One in four healthcare professionals have reported that their organisation has been the subject of some sort of data breach, new research carried out on behalf of the Information Destruction (ID) Section of the British Security Industry Association (BSIA) has revealed.
This surprising statistic comes from a BSIA survey which questioned key workers in the healthcare sector – including consultants, doctors, senior managers, facilities managers and IT managers – of which over half were from hospitals.
This research underlines the need for the healthcare sector to continue to implement robust procedures to prevent sensitive information from falling into the wrong hands. A parallel survey was also conducted, considering the experiences of the service providers themselves, specifically, member companies of the BSIA ID Section.
The survey of healthcare professionals identified a number of issues and trends associated with the secure destruction of information, whether held on paper or data processing related media. Interestingly, 27% of those completing the survey were aware of a significant data loss incident in their organisation. Of these, two-thirds said that the data breach was a direct result of incorrect disposal whilst, worryingly, another third attributed the loss to the action of criminals, such as theft.
Turning to the type of information that respondents are most concerned about protecting, from unauthorised access, patient records were way out in front, being singled out by half of those surveyed. The second highest, on just over 14%, was financial data.
On a more positive note, when asked if they felt that the threat posed by lost or inadequately disposed data had increased, stayed the same, or decreased over the past 12 months, a significant proportion – 38% – said that, in their opinion, the threat level has actually reduced. Of course, this must still be viewed in the context that the majority believed that the danger was, at the very least, the same as before.
In terms of the action being taken to oversee the destruction of confidential data, 62% of those surveyed confirmed that in their part of the healthcare sector a professional company was being employed – an encouraging figure. However, the fact that 59% of respondents did not know if their approach to such a sensitive task – whether through an outside provider or in-house – actually complied with the critical European standard, EN15713, demonstrates a critical knowledge gap.
Considering what material is most challenging for the healthcare sector to dispose of, the survey results were split evenly between paper and data processing related media such as CDs, memory sticks and computer hard-drives. This shows that, even now, traditional materials like paper still account for a significant proportion of the sector’s data disposal requirements.
Turning to the findings of the parallel survey of BSIA ID Section members, results underlined the growing demand for information destruction services in the healthcare sector, with an impressive 81% of those who replied witnessing a year-on-year increase.
When questioned on why they believed there had been a surge in their healthcare sector business, the leading reason given by ID Section member companies (38%) was a recognition by customers – like hospitals – of the reputational damage that can result from an unexpected loss of data. Other factors cited included: the potential penalties for breaching the Data Protection Act – 20.5% – and an awareness of the fraudulent use of data thanks to high profile cases.
Beyond this, hospitals were highlighted as the healthcare establishment dealt with most by ID Section respondents – in around half of all cases. In addition, facilities managers were singled out by 83% of members as the individuals most likely to be driving data disposal on the ground.
Anthony Pearlgood, Chairman of the BSIA’s Information Destruction Section, commented on the revealing research findings: “Effective information destruction needs to remain high on the agenda for the healthcare sector, even when there may be a feeling, as evidenced by some of the responses we saw, that the threat may be reducing or remaining the same.”
“Given its security-critical nature there can be no room for complacency and, in the current climate of budgetary pressures, the temptation for management to take shortcuts with information destruction procedures like shredding needs to be resisted.”
Anthony went on to add: “In this regard it is good to see that our members are reporting a greater take-up of their services. The reality is that once a data breach occurs – like those reported by a quarter of the healthcare workers we surveyed – experience shows that organisations simply can’t control when, how, or where that information is going to be used, not an ideal state of affairs if we are talking about patient records.”
“Moving ahead, as the BSIA ID Section we recommend that only professional and trusted providers are used. Crucially, these should comply with the key security requirements set out in the EN15713 standard – including site security and material specific shred sizes – and vet their staff to BS87858 so any information held can be destroyed in line with an organisation’s Data Protection Act obligations.”
For more information on secure data destruction and best practice please visit: www.bsia.co.uk/information-destruction