Is your enterprise making the same mistakes as the NHS?

The NHS is, and always has been, a shocking example of how information security policy means diddly-squat without proper staff education and more than a little application of the disciplinary stick when breaches occur.

security button on keyboard

COMMENT:While the NHS gets all the bad publicity it deserves as far as lapsidaisical data security policy implementation is concerned, I am not convinced it should be singled out as the pantomime villain on the ITsec stage: sloppy security is behind you. Oh yes it is...

During the last three years, according to a report based around Freedom of Information Act requests made by Big Brother Watch and published over the weekend, there have been more than 800 separate incidents within the NHS whereby patient records have been compromised.

Or, to put it another way, here's an enterprise which has seen data security policy trampled over at least five times per week during a three-year period. It's not that NHS policy is badly drafted in this regard. Indeed, I've had the misfortune to have spent rather a lot of my professional life over the last five years or so studying the principles for information security and the various documents covering data security policy within the NHS produced by Connecting for Health and the Department for Health.

Don't assume that writing good policy and waving it at your staff is good enough. End user education must be at the centre of your data security strategy.

Advertisement - Article continues below
Advertisement - Article continues below

The truth is those policies are perfectly acceptable, no pun intended, and more than fit for purpose in an enterprise of such an octopus like proportion as the NHS (it has arms everywhere). So why, then, did Big Brother Watch discover that there had been, amongst other breaches of policy, no less than 91 cases where NHS staff had inappropriately accessed information about colleagues and 23 cases where NHS staff had inappropriately posted patient data on social networking sites? Or how about the 24 NHS trusts who'd seen confidential data lost or stolen courtesy of breaches of said policy?

I'm using the 'at least' disclaimer here quite a lot, as you may have noticed, as 55 NHS trusts refused to comply completely with the Freedom of Information Act request, and 44 failed to respond at all.

Anyone getting a mental image of an ostrich, rather than the octopus mentioned earlier, and one with its head buried firmly in the sand at this point? I am, although I think that perhaps Big Brother Watch has its own head stuck somewhere else when it states that "despite these breaches of Data Protection policy, just 102 cases resulted in dismissal of staff" as if to suggest that every policy breach should be met with an 'off with their heads' type response.

Quite patently, dismissing everyone involved is not the right approach to dealing with every (or indeed any, for that matter) security policy breach. So what is the correct approach?

It's simple. It requires the ability to step back, let the blood drain from your face and accept that education is key. Not that corporate punishment is to be ignored, but hitting someone with a big stick when they don't truly appreciate what they have done wrong is never going to solve anything. It's akin to trying to cure a decapitation with a sticking plaster: far better to have told the idiot not to stick his head out of the car window on the motorway in the first place...

Where I do agree with Big Brother Watch, and director Nick Pickles, is when it argues that "it is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable". Burying the head in the sand is not big and not clever. It is never going to help make things better.

Advertisement - Article continues below

If you want to avoid becoming the security ostrich of your sector, then it's vital you learn from the mistakes of the NHS, which means you don't assume that writing good policy and waving it at your staff is good enough. End user education must be at the centre of your data security strategy, along with the implementation of appropriate systems to ensure that the policy is being adhered to.

Ensuring appropriate access rights to data is not rocket science these days, nor is effective auditing of your policy in action.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Are you taking enough accountability on cyber security?

18 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

How can you protect your business from crypto-ransomware?

4 Nov 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020