A look at the UK healthcare data breach statistics gives the impression that the healthcare industry is being targeted by cybercriminals and the industry is struggling to prevent the exposure and theft of data.
A recent report issued by the Information Commissioner’s Office (ICO) – The UK’s regulator of privacy legislation and the Data Protection Act 1998 – shows that the healthcare sector in the UK experienced 243 breaches between April 2015 and June 2016. To put this into perspective, a total of 545 data breaches were reported during that period across all industries. The second highest industry to suffer data breaches was local government, which reported 62 breaches during that period.
While the UK healthcare data breach statistics look bad, the healthcare industry may not actually be performing quite as poorly as it seems, at least compared to other industry sectors.
Data breaches must be reported to the ICO, although for the healthcare industry, more data breaches are likely to fall within the parameters stipulated in ICO guidance. Healthcare data breaches are therefore likely to always have to be reported because medical data is classed as sensitive. A data breach in another industry sector, even if it involves the same number of records, may not actually be reportable.
The National Health Service also requires all institutions to report data breaches to the ICO. The ICO is notified of all serious incidents automatically, which is not the case with other industries. Data breach reporting is still not mandatory for the majority of industries, with the exception of the communications sector. It is therefore probable that other industries are experiencing far more data breaches than the statistics show. That will change of course. From 2018, new legislation requires all industries to report data breaches. Only then will be get a true picture of how the healthcare industry is faring compared to other industries.
However, the fact remains that 243 data breaches were reported, which is high. The majority of those data breaches could also have been prevented. A high percentage of breaches were caused by human error. Data is emailed or faxed to incorrect recipients and emails are sent to multiple individuals without hiding email addresses using the BCC function. Breaches of this nature can, in the most part, be prevented by ensuring all staff members receive appropriate training.
The loss and theft of devices containing sensitive data is also a problem. It may be difficult to prevent devices from being lost or stolen, but it is possible to prevent the data on those devices from being accessed in the event that they fall into the wrong hands. The ICO considers encryption to be one of the most basic protections for data on portable devices. If data are encrypted, no data will be exposed if devices are lost or stolen.
The healthcare industry must do more to prevent data breaches, but to single out the industry as being particularly bad at protecting data based on current UK healthcare data breach statistics would be wrong.