NHS all-mobile no-paper system has 'alarming' lack of cyber-security
A recent FOI request by cloud solutions company Accellion has revealed an 'alarming' lack of cyber-security in the NHS' use of mobile devices.
In its move towards a paperless system, the NHS may be overlooking the security of its mobile devices
A Freedom of Information (FOI) disclosure has shown that the National Health Service (NHS) has an ‘alarming' lack of cyber-security around mobile devices in the workplace.
Accellion, a California-based cloud solutions company, released its findings yesterday saying that “NHS trusts across England do not have adequate training programmes that guard employees against cyber threats”.
Nearly three-quarters of NHS trusts said they had no cyber-security training programme for mobile devices despite the fact that a similar number are using those mobile devices in the workplace.
As the NHS makes its move towards a paperless system, tablets, smartphones and mobile devices will move closer into central everyday use. Ninety-two percent of NHS trusts, according to Accellion, plan to incorporate those devices by 2018, the target date for the NHS to go paperless.
This paperless system is supposed to allow the easy transfer of medical records and was supposed to save the NHS billions.
In January 2013, Jeremy Hunt, the Secretary of State for Health, said, “The NHS cannot be the last man standing as the rest of the economy embraces the technology revolution.”
He added, “It is crazy that paramedics cannot access a full medical history of someone they are picking up in an emergency – and that GPs and hospitals still struggle to share digital records.”
But Accellion's report notes, “The uptake in smart technology is in direct correlation with the increasing number of cyber-attacks in the healthcare sector, where patient data is seen to be of greater value to hackers than financial details when sold on the black market.”
The transfer to paperless is already in swing, according to Accellion's FOI. Around 80 percent of NHS trusts said they had given staff mobile devices from which many of them access patient records.
So where are these records secured elsewhere? Just over half of trusts say they provide secure applications for sharing patient data. The report adds, “With the increasing uptake in smart technology, this is a figure that must change in order to prevent further cyber-attacks.”
Yorgen Edholm, CEO of Accellion, told industry press that with human error being central to most data breaches, “the integration of smartphones into the UK health service must be properly managed”.
Edholm added, "From the latest hire to the most tech-savvy employee, cyber-security must be top of mind. With the increasing use of wearable devices, employees are going to be the weakest link in the security ecosystem."
In September, the NHS announced the introduction of a dedicated cyber-security team. CareCERT (Care Computing Emergency Response Team) is meant to respond to major cyber-security incidents and be a central source for security intelligence within the NHS.
Funded through the National Cyber Security Programme, the service is meant to go live in January 2016. At the time of announcement, Rob Shaw from the Health and Social Care Information Centre (HSCIC) said, "The service will monitor for system-wide threats and will then ensure that appropriate actions are developed, supporting continued security across the sector."
SCMagazineUK.com spoke to Susannah McIntyre, a spokesperson for the NHS, who said that all “organisations must develop their own ‘bring your own devices' policy for mobile devices following a thorough risk assessment”.
She added, “All users of the NHS must be confident that their data is safe and secure.” A review of data security for patients details will be carried out by the Care Quality Commission with the help of the National Data Guardian, Dame Fiona Caldicott who will develop “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account”.
From next year, “All NHS and care organisations will be inspected on how well they protect personal data, including issues such as sharing data on non NHS devices."