The Information Commissioner's Office has again warned the NHS that it is not doing enough to safeguard patients' data. This week's featured failures come from Stoke-on-Trent and Basingstoke and North Hampshire. NHS Stoke lost 2,000 paper physiotherapy files, and is not sure if they were destroyed or simply filed in the wrong …
And what teeth has the Information Commissioner got? Even if he could impose huge fines, there wouldn't be much point, as it's all public money. The only thing that will concentrate minds is some senior heads on sticks, IMO.
I also suspect that the problem is far worse than stated. My partner's childhood medical records have mysteriously gone AWOL, but we haven't told the ICO about it, because it will just make more work, and nothing will happen...
Heads on sticks...
The only thing that will ever work.
The only thing you're never going to see happen. Count on it.
And that goes for a whole range of problems within the NHS, not just IT.
It happens every day.
I was in York hospital last week. On a trolley, in a public area was an unsupervised NHS laptop. I have no idea what was on it, but it wouldn't have been difficult to steal.
What a shambles.
You may have been able to walk out with the laptop
But hopefully, it would be password protected (ideally in the BIOS, although removing the BIOS battery would usually get around that). It would be unlikely to hold any patient information, more likely some junior doctor's notes for hospital audit, which would be anonymised, and you probably wouldn't be able to access them.
In this case it's likely that the loss of the laptop would not entail the loss of patient information but it is still foolish of them to leave it lying around.
On the other hand, it could be that the hospital in question has been suffering losses from thieves wandering into public areas and pinching stuff, in which case, they may have left an old laptop there as bait to catch said tea-leaf, on the grounds that the hospital security wouldn't have much difficulty spotting a member of the public wandering off with something of that size.
Correlation and causation.
Yep, this happens, and it needs constant oversight to try and stop it happening more, which is actually a big thing in the NHS these days.
For the stat that a quarter of all breaches are from the NHS, I wonder if there's a metric around that actually captures how many valid (and possibly 'naughty') requests there are per capita in all the public sector (and private companies) so that a real comparison can be made about how bad sectors really are at data leaks (otherwise you're saying that a microchip fab plant is a far better banana producer than a plantation as they have far lower statistics for banana wastage).
Now that I'd be interested in reading; the NHS is, alas, in a prime place for the spotlight, as much of the data it deals in is highly sensitive.
And don't forget:
The NHS is still the world's third largest employer (after the Indian railways and Chinese army). It might have the most breaches, but does it have the most per capita? Having been exposed to NHS security procedures from the perspective of both suppliers and users of IT systems, I'd say: probably not.
I heard ...
... Walmart was also bigger.
Promised to try harder.
Never happen. Not until one or more of the directors / CEO of a health trust is jailed for these data breaches.
The CEOs will ask "why on Earth should we spend a penny on something that won't give us a benefit?" And they'll keep saying that until they change their attitude to "we'll spend as much as it takes to keep _me_ out of prison."
I work in a highly regulated industry where not only the top man, but us minions can be sent to prison for non-compliance. Certainly brings focus to what one is doing!
Not until a user has a vested interest in protecting data will they think twice before losing data.
Lock a few offenders up with their superiors and you'll find them taking a lot more care with how they look after other people's data.
"Basingstoke managed to lose an Excel spreadsheet containing 917 pathology results - emailed from an insecure address. The sheet was not password-protected and the receiving department had no need for such a large quantity of medical records."
How exactly does one go about losing something that has no physical form, or do they mean maybe that a path lab emailed a spreadsheet with a load of results to a hospital department (e.g. a ward in the same hospital) that only needed one of those results?
...no cloud computing for you then. ...no, seriously, no budget!
Off with their heads!
If I had Carrollian "Queen of Hearts" drag in the right size, I'd have put it on before keying that.
Something I notice time and time again about these stories concerning official malfeasance relating to data: no one is held responsible. No one is jailed, no one is suspended without pay, no one is charged, no one forgoes any pensionable time, no one takes a hit of any kind. At the very least, the head of any public organization that missteps with data should be denied any bonus for the year.
Maybe the time has come for an internet-fueled mass expression of disgust at this nonsense, be it a careless hospital sending email or a police force ignoring FOI requests. Enough angry letters to newspapers and MPs and ministers and maybe, just maybe, something might change.
Or maybe, better yet, it's time to institute a citizens' database of public employees who have fallen down on the job: name them and shame them, starting with the people at the very top. Something like the CRB or the kiddy-fiddlers' database. Can even be based on hearsay and gossip: that's what the UK gov has done, no?