The NHS is currently facing one of its toughest challenges since the UK’s publicly-funded healthcare system was set up in 1948 – to stay public, or go private…that is the question.

Those in favor of going private will be all over the latest data debacle to emerge, with a study showing that patients’ personal details are ending up on Facebook and other social networks. Indeed, the report found that confidentiality of NHS records is breached five times a week.

Big Brother Watch, a UK-based civil liberties organization, placed a freedom of information request and it has reported that there were more than 800 confidentiality breaches in the past three years, across more than 150 NHS trusts. One such incident, at the Nottingham University Hospital NHS Trust, resulted in a member of staff being dismissed after posting a picture of a patient on Facebook.

The data request identified 23 incidents where NHS staff had posted confidential medical data on social networking sites, either mentioning a patient’s name, commenting on them or sharing details from their records.

Furthermore, there were more than 90 incidents where NHS staff had accessed or used private medical information of their colleagues, whilst there were more than 30 incidents where they looked up relatives on their internal databases. Their actions led to a total of 102 NHS staff being sacked.

Nick Pickles, director of Big Brother Watch, said:

“This research highlights how the NHS is simply not doing enough to ensure confidential patient information is protected. Urgent action is needed to ensure that we can be sure our medical records are safe. It is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable.”

These findings come hot on the heels of the Commons Justice Select Committee, and the Information Commissioner Christopher Graham, announcing that tougher action was needed so that those who broke data protection laws could be jailed.

Simon Burns, UK Health Minister, said:

“We have issued clear standards and guidance to the NHS about what needs to be done to keep patient records secure and confidential. Individual NHS organisations are responsible for ensuring their staff understand and follow that guidance.”

Whilst it seems that tougher punishments for those that do breach data laws could be the best way to help prevent such incidents, it’s probably time for some perspective here. With 1.7m employees, the NHS is one of the world’s largest employers – whilst there’s no excuse for staff posting confidential information on social networks, 23 incidents over 3 years doesn’t suggest that it’s endemic – and remember that 102 dismissals were made across the total 800 incidents.

You can see the full report for yourself here; you’ll note that a large percentage of the incidents didn’t involve patients at all. However, you’ll also see that a lot of the data breaches include things like ‘losing unencrypted memory sticks’.

With that in mind, it’s probably worth noting that where there are humans involved, data is never 100% secure. As we reported back in June, the US Govt. planted USB sticks in parking lots of government buildings as part of a security study, with 60% of the subjects taking the bait and infecting their machines. Mark Rasch, a network security specialist, said at the time: “There’s no device known to mankind that will prevent people from being idiots.”