A healthy approach to information security

Transnationally, criminals and hackers are increasingly focusing on personal information from the health sector as a rich source of individuals’ personal details – a valuable commodity when it comes to activities like fraud and identity theft. The high value placed on medical records is due to the wealth of information they contain; i.e. names, addresses, National Insurance numbers, employment information and sometimes even financial information. Indeed, a reported 12 million medical records have been hacked or stolen so far in the United States this year – a chilling trend which emphasises the importance of effective healthcare information maintenance worldwide.
    
Professional information destruction (ID) is one of the most straightforward security measures a hospital or health centre can implement to help combat the risk of crime. While it may not be as immediately obvious as the need to protect valuable onsite equipment or the personal security of staff and patients, careless disposal of patient and staff records can lead to irrevocable reputational and financial damage.

Therefore it is vital that, with the help of a trusted information destruction company, hospitals and health centres alike can effectively protect private and confidential information from falling into fraudsters’ or criminals’ hands.  

NHS Surrey breach
As recently as 2012, there was an information security breach at NHS Surrey wherein computers containing confidential files were sold on eBay without the hard drives being wiped or destroyed securely. It was one of the biggest security breaches ever witnessed by the now dissolved NHS Surrey, and was primarily caused by the handing over of old computers to a new service provider who was not compliant with essential standards.
    
Commenting at the time of the NHS Surrey breach, Adam Chandler, chairman of the BSIA’s Information Destruction Section, asserted: “Organisations tend to ‘turn a blind eye’ when it comes to selecting an information destruction service provider. The dangers associated with doing this were highlighted perfectly recently, when the Information Commissioner’s Office (ICO) issued a £200,000 fine to Surrey NHS for engaging with an unapproved supplier who was promising a cut price job for the value of the material they were supposed to be destroying. In this case, it was computer equipment – some of which ended up on eBay.”

Who should be responsible?
There can sometimes be a question mark over who is responsible for ensuring that confidential documents are discarded. When asked about his experiences with information destruction in the health sector, Anthony Pearlgood, a member of the BSIA’s Information Destruction Section, stated that: “Only a small fraction of organisational waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs are destroyed annually by professional firms.”
    
“It is important that key decision makers do not make these choices lightly, and are sure to source a reputable supplier that meets the relevant standards,” he added.

So what are the key considerations for decision makers when it comes to the destruction of healthcare information?

Don’t ignore data protection
Non-secure disposal of data can lead to long-term damage to a hospital or health centre’s reputation. Such behaviour appears careless and incredibly disorganised to the public. Indeed, since the Data Protection Act of 1998 (which aims to balance the rights of the individuals and organisations who are legitimately holding and using their information), proficient ID procedures have become much more strictly regulated. In 2010 the Information Commissioner’s Office (ICO) was given additional enforcement powers, enabling it to issue penalty fines of up to £500,000 in the case of a data breach. The Act regulates the processing of personal data, held both manually and on computer.
    
It’s wise to be shrewd as to what constitutes ‘information’, as the term covers an array of things; i.e. paper, credit cards, SIM cards, media equipment, CDs, DVDs, hard disks, and hard drives. It is also important to consider the processing of branded products such as uniforms – should they fall into the wrong hands, unwanted intruders with malicious intentions could gain access to restricted areas by impersonating healthcare personnel.

There are particular standards that need to be adhered to by companies that are responsible for information destruction. Such standards guarantee that the service being provided is secure and professional, an essential requirement of the Data Protection Act.
    
Once they have served their purpose, all confidential materials should be destroyed (either on-site or off-site) to the extent that they may never be reconstructed. ID companies should provide the customer (health institution) with a full audit trail, including a certification of destruction.
    
A key European standard for ID (EN15713) details the range of requirements that an ID company must meet: they must have an administration office on-site where records and documentation are kept; premises should also be isolated from any other business or activities operating on the same site; intruder alarms that are closely monitored by an Alarm Receiving Centre (ARC) should be installed on the property; and finally, CCTV should be placed at the points where the unloading, storage and processing of information is conducted. The vehicles that transport the information due to be destroyed should also be fully secure.
    
There is also a British standard (BS 8470) that ID companies should comply with. According to BS 8470, ID companies must identify product-specific shredding sizes, guaranteeing that the information is destroyed to the point of irreparability. The BSIA’s dedicated ID section comprises companies that are inspected to both of these standards, amongst many other important principles, making them reliable service providers.

Source a reputable supplier     
When it comes to data security in the health sector, there is no room for complacency, particularly when it comes to sourcing a reliable ID provider. It is absolutely essential that decision makers choose a company that meets the essential standards highlighted above.
    
Members of the BSIA’s Information Destruction Section all adhere to these standards and meet rigorous membership criteria.

Further, the ID section of the BSIA follows a specific code of ethics that solidifies the section’s dedication to providing the best service for their customers.
    
Adam Chandler, Chairman of the BSIA’s Information Destruction Section, comments: “The commitment of BSIA members to best practice enables us to help our customers at a time when their businesses are most at risk from fraud.”
    
When it comes to ID there is no room for risk to healthcare providers, be it financial (in terms of fines) or reputational. To find out more about the ID section of the BSIA and their code of ethics, or to locate a trusted and professional ID service near you, visit the association’s website.

Further information
www.bsia.co.uk/information-destruction