Patients, Users & Beyond

Combating the information security problem in healthcare – why a culture change could be the antidote


Ian Osborne, Vice President UK & Ireland for world-leading information security company Shred-it, discusses how the healthcare sector can protect itself against privacy breaches and what good data protection looks like

The Hippocratic Oath, an oath historically taken by physicians, has the obligation of patient confidentiality at its heart. While we live in an entirely different world to the one in which this oath was drafted, patient confidentiality has remained a key pillar of our healthcare services. That said, the rapid proliferation of technology has led to a rise in the amount of information hospitals and medical practices need to deal with. Struggles to keep up with the change have resulted in persistent reports of data breaches in the industry.

For example, research by the Ponemon Institute revealed that UK organisations reported an average of 22,800 data breaches in 2017, with the sector-wide study revealing that healthcare was the worst hit. A closer look at the breaches in the sector indicates that many occurred because of a failure to follow the fundamentals of safeguarding data privacy and security – most data breaches are not down to organised criminal gangs making use of malware but rather to people not following the basic steps required to keep confidential information secure.

Simple mistakes with serious consequences

This is especially true within the healthcare sector. One of the major problems has been that many people simply aren’t aware of what constitutes personal data, so practices such as leaving emails open or haphazardly discarding medicine bottles are commonplace. Furthermore, there have been information breaches including an X-ray report being found in a department store, a cancer patient’s chart left on the roof of a car, and a child’s mental health records accidentally faxed to a financial institution. From GP practices and dental surgeries to independent pharmacies and out-of-hours medical services, the disposal of confidential information has been haphazard – data protection simply hasn’t been topping the sector’s agenda.

By today’s standards, this is an unacceptable way to manage confidential and sensitive information. Never has a clear understanding of, and compliance with, new legislation such as the GDPR been more important. There are the financial implications to consider in terms of penalties – Bupa was recently fined £175,000 when an employee stole thousands of customers’ data and tried to sell it on the dark web – while the loss of patient trust not only has financial consequences but causes reputational damage as well.

What does good data protection look like?

Securing patient data is no longer a matter of simply ticking boxes and following processes. Taking comprehensive steps to reduce the risk is just as – if not more – important. Today, standards are clearly moving towards a model where the sector needs to be able to review who can access certain types of information, understand what is appropriate or inappropriate and continuously evaluate the controls that underpin a data protection strategy – all in real-time. An annual risk assessment is no longer enough.

It is also becoming increasingly clear that a culture change is required, something that the GDPR is helping to embed. Training healthcare staff on what form sensitive information could take and how to protect and securely dispose of this data is key to ensuring there is a comprehensive understanding of information held and how it is used.

Once there has been a full review of what data is held and for what purpose, practitioners then need to think about how to store, use and eventually destroy this data securely. Effective approaches include keeping paper records in locked consoles until they are shredded, degaussing hard drives, and contracting a GDPR-compliant data destruction company that provides a Certificate of Destruction after each removal.

Compliance with GDPR rules has many benefits, uppermost of which is peace of mind. In addition, by going through the steps to ensure organisations are abiding by the regulations, secondary benefits such as better data management, stronger protection against loss or theft of information and increased patient loyalty due to trust will give the sector a chance to excel. While no one can deny that compliance is hard work, it is also an opportunity to do more than just the bare minimum and to utilise the benefits and competitive differentiation a new business culture can bring.
