Keeping sensitive data out of the wrong hands

For the healthcare sector, there are many threats to prepare for on a daily basis, whether it be an unwanted intruder in the building, theft of expensive medical equipment or the theft of medication.
    
However, at the forefront of any healthcare organisation’s security plan should be its commitment and capacity to effectively protect the sensitive information and data relating to its patients and staff.
    
Personal information stored within the healthcare sector can be seen by criminals and cyber criminals as the perfect gateway to committing fraud and identity theft. Such information includes names, addresses, National Insurance information, financial details and even information about a patient’s family. As such, it is absolutely essential that organisations take the necessary measures to protect it.

This protection extends far beyond passwords on a computer system: it also covers what is done with that information once it has been used and is no longer needed. After all, if an establishment were found not to be protecting its patients’ information securely, the consequences for its reputation and its future could be severe.

Information Destruction Defined    
When it comes to information destruction, the term ‘information’ extends beyond just words on a page; it covers a wide range of materials including paper, computer hard drives, laptops, hard disks, CDs, DVDs, USB drives, credit cards and SIM cards. Branded products are also on the list, such as uniforms or letterhead paper – if these products were to fall into the wrong hands, it could prove catastrophic for administrators, allowing unwanted intruders to gain access to areas where they are not wanted.
    
With such a vast array of sensitive material needing to be destroyed, it is most important that an organisation uses a trusted and reputable information destruction company. It is not enough simply to destroy the information; it needs to be destroyed by a professional company that holds the right credentials.

Perhaps one of the biggest security breaches within the healthcare sector was made by the now dissolved NHS Surrey back in 2012.

The organisation had handed over old computers to an information destruction company that was not compliant with the necessary standards.

The computers, which contained confidential files, were subsequently sold on eBay without their data being wiped – a huge breach of data security. As a result, the Information Commissioner’s Office (ICO) issued NHS Surrey a £200k fine for its engagement with an unapproved supplier.

Meeting the Standard
A lack of understanding among key decision makers of the core standards that an information destruction supplier should meet may well be the cause of such breaches.
    
Adam Chandler, chairman of the BSIA’s Information Destruction section, commented: “While it’s not just public sector organisations that are prone to data breaches – the average data breach costs private sector firms around £1.9m annually – the sensitive nature of the data held by public sector organisations can expose them to greater reputational and financial risk.
    
“An overarching theme identified by the BSIA’s previous projects is a general lack of understanding when it comes to the standards that should be specified of a professional information destruction supplier. This often leads to organisations specifying unnecessarily stringent requirements with regards to factors such as shred size, transport and destruction processes.”

So what are the standards?
An essential requirement of the Data Protection Act is that an information destruction company must adhere to certain standards in order to maintain a secure and professional service. The purpose of the company is to ensure that all confidential materials are destroyed to such an extent that they can never be reconstructed. A reputable company will then provide its customer with a full audit trail of the process, which includes a certificate of destruction.
    
Companies should also meet the European Standard for Information Destruction, EN15713. The standard outlines a range of requirements the company must meet in order to be classified as a reputable supplier. For one, it lays out strict requirements for the premises on which the information destruction takes place, including: having an administration office where records and documentation are kept; being separate from other businesses or activities taking place on the same site; having an effective intruder alarm on-site that meets EN50131-1 (the European standard for alarms) and is monitored by an alarm receiving centre; and having CCTV systems with recording facilities that monitor the unloading, storage and processing areas of the business.
    
Contracts between the company and the client should cover all existing transactions between the two parties. If the work is sub-contracted, the sub-contractor should also meet the standard and the client should be informed that one is used. Any personnel within the business should also be vetted in accordance with BS7858 and must sign a deed of confidentiality before starting employment.

Chain of Destruction
In terms of the chain of destruction, confidential material that has been collected should remain protected from unauthorised access from its collection all the way through to its complete destruction. Collection should only be made by uniformed and suitably trained staff who carry the necessary photographic identification. If the shredding takes place off-site, the destruction of the confidential material should also take place within one working day of its arrival at the destruction centre.
    
The standard is thorough and goes on to cover all areas of the process, including the security of the vehicles carrying the information, the environmental issues faced by the company and the customer’s due diligence. It is important that the decision makers responsible for procuring an information destruction company within the healthcare sector are familiar with the benchmarks that the company must meet and choose one accordingly.
    
Along with meeting the key European standard, companies should also comply with the essential British Standard BS8470. This details the secure destruction of information and includes the identification of product-specific shredding sizes, guaranteeing that information is destroyed to the point of irreparability.

Sourcing a Supplier
The BSIA’s Information Destruction Section is the leading authority on information destruction best practice, with all of its members adhering to strict quality standards, especially EN15713 and BS8470. The section aims to raise continued awareness among public and private sectors around the importance of secure information destruction. When it comes to information destruction in the healthcare sector, there is no room for complacency.

Further Information
www.bsia.co.uk