It seems like every week news breaks of a fresh health service data breach. In mid-April 2012, a London healthcare trust admitted to losing two unencrypted memory sticks that contained sensitive data relating to 600 maternity and paediatric patients. In a separate incident on the same day, it transpired that an IT provider had accidentally sent the details of 600,000 NHS patients to the US.
Such incidents are not unique to the UK. In the US, hackers stole the social security numbers and personal details of 780,000 patients from the Utah Department of Technology Services – a weak password was blamed. The legal community is also paying close attention to data security.
In California, where breaching the Confidentiality of Medical Information Act can result in damages of $1,000 for each violated individual, law firms are examining the possibility of launching privacy-data breach, class-action lawsuits against medical service providers. This could prove incredibly damaging to healthcare bodies in the state.
One has to be careful not to jump to conclusions. Press hyperbole can make these stories seem more numerous and serious in nature than they actually are. The case of the lost memory sticks was solved, with neither believed to have fallen into the wrong hands. Still, such incidents are an embarrassment for healthcare providers, and a source of constant frustration for regulators and government commissions.
Data loss in healthcare
Founded in 1984, the UK’s Information Commissioner’s Office (ICO) is an independent public body, funded by the UK Ministry of Justice, with a broad mandate to ‘uphold information rights in the public interest, and promote openness by public bodies and data privacy for individuals’.
Healthcare, education and local government are covered by the same branch under the Public Services Strategic Liaison Group. According to its head, Dawn Monaghan, the loss of data stored on electronic and mobile devices is a growing concern in the healthcare segment.
"When it was just manual records, people like general practitioners and midwives would keep the record in a particular place, retrieve it and put it back – there was a process to be carried out," she explains. "With mobile devices, people almost forget the data is on there and that when they press a button they could be sharing it with God knows who. I wouldn’t say the seriousness of breaches has increased, but the frequency has."
Monaghan’s team keeps a close eye on any legislation or initiative that might have an impact on data security or freedom of information. It then looks to engage with all the relevant parties, be they medical associations, unions or government departments, to ensure that they are ready to handle the changes. The move to electronic data storage has thrown up a host of problems.
"If you could anonymise data, where patients are listed by code and not name, it is OK," says Monaghan. "It’s not as good as encryption but, if you are only anonymising, the chances are it won’t be sensitive personal data anyway. There is a training issue though, particularly with smaller providers. They often don’t understand the difference between password protection and encryption. They think a password is fine, then the computer gets lost and they find that a 12-year-old has accessed it."
This problem is likely to get worse in light of recent organisational changes. There is a Department of Health (DoH) mandate in place obliging medical professionals to self-report any data breaches that come to their attention. Many argue that this paints a much more accurate, hence uglier, picture of data security in the NHS compared with other public bodies that aren’t required to speak up. This rule does not yet apply to the increasing number of peripatetic bodies being brought under the NHS umbrella.
"An incident occurred recently that was quite enlightening," says Monaghan. "Somebody had a laptop stolen containing sensitive personal data. And because it was a private provider, there was financial data on there as well. They did not know about the Data Protection Act or who we were. So, instead of contacting us, they rang the BBC and said, ‘Can you help us by putting out a public announcement?’ They had been incredibly incompetent, but at least they realised it might be a problem. You wonder how many there are out there that don’t know about the ICO."
Data security monitoring
This also raises questions about data breaches that take a different form. Monaghan wonders whether the reason that so many reported breaches involve lost devices is that such instances are simply easier to detect. Many people still fax sensitive documents instead of transmitting them through more secure gateways such as the NHS.net wide area network. Cases of unauthorised or unlawful access are much more likely to slip under the radar, often due to insufficient oversight.
"Some organisations are getting very good at this and have brought in IT companies to do audits," says Monaghan. "They know where emails are being sent and who is signing in where. But not everyone is as well prepared; for example, junior doctors have smartcards to access online records. Once they are done, they should log out. As this process takes some time, often one doctor will log in at the start of the day and just stay logged in. Things like that are relatively easy to monitor – some do and some don’t."
The reasons for a lack of security consciousness go back to the formative stages of medical education. Students are well versed in the importance of confidentiality – it is no longer commonplace to hear two doctors discuss a case out loud, yet data protection gets only a passing glance. In Monaghan’s view, the subject of data security tends to be perceived as boring by medical students and junior doctors.
The message needs to be put across in a more memorable way at undergraduate level; for example, through debates or role-play scenarios. Often in the workplace, only cursory on-the-job training is provided – enough to justify a tick in the box.
"We’ve had breach cases where the hospital has blamed it on a maverick member of staff," Monaghan explains. "They say, ‘We’ve got all the policies and procedures in place and we’ve all completed online information governance training’. That’s great, but it’s not the panacea as it doesn’t cover the specifics of your department. We understand that self-reporting will lead to a bigger number of breaches. But even though we are identifying problems, the numbers still aren’t going down."
Primary care trusts’ attitude
This issue has been exacerbated by the clustering of primary care trusts (PCTs), the result of a government push to reduce waste. These clusters consist of up to six PCTs, but as yet do not count as legal entities in their own right. Consequently, each cluster contains a number of data controllers, all with different views on how things should be done and each with responsibility for their own area.
"We’ve heard anecdotally how this sometimes works," says Monaghan. "There might be one PCT that’s monitoring the use of email, and who checks in and out. But the chief executive heading up the cluster comes from a different PCT and doesn’t see the necessity of being, as they see it, overly bureaucratic. All six end up as bad as each other."
It is clear that a strong, uniform framework is necessary to govern data security, a need exacerbated by the gradual move towards electronic medical records. Further organic development will surely lead to greater weakness. Some believe that introducing harsher punishments for unauthorised access or forgetting to encrypt data can whip the industry into shape. Monaghan sees stronger enforcement as a positive step, but is sympathetic of arguments to the contrary.
"The problem with such frameworks is they tend to be very rigid," she says. "The guidelines that go with them could prop a door open so they fall into disrepute very quickly. The police has an upfront policy that states if you breach security you will be sacked. In the health service, they are more likely to say, ‘we do have a policy, but this is the first time… just don’t do it again’. People always say – and it’s a valid point – that such a policy would make people more reticent to come forward under a self-reporting system. But a harsher policy would send out the right message."
The move towards online medical records will take up a lot of the ICO’s time over the medium term. The project is especially complicated, raising ethical as well as security-related questions.
Will having access to detailed medical records, often going back as far as childhood, actually be detrimental to the patient?
The organisation has been involving itself with pilot projects in the region to try and ensure a national information framework is in place from the very beginning. The continued increase in the use of mobile devices will also require a major rethink.
"You are never going to take out that human element," says Monaghan. "Mobile devices will get lost and stolen, so you have to ensure complete security. It will involve working with technologists on encryption methods and ways to delete information virtually. A growing number of self-reported breaches today are associated with mobile devices, as well as insufficient decommissioning of data when it is no longer needed. Solving these problems won’t be easy."
Reducing the number of data breaches will require a new culture of awareness, which could take years to foster. At the same time, we have seen attitudes towards confidentiality change considerably over the past decade. There is no reason to believe that a similar transformation can’t happen again.