Data security breaches up 21% among healthcare organisations

Information Commissioners Office issues stark warning just days before introduction of General Data Protection Regulation

Security must be improved in order to mitigate the threat from cyber criminals

The number of data security breaches among healthcare organisations in the UK has increased by 21% in the run-up to the launch of the General Data Protection Regulation (GDPR) later this week.

Awareness is the key to compliance and today's results strongly suggest that breaches are happening because employees are ill informed in how to handle data

The Information Commissioner's Office (ICO) has released its report into the data security incident trends of ‘Quarter 4’, running from January-March this year.

Across all sectors, 957 incidents were reported, up 17% on Q3.

The most-common types of breaches were data posted or faxed to incorrect recipient; loss or theft of paperwork; and data sent by email to incorrect recipient.

Among healthcare organisations specifically, there was a 21% increase in reported data security incidents in Q4, following a 22% rise between quarters two and three.

The three most-common problems reflected those across all sectors, followed by data being left in an insecure location. There were also 11 losses or thefts of unencrypted devices.

Breach reporting is mandatory in the health sector and this is said to have contributed to the high number of reports.

The ICO said: “Data security incidents are a major concern for those affected and a key area of action for the ICO.

“We have published this information to help organisations understand what we are seeing and to help them to take appropriate action.”

It adds: “We believe recent increases are possibly due to increased awareness of the GDPR and the launch of our new Personal Data Breach helpline.”

The GDPR is designed to enable individuals to be more in control of their personal data and puts the onus on healthcare trusts to ensure they know exactly what information they hold, how it is used, and who can access it.

These issues can be resolved by equipping staff to handle personal data – whether that’s through technology that supports and secures the work they do or more training and awareness – all things that organisations should have been doing ahead of GDPR

Any breach of the regulations could see individual organisations fined up to £20m or 4% of their global turnover.

In the Q4 report, the ICO reveals it fined Carphone Warehouse £400,000 after serious failings put customer and employee data at risk.

“The company’s failure to secure a computer system allowed unauthorised access to the personal data of over three million customers and 1,000 employees,” it states.

Commenting on the report, and its impact on the healthcare sector; Tony Pepper, chief executive of technology firm, Egress, said: “The ICO's results are illuminating.

“Most obviously, the fact that the number of incidents is up on the previous two quarters is very concerning ahead of the GDPR deadline next week.

“In light of that, what stands out most is the nature of these incidents.

“Cyber attacks don't even make the ranking of the top five-most-common types of data security incidents. The top causes are almost entirely organisations, or more accurately staff within organisations, accidentally releasing or leaking data.

"Take the healthcare industry. None of the top three incidents are sophisticated attacks orchestrated by cyber criminals. Largely they are due to staff mistakes.

“These issues can be resolved by equipping staff to handle personal data – whether that’s through technology that supports and secures the work they do or more training and awareness – all things that organisations should have been doing ahead of GDPR.”

And he warns: “It is not enough for just your tech teams to be prepared. It is the employees across the company.

“Ask yourself, are your staff aware of the practices you have put in place for GDPR? Have they been trained to use the technology you have implemented? Do they even know what counts as personal data?

“Awareness is the key to compliance and today's results strongly suggest that breaches are happening because employees are ill informed in how to handle data.

"Now the GDPR is upon us, it is more imperative than ever that organisations adopt an approach that’s focused on users, working out what technology and support they can give their employees to help them handle data safely at work."

Companies