The NHS has been told that it needs to improve data security from a tech, governance and training perspective ahead of two new reviews set to land in the coming year.
Under-fire health secretary, Jeremy Hunt, claimed the NHS hasn’t yet reassured the public it can safely handle data – since he announced the reviews last autumn, according to The Times.
The Care Quality Commission is currently reviewing data security standards across the health service, and will report in January 2017. US healthcare expert Robert Wachter is reviewing the digital future of the NHS.
NHS organizations continue to be found wanting when it comes to secure data handling.
Just this month, Blackpool Teaching Hospitals NHS Foundation Trust was hit with a £185,000 fine from the ICO after accidentally publishing highly sensitive and confidential data about its employees.
Also, Chelsea and Westminster Hospital NHS Foundation Trust received a £180,000 penalty for revealing the email addresses of hundreds of patients with HIV.
Back in 2012, Brighton and Sussex University Hospitals NHS Trust had the dubious honor of receiving the biggest ever ICO fine to date – £325,000 – after being unable to explain why hundreds of disks containing highly sensitive patient information ended up being sold on eBay.
Zak Suleman, healthcare specialist at Smoothwall, argued it is correct that the health secretary is focusing not only on technology but user education and governance.
“Ensuring a strong security culture is instilled throughout the NHS workforce is vital to ensure staff are constantly vigilant and aware of the threats. As the proliferation of cyber-attacks becomes more frequent, advanced and sophisticated, it is now not about if an attack happens, but when,” he added.
“As a result, security needs to be taken seriously at all points of the organization, to ensure that all employees understand the risks of their actions and know the security processes in place should an incident occur to mitigate the risks."
Cris Thomas, strategist at Tenable Network Security, added that the challenges facing the NHS are “immense” thanks to rapidly evolving technology and an ever shifting threat landscape.
"To eliminate security blind spots the NHS, and all public sector departments for that matter, need to achieve continuous visibility across all systems and devices. Visibility is not just about periodic scans; it’s a full-time endeavor to provide a comprehensive, real-time view into the security posture,” he explained.
“Attackers are attempting to infiltrate networks all the time, so a complete inventory of all network devices and applications — including rogue devices, shadow IT, and virtual systems — is the first requirement for a strong enterprise security program.”