Vertical Markets

Healthcare breach survey

by Mark Rowe

One in four healthcare professionals have reported that their organisation has been the subject of some sort of data breach. That is acording to research carried out on behalf of the Information Destruction (ID) Section of the British Security Industry Association (BSIA).

A survey questioned key workers in the healthcare sector – including consultants, doctors, senior managers, facilities managers and IT managers – more than half from hospitals.

According to the trade body this research underlines the need for the healthcare sector to continue to implement robust procedures to prevent sensitive information from falling into the wrong hands. A parallel survey looked at the experiences of the service providers, specifically, member companies of the BSIA ID Section.

The survey of healthcare professionals identified a number of issues and trends associated with the secure destruction of information, whether held on paper or data processing related media. Some 27 per cent of those completing the survey were aware of a significant data loss incident in their organisation. Of these, two-thirds said that the data breach was a direct result of incorrect disposal while another third attributed the loss to the action of criminals, such as theft.

Turning to the type of information that respondents are most concerned about protecting, from unauthorised access, patient records were way out in front, being singled out by half of those surveyed. The second highest, on just over 14pc, was financial data. When asked if they felt that the threat posed by lost or inadequately disposed data had increased, stayed the same, or decreased over the past 12 months, a significant proportion – 38pc – said that, in their opinion, the threat level has actually reduced. Of course, this must still be viewed in the context that the majority believed that the danger was, at the very least, the same as before.

In terms of the action being taken to oversee the destruction of confidential data, 62pc of those surveyed confirmed that in their part of the healthcare sector a professional company was being employed – an encouraging figure. However, the fact that 59pc of respondents did not know if their approach to such a sensitive task – whether through an outside provider or in-house – actually complied with the critical European standard, EN15713, demonstrates a critical knowledge gap.

Considering what material is most challenging for the healthcare sector to dispose of, the survey results were split evenly between paper and data processing related media such as CDs, memory sticks and computer hard-drives. This shows that, even now, traditional materials like paper still account for a significant proportion of the sector’s data disposal requirements.
Turning to the findings of the parallel survey of BSIA ID Section members, results underlined the growing demand for information destruction services in the healthcare sector, with an impressive 81pc of those who replied witnessing a year-on-year increase.

When questioned on why they believed there had been a surge in their healthcare sector business, the leading reason given by ID Section member companies (38pc) was a recognition by customers – like hospitals – of the reputational damage that can result from an unexpected loss of data. Other factors cited included: the potential penalties for breaching the Data Protection Act – 20.5pc – and an awareness of the fraudulent use of data thanks to high profile cases.

Beyond this, hospitals were highlighted as the healthcare establishment dealt with most by ID Section respondents – in around half of all cases. In addition, facilities managers were singled out by 83pc of members as the individuals most likely to be driving data disposal on the ground.

Anthony Pearlgood, Chairman of the BSIA’s Information Destruction Section, says: “Effective information destruction needs to remain high on the agenda for the healthcare sector, even when there may be a feeling, as evidenced by some of the responses we saw, that the threat may be reducing or remaining the same.

“Given its security-critical nature there can be no room for complacency and, in the current climate of budgetary pressures, the temptation for management to take shortcuts with information destruction procedures like shredding needs to be resisted.”

Anthony went on to add: “In this regard it is good to see that our members are reporting a greater take-up of their services. The reality is that once a data breach occurs – like those reported by a quarter of the healthcare workers we surveyed – experience shows that organisations simply can’t control when, how, or where that information is going to be used, not an ideal state of affairs if we are talking about patient records.

“Moving ahead, as the BSIA ID Section we recommend that only professional and trusted providers are used. Crucially, these should comply with the key security requirements set out in the EN15713 standard – including site security and material specific shred sizes – and vet their staff to BS87858 so any information held can be destroyed in line with an organisation’s Data Protection Act obligations.”

For more information on secure data destruction and best practice – visit:

Related News


Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing