87% of UK healthcare organisations are putting patient data at risk, survey reveals

Published: 14-Oct-2015

Just 13% of healthcare employees are restricted from logging onto multiple devices concurrently, while 44% do not even have a unique login ID, reveals IS Decisions research


Concurrent logins, manual logoffs, password sharing, and a lack of unique logins are putting patient records at risk, new research has revealed.

A report by security software provider IS Decisions found that, despite increased pressure from the Information Commissioner’s Office on NHS data protection practices, 87% of healthcare staff are still able to log on to different devices and workstations concurrently, just 37% are required to log off manually, and 44% do not have unique logins.

The report, Healthcare: data access compliance, highlights several issues that have a direct effect on the security of information within the healthcare industry.

Access to personal data can be life dependent, so a reliable access management procedure and system must be in place. According to the report, 69% have access to patient data, which is worrying given that 44% do not have unique logins for this access, making proper user identification impossible. Only 13% are restricted from concurrent access, yet such a restriction is necessary because attributing an action to a person is difficult when the same user can be logged in from multiple devices and locations at once.
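As an added illustration (not part of the IS Decisions report or this article), the check below flags the two conditions the survey names, concurrent logons from different workstations and sessions that were never manually closed, over a constructed session log; the record format, user names and workstation names are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Session:
    user: str
    workstation: str
    logon: datetime
    logoff: Optional[datetime]   # None: the user never logged off

def parse_sessions(lines: List[str]) -> List[Session]:
    """Parse constructed 'user,workstation,logon_iso,logoff_iso' records ('-' = still open)."""
    out = []
    for line in lines:
        user, ws, on, off = line.strip().split(",")
        out.append(Session(user, ws, datetime.fromisoformat(on),
                           None if off == "-" else datetime.fromisoformat(off)))
    return out

def concurrent_logons(sessions: List[Session], now: datetime) -> Dict[str, List[Tuple[str, str]]]:
    """Per user, pairs of distinct workstations with overlapping sessions (open = until now)."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, sess in by_user.items():
        pairs = set()
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                overlap = a.logon < (b.logoff or now) and b.logon < (a.logoff or now)
                if overlap and a.workstation != b.workstation:
                    pairs.add(tuple(sorted((a.workstation, b.workstation))))
        if pairs:
            findings[user] = sorted(pairs)
    return findings

def unclosed_sessions(sessions, now, max_age=timedelta(hours=12)):
    """Sessions left open longer than max_age: no manual logoff ever happened."""
    return [(s.user, s.workstation) for s in sessions
            if s.logoff is None and now - s.logon > max_age]

SAMPLE_LOG = [  # constructed sample: a nurse on two PCs at once; a doctor who left a ward PC open overnight
    "nurse.a,WARD3-PC1,2015-10-14T08:00:00,2015-10-14T09:00:00",
    "nurse.a,THEATRE2-PC,2015-10-14T08:30:00,2015-10-14T10:00:00",
    "nurse.a,WARD3-PC1,2015-10-14T10:30:00,2015-10-14T11:00:00",
    "dr.b,WARD1-PC,2015-10-13T18:00:00,-",
    "dr.b,WARD1-PC,2015-10-14T09:00:00,2015-10-14T09:30:00",
]
NOW = datetime.fromisoformat("2015-10-14T12:00:00")
```

Running `concurrent_logons(parse_sessions(SAMPLE_LOG), NOW)` reports only the nurse, since the doctor's overlapping sessions are on the same workstation, while `unclosed_sessions` reports the ward PC left logged on since the previous evening.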

Digital security research director at ABI Research, Michela Menting, said: “Security and privacy regulations regarding the processing, storage, and transmission of patient data — such as HIPAA, HITECH, EU directives, breach notification requirements, as well as associated penalties for non-compliance — can serve as a first critical element to ensure security is taken more seriously.”

Fran Howarth, senior analyst at Bloor Research, added: “In 2014, 42.5% of the breaches identified by the Identity Theft Resource Center occurred in the medical/healthcare sector. This report sheds light on best practices, providing a checklist that organisations would be well advised to follow to become compliant to HIPAA and the Data Protection Act.”

The report also covers security training, both for on-boarding new employees and for those already settled into their jobs. It found that 48% of healthcare professionals did not receive any security training when they were employed, and only 41% of existing employees received IT security training.

The figures on access, logins and password sharing, together with those on IT security training, show the need to first implement a sound access management system and, second, to train staff so as to raise awareness and build accountability.

Francois Amigorena, chief executive of IS Decisions, said: “Unlike an office where employees have designated computers and workstations, doctors and nurses are always on the go, moving from operating theatres to patient rooms and so on.

Healthcare organisations need to protect the patient’s right to privacy while ensuring healthcare professionals get the necessary access to provide the best treatment for their patients.

“Information of this critical and confidential nature should only be accessible by authorised users and it really should not be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.”
