Earlier this week, the Kent and Medway NHS and Social Care Partnership Trust announced that sensitive patient data stored in its systems was accessed by an employee who was not authorised to do so, but added that the data was accessed only out of curiosity rather than with any malice or intent to commit any crime.
In a letter to affected patients, the Kent and Medway NHS and Social Care Partnership Trust stated that the employee who accessed patient data inappropriately was dismissed and that the Trust reported the breach to the Information Commissioner’s Office without delay.
Patient data accessed out of curiosity
“As an organisation we have become aware of an incident which has occurred involving a junior member of staff inappropriately accessing medical records relating to the name and address of service users through our electronic systems.
“Our investigations into this incident have confirmed that there is no evidence that the individual has used any information they have reviewed for untoward purposes. The records were reviewed out of curiosity rather than with any malice or intent to commit further activity. However this is a very serious incident, and the staff member is no longer working within the organisation,” the letter read.
A spokesperson for the Trust told Kent Online that the Trust remains committed to data security and that every employee is aware of the rules and guidelines that govern the security of patient data.
“Every member of staff is aware of information rights and data protection laws and all we must do to ensure information is treated appropriately and professionally. When a breach is identified, immediate action is taken.
“We work closely with the Information Commissioner’s Office to assist with their investigations and welcome any prosecutions made against those who have accessed information without an appropriate use to do so,” the spokesperson said.
NHS trusts are still vulnerable to cyber-attacks
Even though NHS Trusts and hospitals across the UK have taken various steps in the past few months to avoid data breaches or successful cyber attacks, some of them have continued to face data security incidents.
Last month, the Department of Health revealed that as many as 200 NHS Trusts had failed to meet cyber security standards that are essential for them to defend against sophisticated cyber attacks in the future.
While addressing the public accounts committee at the House of Commons, Rob Shaw, deputy chief executive at NHS Digital, said that every single NHS Trust which the Department of Health had assessed had failed to meet essential cyber security standards set out by Dame Fiona Caldicott, the national data guardian. He added that some of the Trusts had a considerable amount of work to do in order to comply with the standards.
“The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. So some of them have failed purely on patching which is what the vulnerability was around WannaCry”, he said.
“The NHS is currently facing a number of challenges. Not only is it being called upon to modernise, reform and improve services to meet the needs of ever more complex, instantaneous patient demands, it is also facing an ever mounting threat from cybercriminals operating in groups that are much more agile than the NHS itself. This spans not only technological environments, but processes and the people that have access,” said Rob Bolton, Technology Director and GM for Western Europe at Infoblox.
“Because of this, it is not really a surprise that NHS trusts are struggling to pass cybersecurity tests. Our recent research found that 1 in 4 UK healthcare IT professionals do not feel confident in their organisation’s ability to defend against a cyberattack.
“In order for the NHS to effectively defend against cybercrime, IT teams need to carry out regular overviews of their systems, making sure they identify all vulnerable systems, efficient processes for identifying and remediating weaknesses, and have the ability to recognise malicious activity across their network.
“It is also vital that all trusts have a plan in place to deal with a cyberattack relative; external communication to the public and ransom demands are very much a part of this. Minimising disruption is key to ensuring that organisations can continue providing essential services to patients,” he added.