Exclusive: Health data breaches on the rise
- 5 January 2017
The NHS is facing a growing number of cyber threats, with more than 70 cyber incidents disclosed in just three months.
The latest figures from the Information Commissioner’s Office, obtained by Digital Health News, show that the NHS and other UK health providers reported 239 “data security incidents” in the quarter from June 1 to October 1, 2016.
Cyber incidents accounted for 74 of these reports, the most common category. Health organisations also disclosed 65 occasions when unencrypted devices, such as USB drives or laptops, carrying health data were stolen or misplaced.
Since April 2015, when the ICO started keeping records, the health sector had reported more than 1330 data security incidents. This latest quarter marks the second-highest number of incidents reported on record.
Overall, the health sector disclosed more than four times as many security incidents as any other sector during the period to October, with the second-placed local government sector reporting just 62 incidents. The ICO said that the high number of incidents in health was influenced by the mandatory data breach reporting in the NHS, which was not a requirement in other sectors.
However, across all sectors, reported data security incidents generally, and cyber incidents specifically, were on the rise.
Reported “cyber security incidents” rose by 46% compared to the previous quarter. Exfiltration, which covers the unauthorised transfer of data from a data controller’s system to a location controlled by a hacker, was the most common.
Even on paper, data security incidents were on the rise. Despite the NHS drive to be paperless by 2020, incidents where health information was posted or faxed to the wrong recipients rose from 45 to 63 between the first and second quarter of 2016/17.
The fresh figures come amid growing concern about cyber security in the NHS, with trusts and national IT infrastructure increasingly the target of attacks.
In February, health secretary Jeremy Hunt announced that £1 billion of the £4.2 billion allocated to health IT would go towards improving cyber security in the NHS.
Many NHS trusts have been reviewing their cyber vulnerabilities in the wake of a particularly damaging ransomware attack at Northern Lincolnshire and Goole NHS Foundation Trust in November 2016.
That attack sparked a 4-day IT shutdown and the cancelling of 2800 non-urgent appointments and operations while the infection was isolated.
In Digital Health News’ recent health IT predictions for 2017, NHS Digital chief operating officer Rob Shaw said a big focus for his organisation this year would be improving cyber resilience.
“In 2017, we won’t prevent every cyber security incident in the NHS, but we will be better placed to protect ourselves, making these incidents less likely to succeed and allowing us to act quickly to limit any issues.”
NHS Digital has had a dedicated CareCERT (the Care Computing Emergency Response Team) since September 2015, focusing on preparing for, monitoring and responding to cyber-attacks.
Last year, the unit conducted “security assurance assessment” on 100 NHS trusts, with more planned this year.
Putting cyber threats aside, the rise in accidental data breaches could be a drag on efforts to accelerate the sharing and matching of NHS patient data.
Reducing these incidents will likely be a big focus of the government’s response to the twin data security reports, from the Care Quality Commission and the National Data Guardian, published in July last year.