What to do to protect patient data

Recent findings from leading UK data breach law firm Hayes Connor – see Independent Practitioner Today last month – have put the spotlight on the healthcare industry, which has been the leading offender in terms of data breach incidents. 

Solicitor Richard Forrest emphasises the importance of robust security protocols to protect against both cyber threats and human error within the health sector.

Analysis of the Information Commissioner’s Office (ICO) data for 2023 showed that the health sector accounted for a staggering 17.42% of all reported data breaches that year, making it the most frequent violator of all sectors. 

This is particularly alarming, as it indicates a consistent trend, with health data breaches making up approximately one in every five reported incidents annually since 2019.

In 2023, basic personally identifiable information was the most common data type compromised, involved in 73.21% of breaches in the health sector. Exposed health data, unsurprisingly, followed closely at 61.66%. The figures overlap because a single breach frequently exposes more than one type of data.

Concerningly, almost one in five breaches overall involved children’s data, with 142 such cases in the health sector in 2023, raising significant concerns about the safeguarding of vulnerable groups.

The primary cause of breaches was unauthorised access, constituting 18.70% of health sector incidents, followed by emails being sent to the wrong recipient, at 16.22%.

Under the General Data Protection Regulation (GDPR), which came into effect in 2018, organisations are required to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Failure to comply not only results in hefty fines – potentially up to £17.5m or 4% of global annual turnover, whichever is higher – but also damages trust and credibility. 

It is concerning that 43.88% of health sector breaches were reported beyond this critical timeframe in 2023.

Significant repercussions

Since 2019, the ICO data shows how organisations across all sectors are still failing to implement effective security protocols, leaving personal data vulnerable to breaches, which have significant legal and financial repercussions for the entities involved. 

Despite regulatory advancements and the introduction of stricter compliance mechanisms, the rate of data breaches remains a serious concern. 

The recent ICO trends show a continuing need for vigilance and updated compliance strategies from businesses, especially in how they manage and protect personal data against emerging cyber threats and human error.

Doctors and healthcare professionals are particularly susceptible to data breaches due to the nature of the information they handle. 

Healthcare records are densely packed with sensitive personal, medical and financial data, increasing the risk of both accidental and malicious breaches.

High workloads

The healthcare environment also presents unique challenges, such as high workloads and stress, which can lead to errors in data handling. Lack of understanding surrounding the importance of data protection and the myriad ways data can be breached is also a key factor.

Additionally, healthcare systems often involve complex technologies that might not be user-friendly or fully secure, particularly if they are outdated. 

The frequent necessity to share patient information among various stakeholders – doctors, specialists, insurers – multiplies the risk of a data breach occurring. 

While healthcare workers are highly trained medically, they might lack thorough training in data security, further elevating the risk of mishaps.

Here are some practical tips for independent practitioners looking to safeguard their practices.

Employee training 

You should conduct regular training sessions to ensure that all staff are aware of data protection principles and know how to handle sensitive information securely. 

This includes understanding the rights of data subjects, the importance of data security and the procedures for identifying and reporting data breaches.

Access controls 

Implement strict access controls and user authentication to minimise the risk of unauthorised access: give each staff member their own account rather than a shared login, limit access to what each role needs, and use multi-factor authentication on systems that hold patient records. Regularly review who has access to sensitive data, remove accounts for leavers promptly and adjust permissions as roles change.

Secure communication channels

Use secure systems for communicating sensitive information. Avoid using unencrypted email for transmitting personal data, and check recipient addresses before sending; email sent to the wrong recipient was the second most common cause of health sector breaches in 2023.

Regular audits and updates

Apply security updates to software, devices and clinical systems promptly, and conduct regular audits to identify and address vulnerabilities before they are exploited.

Appoint a data protection officer 

Depending on the scale of data processing activities within a practice, it may be advisable to appoint a data protection officer (DPO). Note that under UK GDPR a DPO is mandatory where an organisation’s core activities involve large-scale processing of special category data, which includes health data; smaller practices that fall outside that requirement should still name the person responsible. The DPO oversees data protection strategies and compliance with GDPR requirements.

Design an incident detection and response plan 

Establish and maintain an effective breach detection, investigation and internal reporting procedure. 

This is critical for ensuring that any data breaches are identified swiftly, that the ICO is notified within the required 72-hour time-frame and that affected individuals are informed without undue delay where the breach is likely to result in a high risk to them.

Data minimisation 

Only collect and retain the minimal amount of personal data necessary for your operations. This not only complies with GDPR principles but also reduces the impact of a potential breach.

The continuous high rate of data breaches in the health sector underscores an urgent need for enhanced vigilance and improved compliance strategies. 

By adopting stronger data protection practices and fostering a culture of security, healthcare providers can better protect their patients’ information and avoid the severe consequences of data breaches. 

Independent practitioners must take pro-active steps to ensure that they are not only compliant with legal standards, but are also doing their utmost to protect the personal data entrusted to them.

Richard Forrest is legal director at Hayes Connor