courts should have the power to punish people breaching the Data Protection Act with prison sentences, saying fines are an “inadequate” deterrent.

Meanwhile, Varonis says the latest ICO research should act as a wake-up call to IT security. Commenting on research from the Information Commissioner’s Office (ICO) advising that businesses are waking up to their data protection responsibilities, Varonis says that IT security people need to be aware of the dangers that their data – and in particular, unstructured data – now pose to their organisations.

According to David Gibson, director of technical services with the data governance product company, the ICO’s research shows that, while three quarters of businesses know that the Data Protection Act (DPA) requires them to keep their data secure, less than half believe that organisations process their data in a fair and proper manner.

“This tells us that there is a significant gulf between what firms say they believe, and the reality. The reality, of course, is that few businesses have the access control processes or audit capabilities to prove that they are in complete control of their data, and are therefore risking a breach of the DPA,” he said.

“The problem facing IT professionals is a potentially major one, as research has shown that 80 per cent of data in major organisations is unstructured, making the task of knowing who is doing what, when and where with that data all the more difficult,” he added.

And perhaps more importantly from the ICO’s perspective, Gibson went on to say, proving that you know what is happening to your company’s unstructured data is also a lot more difficult—if there are few preventive or detective controls in place there is very little evidence to present. As an example, evidence that a file share is controlled might include a record of the last time access was reviewed on that share, who reviewed it, what decisions they made, and who has accessed which files in the share since the review. Very few organisations have these controls in place.
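The evidence listed above (when the share was last reviewed, by whom, what was decided, and who has accessed which files since) can be assembled from a review record and an access log. The sketch below is an added example, not code from Varonis or the article; the share name, record layout, user names and log entries are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data for a hypothetical file share (not from the article).
REVIEW = {
    "share": r"\\fileserver\patient-letters",
    "reviewed_at": "2011-09-01T10:00:00",
    "reviewer": "records.manager",
    "decisions": {"a.nurse": "keep", "b.clerk": "revoke", "c.doctor": "keep"},
}
ACCESS_LOG = [  # (timestamp, user, file) as an audit trail might record them
    ("2011-08-30T09:12:00", "b.clerk", "letter_0413.doc"),
    ("2011-09-02T14:05:00", "a.nurse", "letter_0413.doc"),
    ("2011-09-03T08:41:00", "b.clerk", "referrals.xls"),
    ("2011-09-05T16:20:00", "d.temp", "referrals.xls"),
    ("2011-09-06T11:02:00", "c.doctor", "letter_0519.doc"),
]

def build_evidence(review, access_log):
    """Summarise the last review and classify every access made after it."""
    reviewed_at = datetime.fromisoformat(review["reviewed_at"])
    since = {}        # user -> set of files touched after the review
    exceptions = []   # accesses the review decisions do not cover
    for ts, user, path in access_log:
        if datetime.fromisoformat(ts) <= reviewed_at:
            continue  # predates the review, so outside this evidence window
        since.setdefault(user, set()).add(path)
        decision = review["decisions"].get(user)
        if decision == "revoke":
            exceptions.append((ts, user, path, "access revoked at review"))
        elif decision != "keep":
            exceptions.append((ts, user, path, "user not covered by review"))
    return {
        "share": review["share"],
        "last_reviewed": review["reviewed_at"],
        "reviewer": review["reviewer"],
        "decisions": dict(review["decisions"]),
        "accesses_since_review": {u: sorted(f) for u, f in since.items()},
        "exceptions": exceptions,
    }

if __name__ == "__main__":
    report = build_evidence(REVIEW, ACCESS_LOG)
    print("Last reviewed", report["last_reviewed"], "by", report["reviewer"])
    for user, files in report["accesses_since_review"].items():
        print(" ", user, "->", ", ".join(files))
    for ts, user, path, reason in report["exceptions"]:
        print("EXCEPTION", ts, user, path, "-", reason)
```

An empty exceptions list alongside a recent review date is the kind of record that can be presented as evidence; a non-empty one shows where a review decision was not enforced or a user was never reviewed.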

That’s not to say that the task of auditing and securing unstructured data is impossible, he adds, noting that unstructured data is information that either does not have a pre-defined data model and/or does not fit well into relational tables.

Unstructured information such as spreadsheets, presentations and word processing documents, says Varonis’ director of technical services, is typically text heavy and often contains personal information. Unstructured data is less predictable than structured data stores (databases), where personal information is likely to be in a designated field. Databases also often have controls and auditing built-in, whereas the native controls on unstructured repositories are usually unavailable or consume too many resources to enable.

“While we welcome the media exposure that the ICO’s latest research into data protection creates, we think it still raises more questions than it answers. People should also note that the ICO also has a vested interest in all of this, as it is still the gatekeeper for everyone’s data,” he added.

“Companies and their IT staff need to wake up and smell the coffee. All data now has a value to someone, and some data has a much higher value than the rest. The real question for most organisations is what systems they have in place to audit their data accesses – and how these systems will be assessed and interpreted by the ICO in the event that a data breach does occur.”

For more on Varonis: www.varonis.com .

For more on the ICO’s research: http://bit.ly

© 2024 Professional Security Magazine. All rights reserved.