The UK health sector reported 2,447 data security incidents to the Information Commissioner's Office between January 2014 and December 2016, 43% of all incidents reported across every sector in that period.
According to data obtained from the Information Commissioner's Office (ICO) and analyzed by Egress Software Technologies, the quarterly number of health-sector incidents rose by 20% over the period, from 184 in the last quarter of 2014 to 221 in the last quarter of 2016.
“Following the WannaCry exploit, the vulnerability of the healthcare industry, and the critical importance of improving its cybersecurity, has come into sharp focus,” said Tony Pepper, CEO and co-founder of Egress Software Technologies. “While it’s clear there is a security problem in healthcare, these figures show that it is as much about internal activity as external threat.”
The incidents were attributable to: theft or loss of paperwork (24%), data faxed or posted to incorrect recipient (19%), data sent by email to incorrect recipient (9%) and failure to redact data (5%).
Rowenna Fielding, data protection lead at Protecture, told Infosecurity that she felt it was a stretch to say that the UK health sector suffered a "disproportionate number of data breach incidents" just because the reports for this sector are highest, as this is the only sector which has a mandatory duty to self-report incidents and takes that duty seriously.
“In fact, high self-reporting levels indicates a culture that recognizes both when incidents happen, and that some kind of action should be taken in response, which is desirable,” Fielding said. “Anecdotally, I have seen – and heard of – the same types of incident occur frequently and widely across a number of other sectors, including financial, voluntary, retail and education which reinforces my suspicion that the figures are skewed.
“I believe that the mandatory breach reporting requirement that GDPR brings in will make a significant difference to the distribution of reporting figures and result in the health sector being less disproportionately featured. Whether other sectors will be revealed to have even higher levels of incidents remains to be seen.”
Jon Baines, Chair of the National Association of Data Protection and Freedom of Information Officers (NADPO), said that the NHS Information Governance Toolkit, under which NHS bodies are required to assess their information governance, makes the reporting of serious data security incidents mandatory, and that, apart from telecoms, no other sector is required to report itself to the ICO.
He said: “Given this, it is no surprise whatsoever that health bodies consistently top this table. This is not to defend bad data security practices of course – and the research does suggest that there are some repeated examples of very poor practice which the NHS should aim to train out of its workforces.
“It is worth noting that the ICO have not fined an NHS body for a data protection breach since last August (when Regal Chambers Surgery was fined £40,000), during which time they have served fines on councils, police, charities and private sector organizations – on that metric, it might well be argued that the ICO is not performing as badly as the research initially suggests.”
Fielding said that the health sector faces particular challenges in regard to the handling of information which other sectors such as retail, commercial services and utilities are not as much impacted by. “The need to exchange large volumes of confidential data across multiple channels with external organizations who have varying levels of technological maturity means that there is an environment in which controls are less likely to be standardized and confusion or mistakes are common.”
Pepper added: “What the information from the ICO makes clear is that all businesses need to do more to better protect sensitive information. Meeting this challenge requires a combination of improved employee training and the communication of risks, and the deployment of the right technologies to minimize the number of opportunities available for human error to take hold.”