Is your enterprise making the same mistakes as the NHS?

The NHS is, and always has been, a shocking example of how information security policy means diddly-squat without proper staff education and more than a little application of the disciplinary stick when breaches occur.


COMMENT: While the NHS gets all the bad publicity it deserves as far as lackadaisical data security policy implementation is concerned, I am not convinced it should be singled out as the pantomime villain on the ITsec stage: sloppy security is behind you. Oh yes it is...

During the last three years, according to a report based around Freedom of Information Act requests made by Big Brother Watch and published over the weekend, there have been more than 800 separate incidents within the NHS whereby patient records have been compromised.


Or, to put it another way, here's an enterprise which has seen its data security policy trampled over at least five times per week for three years. It's not that NHS policy is badly drafted in this regard. Indeed, I've had the misfortune of spending rather a lot of my professional life over the last five years or so studying the principles for information security and the various documents covering data security policy within the NHS produced by Connecting for Health and the Department of Health.



The truth is those policies are perfectly acceptable, no pun intended, and more than fit for purpose in an enterprise of such octopus-like proportions as the NHS (it has arms everywhere). So why, then, did Big Brother Watch discover that there had been, amongst other breaches of policy, no fewer than 91 cases where NHS staff had inappropriately accessed information about colleagues and 23 cases where NHS staff had inappropriately posted patient data on social networking sites? Or how about the 24 NHS trusts that had seen confidential data lost or stolen courtesy of breaches of said policy?


I'm using the 'at least' disclaimer here quite a lot, as you may have noticed, as 55 NHS trusts refused to comply completely with the Freedom of Information Act request, and 44 failed to respond at all.

Anyone getting a mental image of an ostrich, rather than the octopus mentioned earlier, and one with its head buried firmly in the sand at this point? I am, although I think that perhaps Big Brother Watch has its own head stuck somewhere else when it states that "despite these breaches of Data Protection policy, just 102 cases resulted in dismissal of staff" as if to suggest that every policy breach should be met with an 'off with their heads' type response.

Quite patently, dismissing everyone involved is not the right approach to dealing with every (or indeed any, for that matter) security policy breach. So what is the correct approach?

It's simple. It requires the ability to step back, let the blood drain from your face and accept that education is key. Not that corporate punishment is to be ignored, but hitting someone with a big stick when they don't truly appreciate what they have done wrong is never going to solve anything. It's akin to trying to cure a decapitation with a sticking plaster: far better to have told the idiot not to stick his head out of the car window on the motorway in the first place...


Where I do agree with Big Brother Watch, and director Nick Pickles, is when it argues that "it is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable". Burying the head in the sand is not big and not clever. It is never going to help make things better.

If you want to avoid becoming the security ostrich of your sector, then it's vital you learn from the mistakes of the NHS, which means you don't assume that writing good policy and waving it at your staff is good enough. End user education must be at the centre of your data security strategy, along with the implementation of appropriate systems to ensure that the policy is being adhered to.

Ensuring appropriate access rights to data is not rocket science these days, nor is effective auditing of your policy in action.
