NHS Security Breaches Continue

Given the level of fines (“Civil Monetary Penalties”) the Information Commissioner’s Office levied against the NHS in June, you would be forgiven in thinking that the Health Service would have exerted considerable effort to preventing any further fines.

However, this doesnt seem to be the case.

Since we last discussed this, the NHS has been subjected to £460,000 worth of ICO fines – and again, the common thread seems to be that these were easily identifiable, and easily preventable problems.

The most recent fine, as reported on the ICO site, was a £175,000 penalty levied against Torbay Care Trust, following the publication of a huge amount of sensitive information on the Trust’s public web pages.

From the press release:

Staff at Torbay Care Trust published the information in a spreadsheet on their website in April 2011 and only spotted the mistake when it was reported by a member of the public 19 weeks later. The data covered the equality and diversity responses of 1,373 staff and included individuals’ names, dates of birth and National Insurance numbers, along with sensitive information about the person’s religion and sexuality.

This is a pretty serious failing in both their collection and handling of what is very sensitive personal data. In light of the nature of the information, it is actually surprising that the ICO only levied a £150,000 fine – as that works out at basically £109.24 per record breached.

The release continues:

The ICO’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.

So again, we can get an early indication of one of the root causes for this significant breach in both the trust employees place in their employer, and the good practice requirements laid down by laws.

Based on the publicly available information, there are two significant factors around this breach.

First and foremost, the Trust should never have collected this data in this manner and the very existence of records which linked individuals to sensitive “diversity monitoring” data needs to be questioned. Nearly every employer issues a questionnaire along these lines to new employees, and in almost every instance there is a statement to the effect that the monitoring will be kept anonymous and only aggregated figures will be used.

There is no real reason for the Trust to maintain a record of ethnicity, religion, sexual orientation (etc) linked to the specific individuals who have made those statements, and it seems likely that the practice of doing so will place the Trust at risk of discrimination claims in the future.

Where this data is collected for legitimate monitoring it should always be kept separate from any other employee “onboarding” documents. Failure to do so indicates some very serious process problems.

Secondly, and sadly the most repetitive part of the problem is that this accident is primarily the result of failing to invest in good security awareness training. There is no justification for failing to make your employees aware of good security practices around the types of data you hold. Not only does it indicate a lack of management commitment to security, it places your organisation at risk of a range of security breaches which will invariably cost significantly more than the cost of training. To compound the mistake, post-breach you still need to pay for the security awareness training.

In this instance, rather than spend around £10 – 15,000 for a good awareness training package, Torbay Care Trust has ended up with a fine ten times that sum and a major breach of the trust its employees have placed upon it. In the future it is likely that people wont be truthful when they complete monitoring forms and there will need to be a significant effort expended to reassure both the public and employees that the Trust takes care with their data.

There is one caveat with this, however, in that security awareness training is not a magic bullet. It is vitally important, but you will still have breaches (accidents, malicious or lazy employees etc). However, if you have a good training program in place then not only can you use it to deflect the Monetary Penalty, but you create the ability to take disciplinary action against the correct people. Unfortunately in most cases, the lack of awareness training means that the organisation has to simply absorb the costs of the breach without any recourse.

As a footnote to this discussion, it is interesting to see what the Trust’s response to the breach has been:

The Trust has now introduced a new web management policy to make sure personal data is not mistakenly published on their website in the future.

This is certainly a step in the right direction, but it is – at best – part of the solution. Not having had a web management policy is pretty shocking but bringing one in without properly educating the staff in how it works, and why it is needed, means there is a strong likelihood that more breaches will happen.

Only when every employee fully understands the sensitivity of the data they handle, can you have any level of assurance that breaches of this nature will be minimised. Everything else is just padding.

There is only one silver lining to this cloud – and that is hopefully other organisations which process sensitive data (in this instance, it was a data set pretty much every organisation has), will look at the events here and use it as an opportunity to review their own risk management strategy.

Remember, good security awareness training is the most cost effective security control you can ever implement. Dont scrimp on it.


Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.