NHS Data Security Incidents Top List Again


The UK’s healthcare sector once again accounted for the largest number of data security incidents in Q3 2016, although the charity, education and finance sectors saw a bigger quarter-on-quarter jump in incidents, according to the ICO.

The UK’s privacy watchdog said in its quarterly review for the period July-September 2016 that reported incidents in healthcare rose by over 3% from the previous quarter.

Data sent by email to the wrong recipient accounted for 25 incidents, while failure to redact data (10) and loss/theft of unencrypted devices (10) were also common errors.

Other reported categories included “cyber incidents” (6), failure to use BCC when sending emails (2) and insecure disposal of hardware (1). The majority of incidents were still linked to poor handling of offline data, however, with posting/faxing to an incorrect recipient (63) and loss/theft of paperwork (37) topping the list.

In total, the ICO recorded 239 healthcare incidents for the period, significantly more than the next most affected sectors – local government (62) and “general business” (56).

However, the regulator offered the following explanation:

“The health sector once again accounted for the most data security incidents. This is due to incident reporting being mandatory, the size of the health sector and the sensitivity of the data processed.”

It’s likely that we’ll get a clearer picture of how well or badly the NHS is doing on data security versus other sectors once the European GDPR comes into force, since it makes notification of qualifying breaches to the regulator within 72 hours mandatory for every sector, not just health.

It’s notable that, despite lower overall numbers, the volume of incidents in the education (18%), finance (18%) and charity (21%) sectors all grew faster than healthcare’s did.

The ICO advised organizations looking for quick wins to disable autocomplete in users’ email clients’ address fields – reducing the likelihood of a message being sent to a similarly named but wrong recipient – and to clarify policy so that staff better understand when they must, and need not, use encryption.
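The ICO’s advice is stated as policy rather than as a setting, so here is what the first recommendation looks like in practice on a Windows/Outlook estate. This is an added example, not from the ICO or the article: it reads the current state of Outlook’s Auto-Complete List option and then enforces “off” through the per-user policy key, which the user cannot undo from Outlook’s Options dialog. It assumes Outlook 2016/Microsoft 365 (registry version 16.0; Outlook 2013 uses 15.0 and 2010 uses 14.0 in the same path) and relies on ShowAutoSug being the value Outlook reads for “Use Auto-Complete List to suggest names” (0 = off, 1 = on); verify both against your own build before deploying. In a real estate the policy key would be delivered by Group Policy; the script shows the equivalent registry state.

```powershell
# Added example (not from the ICO or the article). Assumes Outlook 2016/365 ("16.0")
# and that ShowAutoSug is the value Outlook reads for the Auto-Complete List option.
$officeVersion = '16.0'
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Outlook\Preferences"
$userKey   = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Preferences"

function Get-AutoCompleteState {
    # Returns 0 (off), 1 (on) or $null when the value is absent, in which case
    # Outlook falls back to its default of suggesting names.
    param([string]$Key)
    if (Test-Path $Key) {
        $v = Get-ItemProperty -Path $Key -Name ShowAutoSug -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.ShowAutoSug }
    }
    return $null
}

"Before: user=$(Get-AutoCompleteState $userKey) policy=$(Get-AutoCompleteState $policyKey)"

# The Policies hive overrides the user's own preference, so setting it here (or via
# GPO) prevents staff from simply re-enabling autocomplete in File > Options > Mail.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name ShowAutoSug -Value 0 -Type DWord

"After:  user=$(Get-AutoCompleteState $userKey) policy=$(Get-AutoCompleteState $policyKey)"
# Outlook reads this at startup, so the change takes effect on the next launch.
```

The before/after lines make the check auditable: a compliance script can call Get-AutoCompleteState against the policy key and flag any host where it returns anything other than 0. Note that this removes suggestions only; it does not clear the existing Auto-Complete List (the .nk2 file or mailbox-stored list), which users can still see if the option is later re-enabled.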

Ransomware was a major scourge for the UK’s healthcare organizations in 2016.

Nearly half (47%) of NHS Trusts in England said they had fallen victim over the previous 12 months, according to Freedom of Information responses obtained by NCC Group in August.

In one of the most high-profile cases, North Lincolnshire and Goole NHS Foundation Trust took its IT systems offline for several days in autumn 2016 after an infection, forcing some patients to be moved elsewhere.
