The UK’s Information Commissioner has ordered the National Health Service to tighten its grip on security, fearing that data protection is a “systemic problem” for its organisations.
Five NHS health organisations have signed recent data security undertakings in response to potential privacy breaches this year caused by staff losing patient records, faxing medical reports to the wrong number, and losing laptops.
“Recent incidents such as the loss of laptops at NHS North Central London - which we are currently investigating - suggest that the security of data remains a systemic problem,” said Information Commissioner Christopher Graham.
Staff across the nation were accessing millions of records, and there would be occasional human error, but Graham feared the health service’s underlying culture could be placing patient data at unnecessary risk.
While the NHS had data security policies in place, staff simply were not following them, suggesting there was a culture that did not prioritise data security.
“Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number,” he said.
The health sector needed a “cultural change” which encouraged staff to think about how data is stored and disclosed.
The Ipswich Hospital NHS Trust, which misplaced 29 patient records when an employee took them home, has introduced compulsory data protection training for relevant staff.
Two health organisations and an NHS ambulance service have signed undertakings for faxing medical records to the wrong number. One of them, the Dunelm Medical Practice, has since programmed its fax machine with numbers for regional branches to avoid a repeat, restricted faxes to exceptional cases, and now sends “Electronic Discharge Letters” by secure email.