Health sector incidents expose vulnerabilities in data protection


July 20, 2023 - Data breaches remain prevalent in the UK because of heavy reliance on digital systems and the increasing frequency of sophisticated cyberattacks that exploit vulnerabilities, extort ransom payments through ransomware, and exfiltrate sensitive data.

Recent health data breaches

According to statistics published by the Information Commissioner’s Office (ICO) for the 2023-24 financial year, the UK health sector reported 1,772 suspected data breaches. Over a quarter (27 percent) of these related to personal data sent to the incorrect recipient, and a further 16 percent were attributed to unauthorized access. Another 12 percent were attributed to loss or theft of devices or paperwork, or to data left in unsecured locations. In other words, over half of the reported incidents are attributable to failures of fundamental security controls, not to sophisticated malware or ransomware attacks.

Additionally, 21 percent of the incidents involved “unknown” data types, and 41 percent of the data breaches were reported after the 72-hour deadline. These figures indicate that data classification and incident management procedures need work: preparation, detection, assessment, and response are all critical phases for achieving regulatory compliance. In 14 percent (256) of the incidents reported, the number of data subjects impacted was unknown. This suggests a lack of maturity and an inability to achieve and maintain digital trust, arising from inadequate or ineffective data mapping and technical controls.

Protecting people

Privacy risk management is impossible without an understanding of processes, systems, software, and the supply chain. Appropriate implementation of data protection controls and application of data protection principles would significantly reduce the likelihood and impact of privacy harms arising from health data breaches. When assessing privacy risks, avoid arbitrary criteria based solely on the number of individuals affected. Instead, consider the potential harm to individuals based on the types of data and their specific circumstances. A breach impacting one person could have more severe consequences than one impacting thousands; it is all about the context, data types, and individual situations. For example, 60 percent of the incidents reported by the health sector involved health data, 18 of which involved deeply personal gender reassignment data, and 19 breaches included genetic or biometric data.

This is not about the fear of fines and reputational damage; it is about protecting individuals from harms caused by breaches of their personal information. Since April 2022 there have been eight instances where the ICO took enforcement action in the health sector. Seven of these related to the NHS or NHS Trusts, with the other a prosecution against a former health advisor. With health data there is a heightened severity of potential privacy harms and of the impact these can have on individuals. One of these data breaches, arising from an error in a live environment, resulted in prospective patients being excluded from a liver transplant list, whilst another, caused by an email sent using the ‘Cc’ field to a high-risk group of patients accessing HIV services, led to recipients recognising other individuals.

Toolkits for protecting health data

The NHS has governance frameworks and toolkits in place for protecting the confidentiality of people’s health and care information, and it is important to use them properly by adhering to the eight Caldicott Principles, the NHS Data Security and Protection Toolkit (DSPT) with its 10 Data Security Standards, and the NHS Digital Technology Assessment Criteria (DTAC). Even where these are not directly applicable or required, other parts of the healthcare sector, and any organization handling health data, would do well to use these resources to inform their approach to the governance and protection of such data.

Processing health data is a responsibility that extends beyond medical care providers and health-tech solutions. Every organization handles differing amounts and types of personal data during the employee lifecycle in the form of sickness and injury records, occupational health schemes, medical examinations and testing, genetic testing, and monitoring.

Trust in any organization is eroded by failure to adhere to the foundational principles and controls of information security and data protection. If the healthcare industry and the NHS get this right, respect privacy, and protect data, the opportunities are there to harness health data to make the provision of healthcare more accurate, efficient, and accessible.

Read more about digital trust and AI in healthcare in Keeping up with cyber risks in AI-powered healthcare wearables by Jeanne Greathouse and Ethical considerations of AI in healthcare by Shusma Balaji. For more insights from Matthew Goodbun, read Why the social layer of data protection isn’t enough and How EU regulations are shaping digital standards. Visit BSI's Experts Corner for further insights on other digital trust, privacy, information security, and environmental, health, and safety topics.