What medical devices and processes pose a risk to GDPR?
Christine Sabino, senior associate at data breach claims experts Hayes Connor solicitors, takes you through the medical technology that might put you at risk of data breach.
The impact of COVID-19 on the medical world has been astronomical. The added pressures on doctors, nurses, and admin staff have no doubt brought more stress than ever before. That said, this additional pressure on the NHS may have more issues than it may seem at first glance; we’re talking data breaches.
The speedy transition from face-to-face consultations to our reliance on the virtual world means the entire healthcare landscape has changed. Couple this with the lack of staffing and increased workload, and it’d be no surprise if mistakes were being made.
The question is, what impact might this be having on the protection of patient data? What’s more, what medical devices and technology should staff be careful around to avoid data breaches?
What technologies put patient information at risk of a data breach in the medical world?
In order to get a full sense of the ways in which sensitive patient data might be at risk of being breached, we need to fully understand what technology could cause a breach. Some very simple, but often overlooked, examples include:
Home working tools and apps
The transition to home working meant that companies across the world had to quickly adapt in order to work efficiently, and protect customer data. Some examples of how UK companies, including medical staff, could have made the transition smoother include:
- Secure networks to work from should have been made accessible at home.
- Work laptops should have been provided and, if not, personal laptops should have had anti-malware installed.
- GDPR training should have gone ahead for any new data handling processes.
For those who didn’t act quickly enough to put these safeguards in place, customer and company data was at risk. Unfortunately, a recent data breach survey commissioned by data breach claims experts, Hayes Connor, revealed that companies across the UK simply didn’t act quickly enough to prepare their staff and customers for this transition.
In fact, 1 in 5 employees surveyed said they had received no data protection guidelines whilst working from home during lockdown. The survey was carried out in late 2020, showing that even many months after the pandemic began, protections were not prioritised. Without the processes in place to protect this information, and with many data breaches going undetected for months after the fact, who knows what effect this may have.
As the world continues to rely on technology, the medical world must keep up. Recent discussions about smart healthcare have come to the fore, which “uses a new generation of information technologies, such as the internet of things (IoT), big data, cloud computing, and artificial intelligence, to transform the traditional medical system in an all-round way.”
This will, no doubt, have a hugely positive impact on healthcare systems, making them more efficient, convenient, and personalised. That said, the more reliant we become on this tech, the more at risk we all are of data leaks. Keeping everything online, and relying more on smart tech for patient handling, increases the risk of hackers beating the systems.
The pandemic caused a huge shift in the way patients have been seen by doctors, GPs, and midwives. Now, most consultations occur over the phone or via video call. This could pose threats to the confidentiality of patient consultations.
For example, most of the time a link is required to access the correct video chat. However, if the wrong link is sent to the wrong person, it could mean a stranger enters a private consultation between a doctor and patient.
This has also given hackers a new avenue to gain valuable patient information through the back-end servers of the video platforms themselves. Ultimately, it opens up a whole new level of data leakage opportunities.
We can’t forget about the very simplest device: the computer. These days, with most organisations going paperless, almost all medical records can be found on a computer. Naturally, these will be secured using encryption to ensure hackers have little chance of getting into them.
That said, this doesn’t mean that simple human error won’t cause a breach. In fact, even just leaving the computer unattended and unlocked for anyone to see could lead to a breach. Especially with many admin staff working from home, sensitive information may be open for all household members to see.
In a similar vein, the very simple email tool could pose a whole host of data breach problems. One of the biggest problems we see in our work at Hayes Connor is emails being sent carelessly. For example, emails may be sent:
- To the wrong email addresses
- With the wrong attachments
- With the wrong information
- Without hiding the email addresses of all the other recipients
It’s these simple slip-ups that pose a huge threat to patient data, and could lead to a whole host of consequences.
What consequences can a medical data breach cause?
The consequences of a data breach can be severe, for both the patient and the NHS. Not only does this mean that the patient is at risk of fraud and identity theft, they may also be at risk of embarrassment and humiliation. After all, the type of information doctors keep is extremely sensitive, and could be devastating if it got out.
In terms of the effect on the NHS itself, its general image could be damaged, and people’s trust in the system could be eroded. In turn, this could mean that people with medical problems don’t seek the help they need, putting lives in danger. It also puts the NHS under further pressure later on down the line due to delayed diagnoses of medical conditions.
Finally, we can’t ignore the financial impact this will have on the healthcare system. For starters, GDPR breaches could incur large fines from the Information Commissioner’s Office (ICO). If it then gets to the point of a court case, court fees and lawsuits could also prove hugely costly.
How can medical professionals protect patient data from a breach?
As you can see, it’s not the complicated medical technologies that are putting patient data at risk. In reality, it’s our increasing reliance on basic technology to store data, and human error whilst using this technology, that is the problem.
In order to combat these problems, and avoid human error within the medical workplace, NHS staff should be trained regularly on processes to avoid them. Some ideas for staff GDPR training include:
- The consequences of a data breach, including the effects on patients and the NHS as a business.
- How to handle patient data, both virtually and when out and about.
- How and why to set up secure passwords across the board.
- Making sure there are processes in place for sending emails, for example checking and double-checking recipients, attachments, and content before sending.
- Knowing how to recognise malicious emails.
- Knowing how and when to use secure networks and email encryption.
- Having a secure place to save important files, and making sure staff save documents there.
- Making sure staff understand the importance of updating apps and devices when prompted.
- Explaining why staff shouldn’t use their work laptops for personal use.
- Having processes in place for when cyber security measures fail.
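The email slip-ups listed earlier (wrong address, wrong attachment, recipients left visible to one another) and the "check and double-check before sending" process recommended in the training list are exactly the kind of thing a mail client add-in or outbound gateway can flag automatically before a message leaves. The following pre-send check is an added example written for this page, not code from the article or from Hayes Connor; the organisation domains, the "sensitive attachment" marker words and the sample draft are constructed placeholders that a real deployment would replace with its own configuration.

```python
"""Pre-send checks for an outbound email draft (added example; placeholder config)."""
import difflib
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumed configuration: placeholder domains, not real organisations.
INTERNAL_DOMAINS = {"example-trust.nhs.uk"}            # our own staff
KNOWN_EXTERNAL_DOMAINS = {"example-gp-practice.nhs.uk",  # regular correspondents
                          "example-lab.co.uk"}
# Assumed: filename fragments that usually mean patient-identifiable data.
SENSITIVE_MARKERS = ("patient", "referral", "discharge", "nhs_number", "record")


@dataclass
class Draft:
    """A message as it sits in the outbox, before the Send button is honoured."""
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    body: str = ""
    attachments: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """'Dr Smith <a@b.uk>' -> 'b.uk' (lower-cased)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def is_external(address: str) -> bool:
    return domain_of(address) not in INTERNAL_DOMAINS


def looks_sensitive(filename: str) -> bool:
    name = filename.lower()
    return any(marker in name for marker in SENSITIVE_MARKERS)


def check_draft(draft: Draft) -> list[str]:
    """Return human-readable findings; an empty list means 'safe to send'."""
    findings: list[str] = []
    everyone = draft.to + draft.cc + draft.bcc
    visible = draft.to + draft.cc          # addresses every recipient can read

    # 1. Recipient exposure: two or more outside parties in To/Cc can see
    #    each other (the "without hiding the other recipients" slip-up).
    visible_external = [a for a in visible if is_external(a)]
    if len(visible_external) > 1:
        findings.append(f"{len(visible_external)} external recipients can see "
                        "each other's addresses; move them to Bcc")

    # 2. Wrong address: a domain never used before, or one that closely
    #    resembles a known domain (a likely typo or look-alike).
    known = sorted(INTERNAL_DOMAINS | KNOWN_EXTERNAL_DOMAINS)
    for addr in everyone:
        dom = domain_of(addr)
        if dom in known:
            continue
        close = difflib.get_close_matches(dom, known, n=1, cutoff=0.8)
        if close:
            findings.append(f"{addr}: domain '{dom}' resembles known domain "
                            f"'{close[0]}' (possible typo)")
        else:
            findings.append(f"{addr}: domain '{dom}' has not been used before; "
                            "confirm the address")

    # 3. Wrong attachment / wrong information: patient data leaving the
    #    organisation, or a body that promises an attachment that is missing.
    sensitive = [f for f in draft.attachments if looks_sensitive(f)]
    if sensitive and any(is_external(a) for a in everyone):
        findings.append(f"attachment(s) {sensitive} look like patient data and "
                        "are addressed outside the organisation; confirm encryption "
                        "and the recipient's entitlement")
    if "attach" in draft.body.lower() and not draft.attachments:
        findings.append("body refers to an attachment but nothing is attached")
    return findings


# Constructed sample draft: a referral copied to two patients and a GP at once.
SAMPLE_DRAFT = Draft(
    to=["dr.jones@example-gp-practice.nhs.uk",
        "patient.a@gmail.com", "patient.b@gmail.com"],
    body="Please see attached referral.",
    attachments=["referral_patient_12345.pdf"],
)

if __name__ == "__main__":
    for finding in check_draft(SAMPLE_DRAFT):
        print("-", finding)
```

The checks are deliberately conservative: they block nothing, they only produce a list of findings for the sender (or a gateway) to confirm, which is the "check and double-check" step made mechanical. The close-match test uses a similarity ratio rather than a fixed list of typos, so a domain such as `example-trust.nhs.co.uk` is flagged as resembling the internal `example-trust.nhs.uk` without anyone having to anticipate that particular mistake.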
Human error needs to be avoided to limit data breaches
Ultimately, it isn’t really the technology itself that is the main issue; it is staff use of that technology that should be addressed. Human error accounts for over 90% of data breaches, through the careless use of tech and the lack of processes in place to use it properly.
The onus shouldn’t be on staff to automatically know how to handle data. There really needs to be company-wide changes to ensure technology is being used appropriately and responsibly.