NHS data security: Lessons to be learned

The NHS does not always provide a trusted repository for patient data, but some trusts are examples of good practice in action

The NHS should provide a trusted repository for patients’ personal data – but, sadly, this is not always the case. The past few years have seen numerous examples of NHS organisations losing data, sending it to the wrong place and otherwise treating it in a less than secure way.

The problems extend across the UK’s public healthcare services, which are run by the Department of Health in England and the devolved governments in Scotland, Wales and Northern Ireland. 

February saw North Tees and Hartlepool NHS Foundation Trust in north-east England ticked off by data protection regulator the Information Commissioner’s Office (ICO) for a number of incidents, mainly involving paper records.

“One incident involved the discovery of a folder containing highly sensitive personal data at a bus stop by a member of the public, while most of the other cases related to letters, notes and reports containing patient data being sent to the wrong recipients,” said the ICO in an enforcement notice that requires the trust to review its policies and put an action plan in place.

In 2014, the ICO took similar action against NHS Grampian in Scotland following six data breaches over 13 months, in which paperwork including sensitive personal data was abandoned in public areas of its hospital – and, in one case, a local supermarket. 

Read more about data security in the healthcare sector

  • The Information Commissioner’s Office now has the right to audit NHS authorities to ensure they comply with the Data Protection Act.
  • Big Brother Watch calls for better health data security after a study reveals NHS suffers an average of six data breaches a day.
  • NHS England’s own risk analysis says Care.data system could undermine patient confidentiality.
  • Proposed changes to EU data protection law could obstruct NHS plans for seamless data integration across GP surgeries and hospitals.

The regulator also criticised north Wales’s Betsi Cadwaladr University Health Board for sending eight letters about patients to just one of the people affected, when they all should have gone to a GP surgery. The employee who made the mistake had received no data protection training.

Compulsory audit

As a result of the NHS’s poor reputation for handling data securely, in February 2015 the ICO gained the power to force any public healthcare organisation to a compulsory audit, the extension of a power that previously applied only to central government.

But it is not a power it expects to use often, says Louise Byers, the ICO's head of good practice. “We usually ask for consent before imposing an order,” she says. “We have spoken to a number of NHS trusts about an audit in the [2015/16] financial year, and so far all have consented. We always want to engage with people constructively.” 

Byers says the ICO would force an audit only if an organisation refused a voluntary one and appeared to be risking non-compliance with information law. But it is a useful option to have, she points out. “Having the power incentivises organisations.”

So why has healthcare been singled out for attention? “We wanted to improve public confidence,” says Byers. “We have received a high number of complaints about NHS organisations and, through audits, we have identified a number of areas where practice can be improved. The NHS is a good area for the ICO to focus its efforts.” 

We have received a high number of complaints about NHS organisations and, through audits, have identified a number of areas where practice can be improved

Louise Byers, ICO

Byers adds that in a consultation run by the Ministry of Justice, the vast majority of responses from the NHS supported the ICO's new powers.

Common data breaches

Kai Winterbottom, the ICO’s group manager for good practice, says the most common data breaches in NHS organisations include personal data being posted or faxed incorrectly to individuals or third parties; the loss and theft of paperwork; emails being sent to the wrong recipients; loss and theft of unencrypted devices; and a failure to redact third-party data in documents before their release.

Some of these incidents are linked to the fact that the NHS continues to make substantial use of paper records, despite health secretary Jeremy Hunt directing the English health service to move towards paperless status. 

“It is important to understand that NHS trusts are extremely large and complicated organisations, with thousands of staff in multiple sites,” says Winterbottom. 

“They have to be quite open environments, as the public need access and the NHS is still quite heavily reliant on paper. It helps if organisations know what data they hold and where it is, ensure staff have an awareness of security and receive regular training, and that there are clear guidelines on taking records off-site.”

Winterbottom does not think a switch from paper to digital automatically solves security issues – but, if done with due regard to data protection, it can make a significant contribution. He mentions a trust that has issued community-based staff with fully-encrypted laptops to use on the road, asset-tagged and accessing trust systems through a virtual private network. 

As well as providing secure access to systems, the arrangement allows staff to spend more time with patients and less in the office, where they would previously have collected and returned paper records. 

There are risks with digitisation of records. The ICO recommends organisations should conduct a privacy impact assessment

Kai Winterbottom, ICO

“That is an example of how technology can be used by a trust to mitigate the risks of paper-based records and improve the delivery of frontline care,” says Winterbottom. 

“There are risks with digitisation of records. The ICO recommends that organisations should conduct a privacy impact assessment.” 

Staff training vital

Staff training is also vital. Other good practice includes enforced, regular changes of passwords and control of USB device usage, both of which Winterbottom describes as “fairly easy wins”. He also recommends a consideration of data protection at board level, in policy changes and in new projects.

The ICO also sometimes identifies NHS organisations that are doing good work, and two that were singled out last year were Solent NHS Trust, which provides community and mental health services in Hampshire, and Plymouth Hospitals NHS Trust. Both have implemented a range of measures to improve information governance.

This includes measures around printing. Plymouth Hospitals moved to a managed print service in 2012, in which staff use a key fob and a PIN to retrieve their printing. “This was primarily a cost-saving initiative, but the trust also realised benefits in the reduction of governance incidents associated with misdirected printing,” says Lee Budge, director of governance at the trust.

Solent’s information governance manager, Sadie Bell, says the trust is about to implement personal identification numbers (PINs) for printing. “This eliminates the risk of someone else collecting personal or confidential printing and information being placed at risk,” she says. 

And although Solent still holds some paper records, most information is held in an electronic patient health record that requires a smartcard for access, with levels of access based on an individual’s role.

All staff have to complete an online annual information governance refresher course

Sadie Bell, Solent NHS Trust

Plymouth is also moving to reduce its paperwork, with some departments planning to move to digital case notes later this year or early in 2016. 

“This has been supported by a complete upgrade of the trust’s datacentres and investment in single sign-on and client-side technology to ensure clinical staff can access systems quickly, reliably and at the point of care,” says Budge. 

Restricts use of USB devices

The trust also restricts the use of USB devices, allowing only designated encrypted ones; secures iPads and the like with a centralised mobile device management system; and is bringing in a virtual clinical desktop, so clinical data is not held on mobile devices.

Training is another important element of securing information, according to Solent's Bell. “All staff have to complete an online annual information governance refresher course,” she says. “Some 95% of staff are trained every year and the target is closely monitored by the trust’s board. We also target and support specific areas within the trust, tailoring training at a service level.” 

Read more about how NHS trusts are managing patient data

  • The NHS Dumfries and Galloway health board has adopted a proactive way to protect patient data through continual vulnerability assessment.
  • The Royal Free London NHS Foundation Trust has digitised patient records as part of modernisation programme.
  • South Warwickshire has rolled out an electronic patient record system from IT services firm CSC as it moves away from paper records.
  • BT and CSE Healthcare roll out RiO electronic patient record system to 62 community and mental health trusts.

Each of Solent’s eight service lines has its own information governance representative.

Plymouth Hospitals includes information governance in its corporate induction, annual updates and junior doctors’ training. “An hour-long seminar is used to discuss various scenarios and the consequences of data breaches,” says Budge. It also reminds staff of the issue through newsletters, daily emails, posters and even screensavers.

Budge says incident management is an important aspect of protecting information, with the information governance team checking all incidents reported across the trust. “Incidents are scored and serious incidents require a formal root cause analysis report,” he says. “The area where the breach occurred is always involved in this report and is therefore involved in identifying the learning.” 

Plymouth Hospitals requires a manager from the relevant department to inform anyone whose data has been wrongly disclosed, and reports serious breaches to the ICO.

Culture of openness

“We have worked hard to promote a culture of openness and transparency in reporting and responding to information governance issues,” says Budge. “We see this as the critical first step in ensuring that we learn from our mistakes, rather than blame people for them. In doing this, we ensure that staff take ownership for identifying and implementing the actions required to address the root causes of incidents. 

We have worked hard to promote a culture of openness and transparency in reporting and responding to information governance issues

Lee Budge, Plymouth Hospitals NHS Trust

“In the past, too many incidents were put down to human error and no further action was taken, so we now ensure that staff understand the consequence of poor data handling, patients are sent an apology and, above all, patient care is not compromised.”

Bell says Solent NHS Trust has the ability to lock down and restrict certain information at a patient’s request. “While this is more common in mental health services, the functionality is available to all services and patients,” she adds.

Bell says the trust benefits from continuous monitoring and improvement of its information governance arrangements, and has champions in each service to check things are working and to raise specific concerns. 

“Analysis of service line activity and data flows is undertaken quarterly to assess areas of good compliance, so that best practice can be shared,” she adds.

Read more on Privacy and data protection

Data Center
Data Management