How to navigate the NHS data protection minefield

Sharing information makes the modern world go around. Digitisation has enabled us to be more informed and connected, providing insight and efficiency across all facets of people’s lives. People want it and they embrace it until their personal or financial information is shared with the wrong people.

The NHS is one of several high-profile organisations last year that suffered data security breaches thanks to vulnerabilities in its IT systems. These crises demonstrate the problem organisations and the public have in balancing the benefits of digitisation against the potential risks.


Digitisation holds the key to solving so many of the often reported efficiency failings within the NHS, from communication to managing appointments. The latter is a bone of contention, with patients across the country unable to get through to their surgery and to be seen quickly, and practices hit by high levels of no shows.

Findoc market research conducted with 500 London-based patients and healthcare professionals revealed that doctors still manage around 80% of their appointments over the phone, a system that is both inefficient and unpopular with patients. Having to call at 8am to get the appointment they want can be rather like trying to get tickets for the final Rolling Stones concert. While the NHS has been slow to digitise this fundamental area of its service, it has also been hit hard in the areas where it has implemented IT systems.

Two major breaches

The first NHS breach was revealed in March last year when an IT system widely used by GPs was discovered to enable access to patient records by anyone using the same platform. The records of 26 million patients could be viewed by thousands of receptionists, clerical staff and pharmacists in prisons and care homes for example, even if they had no medical reason to review them.


The second breach, in May 2017, involved the WannaCry ransomware that struck numerous organisations, but none more significantly than the NHS. The cyber attack encrypted enterprise data and disrupted operations, which led to cancelled appointments, diverted patients and suspended A&E departments.

The impact

From a patient perspective, both events are damaging. Having one’s confidential medical data open to virtually anyone is devastating, while the chaos brought by infected systems caused at least inconvenience, at worst life-threatening situations. For the NHS, reputation and financial costs are at stake.


According to the National Audit Office (NAO), the cost of the WannaCry attack was not just that of restoring affected data and systems, but also of rescheduling appointments, additional IT support, and overtime worked by NHS staff to resolve problems and to prevent a fresh wave of organisations being affected. It is a cost that neither the Department of Health nor NHS England has since been able to calculate, underlining the lack of visibility within the organisation.

An easy target

The reason these breaches hit the NHS so hard is that its trusts had done little to maintain legacy software used at clinics and hospitals. The NAO also reports that there was no assessment of localised procedures for cyber attack prevention.

The attack could have been prevented by the NHS following basic IT security best practice. NAO head Amyas Morse put it bluntly: “the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

Getting with the right regs

This has become even more urgent, with the General Data Protection Regulation (GDPR). NHS departments will be obliged to analyse their digital functions, including processes for the storage, security, portability and identification of patient data. Any digital technology implemented must ensure compliance and offer an increased level of business intelligence.


Data breaches must be reported to relevant authorities within 72 hours. All NHS organisations and local authorities which provide social services are already obliged to have a Caldicott Guardian, a senior role responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. They will now also be required to employ a Data Protection Officer, which adds essential IT capability to the role.

No mean feat

Data management and cyber security in an estate as complex as the NHS is no easy task: no other organisation has so many sites, partners and stakeholders. Despite the serious consequences of data breaches, the benefits of sharing information between healthcare practitioners, such as GPs and the local hospital, are obvious: the ability to share medical notes amongst practitioners can potentially save lives.

The post-GDPR landscape presents an opportunity for the NHS to digitise properly, from gathering, storing and sharing critical information securely to analysing data intelligently.

Healthcare practices must have a crystal-clear data trail and be certain their IT partners are 100% compliant; only then can they go forth and share the benefits of digitisation with patients.


Sourced by Xavier Bernal, founder, Findoc

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...