Francis report highlights importance of effective security
The Francis Report followed an extensive inquiry into reported failings at Mid‑Staffordshire NHS Foundation Trust and called for a whole-service, patient-centred focus, in response to the stories of appalling patient suffering. Robert Francis QC, Inquiry Chairman, also criticised the provider Trust Board for its failure “to tackle an insidious negative culture involving a tolerance of poor standards and a disengagement from managerial and leadership responsibilities.” Responding to the report, Mike Farrar, Chief Executive of the NHS Confederation, commented that “this is an opportunity to make the NHS safer, more compassionate and fully accountable to the people it serves.” One way of achieving this higher standard and commitment to a safer environment is through the implementation of efficient security measures. Whether it is public or private healthcare, having sufficient security procedures in place to offer peace of mind for patients – and their loved ones – along with staff, is of the utmost importance.
Efficient security extends far beyond the direct protection of patients and personnel, and applies to all data stored within a healthcare environment containing confidential information about patients and staff. This kind of data should be protected from the outset, and when the time comes to destroy it, this should be done by a professional, reputable supplier. Failure to dispose of such confidential information safely – such as patient records or financial reports – can have detrimental effects on an establishment’s reputation, and if the information falls into the wrong hands, opportunists can find ways of using it to their advantage.
The importance of using a professional information destruction supplier was reinforced this summer, as it was revealed in July that the Information Commissioner’s Office (ICO) is to levy a £200,000 fine against the NHS after computers containing patient records were sold on eBay. The ICO reported that more than 3,000 patient records were found on a second-hand computer purchased through the online auction site. The now-dissolved NHS Surrey had moved away from an approved information destruction contractor and handed over its old computers to a new service provider. In the process, it had failed to ensure that the thousands of patient records kept on the computers had been sufficiently deleted.
According to the ICO, the service provider in question had carried out the data destruction service for free, “with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.”
Earlier this year, the BSIA commissioned its own research into information destruction within the healthcare sector and discovered that one in four healthcare professionals reported that their organisation had been the subject of some form of data breach. The survey questioned key workers in the healthcare sector including consultants, doctors, senior managers, facilities managers and IT managers, over half of whom were from hospitals.
Worryingly, two-thirds of the 27 per cent that were aware of a significant data loss incident in their organisation said that the data breach was a direct result of incorrect disposal of information, whilst another third attributed the loss to the action of criminals, such as theft.
Adam Chandler, the new chairman of the BSIA’s Information Destruction Section, believes that these survey results, coupled with the NHS fine, should be a wake-up call to the healthcare sector at large about the importance of secure data destruction.
“The NHS Trust in question chose to move away from an accredited supplier and failed to set minimum standards for delivery of the contract, or carry out the necessary due diligence on their new supplier,” comments Adam. “This resulted in thousands of patient records effectively ending up in the public domain and serves to reinforce the important role played by professional information destruction companies in keeping our personal and private details safe.”
Research carried out in 2011 by the BSIA found that in many cases, when a company had taken the responsible step of outsourcing its data disposal, it was still unaware whether its provider complied with the essential European Standard EN15713, a basic requirement for any information destruction contract. The standard sets minimum requirements for the transportation, storage and destruction of sensitive information, guaranteeing a good quality service.
“Even if companies claim to deliver a service at a reduced cost, organisations must remember that the financial cost of data losses can more than outweigh any savings that they may make by choosing a less scrupulous supplier,” adds Adam.
Another integral aspect of security is that of access control. Most healthcare environments are made up of a large number of staff working varied shift patterns, along with the patients themselves and a high volume of visitors passing through the doors each day. As well as this transient population, many high value goods such as computers, laptops, projectors and medical machinery are kept on-site, not to mention the personal possessions of staff and patients. Furthermore, an abundance of confidential documents is stored on the premises, as well as a wide range of medication that could be extremely dangerous if in the wrong hands. If any of these secure areas are accessed by unauthorised persons, or if any of this vital equipment is stolen, there could be reputational damage to the healthcare establishment in question, not to mention a loss of patient faith in the security of the premises. Consequently, electronic access control systems are increasingly being used to enhance safety and security in hospitals in order to effectively manage access to restricted areas.
Mike Sussman, Chairman of the BSIA’s Access Control Section, comments: “Having access control technology in place will not only deter criminals, but can physically prevent them from entering the site, whilst offering a versatile and cost-effective way to regulate entry to the premises.”
Access control systems can be utilised to manage access to specific areas of a building, or if necessary, to the entire building, providing 24-hour protection. For example, a door to a medical stock room can be secured by either a magnetic or strike lock and linked with an identification device, such as a smart card and reader or a PIN pad, only allowing authorised personnel to enter the area.
Access control software can also be integrated with CCTV systems for an even more comprehensive security plan. One major benefit of this type of integration is pre- and post-event video recordings initiated by the access control system. Video recordings can be linked with event information, which makes searching for a particular event on the recording much more efficient. For example, if an intruder has entered the building and attempted to breach an access-controlled area by forcing a door, operators can search for ‘Door forced – laboratory 4’, allowing them to easily look at images of the intruder and react accordingly.
BSIA Access Control Section members have a wealth of experience when it comes to securing the healthcare sector. This has been demonstrated most recently by the release of the section’s latest guide, ‘A guide to access control in care homes’, in response to the growing use of private security measures within the care sector over the last year.
A recent survey of the BSIA’s Access Control Section members discovered that 60 per cent of respondents believed the use of private security measures had increased over the last twelve months, with a further 60 per cent anticipating that it would continue to increase over the course of the next year. The survey also found that patient safety and well-being has been, and will continue to be, a primary focus in the care home sector, with 100 per cent of survey respondents revealing that the awareness of duty of care among care home management has also increased over the last year. The guide can be downloaded free of charge from the BSIA’s website.
When it comes to patient safety, no corners should be cut in the healthcare sector, particularly in terms of choosing a quality supplier. It is absolutely crucial that your security provider meets the essential British and European Standards for their product and service; members of the BSIA are all inspected to high quality standards and can offer a reputable service.