ITPRO

Printed from www.itpro.co.uk


NHS: No Hope Security?

Will the ICO’s clampdown on NHS data breaches solve the ongoing problem of security, or does there need to be a bigger, better solution? Jennifer Scott investigates.

By Jennifer Scott, 4 Jul 2011 at 10:44

The National Health Service (NHS) is renowned for its poor record when it comes to security breaches. Unencrypted laptops and USB sticks end up in the strangest of places, not through pure stupidity, but due to a lack of understanding of security and no one seemingly taking charge of putting security policies in place.

The Information Commissioner’s Office (ICO) regularly deals with such cases – including the recent breach which saw a laptop with 8.6 million medical records go walkabout – and even it seems to have lost its temper when it comes to this particular matter.

Last year, deputy commissioner David Smith claimed the NHS was responsible for a third of all reported data breaches in the UK.

But last week, the head of the ICO, information commissioner Christopher Graham, announced a further crackdown to try to force the NHS to solve the “systematic problem” of data breaches and overall security.

“The policies and procedures may already be in place but the fact is that they are not being followed on the ground,” he said. “Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.”

He added: “The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn’t be a day-to-day burden if effective measures are built in and then become second nature.”

Make a difference?

Standing up and admitting the NHS is such a problem, as well as vowing to crack down on the system, has won Graham widespread praise from the security industry. But will a more forceful ICO be the answer to all its security issues?

Rik Ferguson, director of security research at Trend Micro, pointed out there had already been a mandatory roll-out of endpoint encryption across the NHS but unencrypted devices were still being picked up at bus stops and car parks.

He claimed it was “tough to say” if Graham’s plans will hold much weight as it depends on the motivation to stay secure.

“If it is the accomplishment of rolling out a comprehensive and successful data protection programme, encompassing data security policies, encryption, data-leakage prevention, network and endpoint protection and, importantly, training then the teeth of the ICO should provide very little encouragement,” he said.

“However if it’s more driven by the avoidance of financial penalty and bad PR then, of course, it will help.”

Clive Longbottom, founder of analyst firm Quocirca, said the ICO attempting to show its teeth would make no difference whatsoever.

“A fine to the NHS is just charging the taxpayer,” he told IT Pro. “Therefore, there is no real emphasis on driving such change.”

He suggested “true accountability” for either individuals or systems integrators was key to driving the change, as people or companies would be much keener to ensure everything was secure if they themselves were responsible.
