NHS trust fined for data breach

Jun 14th, 2013 / Category: Managed File Transfer

When it comes to data security, few industries have higher stakes than healthcare. Hospitals, doctors' offices, clinics and other care providers must accumulate and utilize a huge amount of extremely sensitive patient data. If this information is exposed, patients will not only have their privacy violated, but will be vulnerable to identity theft and fraud.

Considering the stakes involved, it is no wonder that organizations in the healthcare industry must meet stringent data protection standards or face fines and other sanctions.

The consequences for healthcare providers that fail to implement satisfactory secure file sharing solutions were recently highlighted by the case of a National Health Service (NHS) trust in Staffordshire, which received a significant fine following a data breach.

Breach costs
The Information Commissioner's Office (ICO) has levied a fine of approximately $86,000 on the North Staffordshire Combined Healthcare NHS Trust for failing to adequately protect its patients' data. The trust had previously sent sensitive information concerning three patients to the wrong recipients. The information exposed included names, addresses and medical histories.

Critically, the ICO investigation determined that the trust had best practice guidelines in place to reduce the likelihood of data breaches occurring. However, staff members were not adequately trained to follow these procedures.

"Let's make no mistake, this breach was entirely avoidable," explained Sally Anne Poole, ICO's enforcement group manager.

This is a common refrain when it comes to data breaches. In the majority of cases, the breach itself is largely attributable to mistakes or negligence on the part of employees and could almost certainly have been prevented if better policies and practices had been established and maintained in the offending organization.

Improving practices
Somewhat uncommonly for these types of incidents, the method of the breach in the Staffordshire case was a fax machine. Increasingly, hospitals and other healthcare providers are becoming entirely digital in their record keeping, as well as their record sharing.

This trend puts the Staffordshire incident in sharper relief, as it is even easier to mistakenly send an email to the wrong recipient than a fax. This means that those organizations which have embraced electronic medical records (EMRs) need to be even more careful when it comes to data security.

There are two keys to achieving a robust, dependable data protection policy in the healthcare industry. First, firms must invest in the right tools. Organizations need solutions that are dependable and easy to use. That is why firms should look for secure file sharing options that are specifically designed with the end-user in mind. Only by making the tools convenient can healthcare providers ensure that their employees will actually utilize these solutions.

Additionally, healthcare providers need to take the time to ensure that employees receive sufficient training concerning how to effectively use these resources. Without such educational measures, workers will be far more likely to inadvertently cause a data breach.