Medical emergency: the very real risk of data breaches in the NHS

Old habits die hard. I’ve always been a bit sceptical of that phrase, but after what we learned at last week’s EBME expo, I’m less than happy to report that that particular adage is as true as it’s ever been – when it comes to data destruction, at least.

Doctor-patient un-confidentiality

First, a little background information for you. Back in 2012, it came to light that computers containing sensitive patient data from NHS Surrey had appeared in the wild, specifically on eBay. It turned out that the group relied on a third-party contractor to dispose of their old equipment. This contractor told them – pinky swear, honest, totally trustworthy – that they would destroy any hard drives prior to reselling used hardware or salvaging valuable materials. Obviously, they didn’t.

Fortunately, the member of the public who acquired these second-hand machines reported the data breach to NHS Surrey rather than, say, passing the data on to the highest bidder. Not everyone is a bad egg, just dodgy contractors.

Interestingly enough, around the same time, Brighton and Sussex University Hospitals NHS Trust had precisely the same problem: confidential patient data had turned up on computers from a certain online auction site. Perhaps they used the same contractor; we don’t have that information, but it certainly seems like an unusual coincidence.

Either way, the end result was that these organisations were found guilty of breaching the Data Protection Act by improperly disposing of (or failing to ensure proper disposal of) sensitive information. The Information Commissioner’s Office (ICO) levelled fines of £200,000 and £260,000 at NHS Surrey and the Brighton and Sussex Trust respectively. These figures are absolutely not to be sniffed at, but bear in mind – these fines were issued before the roll-out of GDPR. In this day and age, those penalties would likely have been much higher.

Same old same old

This brings us to last week’s exhibition. The Electronic and Biomedical Engineering (EBME) expo showcased the latest and greatest in technological innovation within the medical field. Data security may have been a niche within a niche at such a show, but we felt that, with such a history of data breaches within NHS organisations, there was certainly something for us to talk about. From our conversations with show-goers we learned two key things.

One, that most people don’t know a thing about where their or anyone else’s sensitive data ends up. We heard the stock response of “we just give our old equipment to the IT department” more times than we’d care to count. What exactly the IT department does with said equipment remains to be seen; they could do anything from chucking old drives in an industrial shredder, to merely giving them a quick wipe and sending them on their way.

And two, there are still folks out there engaging in exactly the kind of behaviour that cost those NHS Trusts so dearly a few years ago. One chap I spoke to proudly told me he was in the business of refurbishing and reselling old hardware from institutions such as hospitals. This often means giving hard drives nothing more than a cursory format, which, as you’ll know if you’ve been paying attention, does next to nothing to actually remove the stored data.

Don’t let that data get away!

So what’s the solution to this ongoing disregard for the safety and security of personal data? We believe it starts not with us shilling our products (as much as we enjoy that) but with raising awareness. If we can make more people aware that simply handing off hardware to their IT department isn’t the end (and may in fact be just the beginning), people could start asking questions and challenging the processes within their own organisations.

Disposal of sensitive data must be done securely and thoroughly. The tendency amongst medical institutions, as well as many others, is to let a third party carry out the job for them. But is that just asking to end up like those aforementioned NHS Trusts, landed with a massive fine and damaged reputation? Not necessarily.

When choosing a partner to outsource equipment recycling or disposal to, it’s vital to choose someone who can provide as thorough an audit trail as they can, while allowing you to witness first-hand as much of the process as possible. That might mean bringing an industrial shredder or a degausser to your site to dispose of hard drives “while you wait”. Many recycling companies now offer reports and certificates detailing the steps that equipment has passed through and the people it has changed hands between, allowing you to follow the process from start to finish. Verifying that your chosen partner is ISO accredited is also very important.

One matter which always causes a stir is price, particularly when a disposal firm offers to do the job for free. As tempting as it is to accept such a charitable offer, it should throw up significant red flags – especially if the company in question doesn’t provide a solid audit trail or lacks accreditation. Nothing in life is free, and chances are if they’re not getting paid then they’re looking to make their money back in some other way.

Passing confidential data to a third party will always carry an inherent risk, even with all the audit trails and assurances in the world. Of course, we’d never suggest that third parties can never be trusted. We’ve sold equipment to recycling companies ourselves, so that’d make us hypocrites. The fact remains that the more people lay their hands on a piece of equipment, the greater the risk of a data breach. Policy within some organisations prohibits third parties from being involved with internal hardware or data at all. In instances like these, in-house disposal and recycling are the only option.

We feel there’s one key fact that IT departments should bear in mind: hard drives are cheap. It’s usually better value to destroy a drive, ensuring the data is totally inaccessible, and buy a new one, than it is to thoroughly erase the drive – which takes a long time and further harms the drive’s lifespan – just to save a few quid. With that in mind, our suggestion would be to invest in degaussing or crushing equipment. This typically works out cheaper than hiring a shredder or similar heavy-duty gear, and such equipment is portable enough to be transported between sites to operate an internal recycling service.

Whatever the case may be, we feel it’s important that IT teams and end users are aware of the value of secure data disposal. After all, nobody wants a £200,000 fine pointed in their direction for something that could have easily been avoided. Don’t be afraid to ask questions of your own organisational processes; you might just be surprised.