Is your enterprise making the same mistakes as the NHS?

The NHS is, and always has been, a shocking example of how information security policy means diddly-squat without proper staff education and more than a little application of the disciplinary stick when breaches occur.


COMMENT: While the NHS gets all the bad publicity it deserves as far as lackadaisical data security policy implementation is concerned, I am not convinced it should be singled out as the pantomime villain on the ITsec stage: sloppy security is behind you. Oh yes it is...

During the last three years, according to a report based around Freedom of Information Act requests made by Big Brother Watch and published over the weekend, there have been more than 800 separate incidents within the NHS whereby patient records have been compromised.

Or, to put it another way, here's an enterprise which has seen data security policy trampled over at least five times per week during a three-year period. It's not that NHS policy is badly drafted in this regard. Indeed, I've had the misfortune to have spent rather a lot of my professional life over the last five years or so studying the principles for information security and the various documents covering data security policy within the NHS produced by Connecting for Health and the Department for Health.


The truth is those policies are perfectly acceptable, no pun intended, and more than fit for purpose in an enterprise of such octopus-like proportions as the NHS (it has arms everywhere). So why, then, did Big Brother Watch discover that there had been, amongst other breaches of policy, no fewer than 91 cases where NHS staff had inappropriately accessed information about colleagues and 23 cases where NHS staff had inappropriately posted patient data on social networking sites? Or how about the 24 NHS trusts who'd seen confidential data lost or stolen courtesy of breaches of said policy?

I'm using the 'at least' disclaimer here quite a lot, as you may have noticed, as 55 NHS trusts refused to comply completely with the Freedom of Information Act request, and 44 failed to respond at all.

Anyone getting a mental image of an ostrich, rather than the octopus mentioned earlier, and one with its head buried firmly in the sand at this point? I am, although I think that perhaps Big Brother Watch has its own head stuck somewhere else when it states that "despite these breaches of Data Protection policy, just 102 cases resulted in dismissal of staff" as if to suggest that every policy breach should be met with an 'off with their heads' type response.

Quite patently, dismissing everyone involved is not the right approach to dealing with every (or indeed any, for that matter) security policy breach. So what is the correct approach?

It's simple. It requires the ability to step back, let the blood drain from your face and accept that education is key. Not that corporate punishment is to be ignored, but hitting someone with a big stick when they don't truly appreciate what they have done wrong is never going to solve anything. It's akin to trying to cure a decapitation with a sticking plaster: far better to have told the idiot not to stick his head out of the car window on the motorway in the first place...

Where I do agree with Big Brother Watch, and director Nick Pickles, is when it argues that "it is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable". Burying the head in the sand is not big and not clever. It is never going to help make things better.


If you want to avoid becoming the security ostrich of your sector, then it's vital you learn from the mistakes of the NHS, which means you don't assume that writing good policy and waving it at your staff is good enough. End user education must be at the centre of your data security strategy, along with the implementation of appropriate systems to ensure that the policy is being adhered to.

Ensuring appropriate access rights to data is not rocket science these days, nor is effective auditing of your policy in action.
