NHS bitchslapped by ICO on data security The Information Commissioner's Office is working with Connecting for Health to try to get the NHS to take data security seriously. The news comes as another five NHS bodies sign undertakings with the regulator to improve processes. Information Commissioner Christopher Graham said: "The health service holds some of the most …
Why the hell are they still using Faxes in 2011? They could at the very least be emailing it to the wrong address, and that could be prevented by the system itself - it should automatically stop the user if they try and email info to somebody outside the health service, and USB ports should just be disabled.
Pete a quick run down in the way the NHS works. Our Trust blocked usb ports. We didn't want junioe doctors putting patin info onunencrypted sticks.
Junior doctors phoned the IT Department. Some band three help desk assistant who didn't want to be bothered with phone calls opened up all the usb pports. No notification to the data protection officer etc.
Result junior doctors losing usb sticks and IT people saying "We're not to blamne - nothing to do with us guv."
Not all eMails as set up for this, yet.
I'm guessing this is the reason?
If there are problems getting folks to take simple things like data security seriously do you really believe that people wont share their logon information. It's a cultural thing. People trust medics, medics trust medics, of course we're right, ....
Let us assume that you need to send a colleague something graphical (a chart, signature, hand written notes) then you do one of the following:
A) Find a fax machine, scribble note on document, put in document, key in number, press send. Your colleague waits by the fax and picks up their copy.
B) Find a computer with a scanner, log in, start graphics software, place document on scanner, scan document, look for file, start email software, write email, attach image, send email. Your colleague waits by their computer, checks their email, prints it, fetches it from the printer.
OK I know it's not quite like that, but most people would find A easier and faster. In a medical context speed is often very important.
The question has to be asked,
Is the NHS really that crap at information security, or are they getting all the nationally mandated reporting mechanisms implemented correctly, and are simply falling foul of the, "when you are this big, this stuff happens" syndrome.
Agreed some of the incidents have a massive Homer Simpson "doh" value, so why are so few of our massive private companies not falling foul of these issues ?
@AC NHS organisations have a habit of self reporting, a bit like turning yourself in if you'ce committed a crime.
Like the criminal justice system the ICO takes this into account and levies a bigger fine than when they don't self report (just look at the ICO site if you doubt that).
The moral is always turn yourself in for a heavier sentence.
I continue to be baffled by the number of large organisations who use fax despite the availability of better and more dependable systems. Hell, even some large tech firms (hello Dell) still use it in their purchasing systems.
Long story short - if any part of the information being sent from A to B is confidential or has DPA implications, it shouldn't be sent in plaintext (whether that's email or fax or unsecured traditional mail) - it should have security applied, preferably of the public & private key variety in the context of email.
Until the NHS get the physical side sorted out, they're never going to get the electronic side sorted out. In the grand scheme of things, a few errant faxes, delivered to other NHS bodies (in the main) are nothing compared to the risks posed by the general public. And heaven forbid they should actually be targetted - it would be far easier than taking candy from a baby.
http://insideinfosec.blogspot.com
The ICO only seems to take action when they know that they can get a win... for example, with other government agencies.
In contrast, I've been warned by a few very well known private companies recently that if I'm not happy with the way in which they abuse the rights afforded me by the DPA98, that I can cancel my account. According to the letter that I received yesterday, the ICO don't have a problem with this; they don't have a problem with companies blatantly contravening data protection laws and then threatening to cancel the account of anyone that complains. Yet if a govenment agency does the slightest thing wrong they're all over them like a rash dishing out undertakings at the drop of a hat.
Like I say... the ICO only want to get involved when they can get an easy win. If you're a private company in the UK you've basically got a carte blanche to do as you please with personal data.
For those that aren't familiar with the issues, there are a multitude of barriers - technical, cultural and legal - that prevent the elimination of fax use in the NHS (or, for that matter, in other places).
Anyone tried buying a house or getting a loan recently without actually putting a *signature* on a piece of paper and somehow getting that back to the organisation in question (for which a fax usually works well)?
Most people won't accept a "digital stamp" kind of signature on an electronic file because there are question marks about the legality of doing so. A scanned/faxed document is pretty much incontrovertible; even if the original paper is destroyed as long as the scanning process was BS10008 compliant or you have a fax machine log or receipt then the digital image is generally considered adequate proof of the existence of the original paper.
Otherwise you start getting into the minutiae of contract law - which doesn't cover medical records anyway!
Even if this wasn't the case, medical records are highly signature orientated (face it, you *would* want to know who ordered your antibiotics to be stopped early) and there are practicality and infection control issues (not to mention cost!) that prevent giving every doctor and nurse some kind of digital tablet to eliminate paper.
The other issue that many non-NHS people don't realise (and I have immense fun trying to explain to them) is that you have a very high user-to-PC ratio in the wards and clinical areas - in the order of 20 to 1 or worse. This isn't a bank or office environment where everyone walks in in the morning and "their" PC is sitting on "their" desk ready for "them" to use.
You can't just buy more PCs - in many cases there isn't even the space, let alone the budget.
Finally, email is an insecure transmission medium unless everyone uses digital signatures and site-to-site link encryption. However neither infrastructure is in place in the NHS because there were far sexier projects for the previous Government to piss all our tax money away on. NHS Mail is the closest there is and for Acute sites it is far from an optimal solution.
AC for obvious reasons. Despite all the heartache I *like* my IT job in the NHS!!!
I'd have thought the main problem with the validity of a fax when a signature is necessary is that you have no proof that it wasn't just copied onto the document. Without sight of the original you just do not have that ability hence I'd consider faxes where signatures are required as a pretty insecure and shitty way of doing things.
... whereas the ICO needs a management change,
Chris Graham and his colleagues in the Data Protection Racket are a vacuous waste of space.
The ICO seem to exist only to obstruct effective DPA enforcement against corporate data crooks, and as a Sword of Damocles over public sector IT.
If (for example) BT & ACS:Law can escape serious penalties for revealing acutely sensitive personal information to the internet at large despite a court order compelling them to encrypt... what earthly purpose does the DPA serve?
Because data management is still in the 1970s. Hospitals dont use computer based records - it is all paper. Accordingly, the paper records get faxed.
GPs do use computer based records and information to GPs does tend to be emailed - it is communication within secondary care that relies on this arcane practice.
However, when people move between GP practices, a record summary is printed out and then the new practice types it all back in (though this will change with GP2GP electronic transfer).
"Censure" SFW.
"Fine" Guess we'll have to ask for more in our budget allocation next year.
But "Stated a policy then *failed* to implement it (or made no effort to find out if it *was* implemented)" Goodbye.
Now that *might* improve things a bit.
And of course "Connecting for IT" has only been running what 14 years?
I work with NHS data, and I frequent receiving unencrypted, unprotected patient data via email. Lack of training and, for many staff, lack of alternative.
No PGP, no winzip (with encryption), no training, and, even if they have winzip (rare), you generally can't send encrypted zip files, since their mail-servers will reject them...
We can generally find a secure work-around, but it's rarely easy or convenient.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
