Reducing the risk of a breach

Recently exposed data breaches such as the case of the NHS in Birmingham and the North Lanarkshire Council incident highlight how, despite the heightened press interest on data protection issues, the handling of sensitive information is still something that many organisations are failing to get right.         

Responsible for plenty of sensitive patient information, from demographic data such as age, occupation and race to addresses and contact details, health condition and financial information, the health sector is not immune to the consequences brought on by ineffective confidential waste disposal.
With the health sector coming increasingly under scrutiny for the way in which patients data is handled, and the ICO acquiring more powers in 2010 to impose fines on organisations failing to comply with data regulation, effective information destruction strategies continue to play an essential role in the security of companies. The consequences for non-compliance are many, and can bring organisations to their knees, resulting in financial losses and negative impact on customer and stakeholder confidence.

The consequences of breaches
Health care organisations face particular risks, as well as legal obligations. The sector necessarily holds vast amounts of sensitive personal information and nowadays, almost any kind of personal information is valuable to criminals, whether it is residents’ records, financial reports, payroll information or personnel data. The unlawful use of such information contributes to an explosion of identity theft crimes, which allows criminals to obtain goods, credit or services in someone else’s name and could put the institution, customers, or even suppliers, at risk.
In addition, data breaches carry with them hefty fines and bear great financial costs to organisations. In 2010 the Information Commissioner’s Office (ICO)’s powers have been extended, allowing it to now issue penalty fines of up to £500,000 for breaches to the Data Protection Act. Moreover, a UK study sponsored by data protection firm PGP Corporation highlights how, in 2010, the overall costs of data breaches rose for the third time in consecutive years to reach on average £1.9m, with each individual record lost costing UK organisations an average of £71, a 13 per cent year-on-year raise.
Finally, mishandling sensitive information can result in significant reductions in consumer confidence. This can be extremely damaging for all kinds of organisations, particularly for those where patients’ trust is an absolute requisite. Research recently commissioned by the ICO has found that 94 per cent of respondents from the general public selected protecting personal information as one of their main social concerns, same as preventing crime (94 per cent) and more than the NHS (88 per cent) and national security (87 per cent).
Continuous reports of data breaches – such as in North Lanarkshire Council where paper documents containing sensitive information were stolen from an employee’s bag, and the NHS in Birmingham, which occurred due to reportedly lax IT security – prove how well-founded these concerns are, and demonstrate that organisations need to do more to regain consumer confidence and credibility.
There are many ways in which these risks can be countered, however. In particular, it is essential to have clear waste management strategies in place, to be able to integrate these to the wider security strategy and be aware of the legislation surrounding the handling of patient data.

Setting up clear strategies
Only a small fraction of organisational waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs are destroyed annually by professional firms. By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing. Neither method generally involves any kind of secure handling, however it is not uncommon to find much confidential data included amongst general waste, becoming a significant cause of avoidable risk.  
It is not surprising in these circumstances that the rubbish bin is a regular source of prosecutions under the Data Protection Act, just as it has long been a core element of the private detective’s trade.
Effective waste strategies clearly separate the handling and disposing of general waste to that of sensitive material held on documents, PCs and memory devices such as CDs and hard drives. Anyone responsible for the handling of the sensitive data should be extensively briefed on the correct disposal of the material, and should be made aware of the consequences for non-compliance.
According to another report from the ICO the NHS topped the list of security breaches reported involving the loss of personal data since November 2007. The report highlighted how more than 100 breaches by the national health institution were due to stolen data or hardware, 87 due to lost data or hardware and 43 cases due to error.
Simple steps can be taken internally to reduce the risk of breaches, including ensuring all unwanted documents, CDs and DVDs are being properly shredded, wiping clean the information held on old computers before disposing of them and regularly changing network as well as PC passwords.
However, leaving document destruction to individuals can compromise security as items might not be thoroughly destroyed and therefore may be recovered. For this reason, employing a professional data destruction company will ensure law compliance and the highest standard of service, giving institutions the peace of mind that the interests of their patients are protected.
A reliable information destruction supplier should be able to provide sacks that cannot be tampered with and bins to match the office furniture, and that can only be accessed by key. To provide further protection, each collection and sack should contain a unique code so that customers can access a full audit trail of their paper once it has left the building.

Know the legislation
The law sets clear rules for the destruction of personal information. Information destruction suppliers should be able to guarantee under contract that their work is carried out securely and effectively, in accordance to data protection laws. The process consists of waste collection by secure transport, inspection, removal and destruction of rubbish, and the shredding, pulping and recycling or incineration of other material.                  

European Standard EN 15713:2009 describes the essential requirements and operating procedures for a professional information destruction company, including employment practices such as the security vetting of all staff members and details relating to the security of its premises by means of monitored intruder alarms and CCTV systems. Detailed rules are set out for the actual destruction of data, incorporating material-specific shred sizes, and requirements for the security of vehicles used both for the collection and on-site destruction of confidential waste.  
Although many information destruction companies claim to work to these standards, security buyers are encouraged to employ the services of those service providers who have EN15713:2009 incorporated into their UKAS ISO9001 quality management system. This means that they will be independently audited to ensure they continue to comply with the requirements laid down within the standard.
All BSIA information destruction section members are inspected to the European standard, as part of the audit procedure for their obligatory ISO 9001:2008 quality accreditation.
Another significant development in the sector has been the publication of National Occupational Standards (NOS), which encompass all key activities undertaken within the sector. The BSIA worked closely with Skills for Security in developing the NOS, which all member companies incorporate into their training practices. In short, the risks of careless or ineffective data disposal are high but the solution is readily available.

Integrating strategies
Effective waste procedures that set out clear guidelines on the disposal of sensitive information can however prove worthless if the material is not kept securely whilst still in use. It is important for companies to ensure that only trusted and vetted staff have access to confidential or sensitive personal material, and that this is kept securely locked away from unauthorised personnel, patients and intruders.
With large amounts of people accessing the sites every day, health sector companies need to ensure effective security measures are in place at all times to avoid data getting into the wrong hands. This could include installing access control systems and physical security systems such as locks on the doors of the offices where the information is held, ensuring CCTV systems are adequately located to be able to monitor access in and out of the area and mark computer equipment held on site with company details or by using forensic technology to enable property to be traced.

Expert advice
The nature of work conducted onsite and the individual threats and risks that the premises may face, determines what security measures will be required for each individual premise. Making the most of technology and choosing methods that will do the job properly is important but this can be a daunting task, particularly for those who are not familiar with the technologies that are available on the market.
Security consultancies can guide whoever is in charge of procuring the security solutions for hospitals or care homes towards the best security measures that will be of most use. A consultancy will conduct a thorough risk assessment, providing essential advice on security reviews and audits, development of security polices and strategy, guarding services, systems design, tender management and security awareness training. They will work with their client to identify threats and ensure that business continuity is addressed, therefore eliminating the chance for corners to be cut.
The consequences for the careless disposal of sensitive waste are many and can often cause companies a series of problems. For this reason, it is important to ensure that only reliable security providers are given the responsibility to handle such data. Members of the BSIA Information Destruction section securely destroy a range of confidential information, including paper, DVDs and computer hard-drives. The section members also destroy items that could potentially cause problems if they fall into the wrong hands, such as branded products and uniforms, and already have extensive experience supplying solutions to a wide range of customers.

For more information

The British Security Industry Association (BSIA) is the professional trade association of the UK security industry. Its members produce over 70 per cent of the country’s security products and services to strict quality standards.
BSIA members meet strict quality criteria and as such, the Association’s website is a great place to start when considering your next security investment. To locate a supplier in your area, or to find out more about the solutions mentioned in this article, visit