Takeaways from the NHS data security report: What can we learn?

The U.K.’s national data guardian, Fiona Caldicott, recently issued a series of new data security standards for organizations in the healthcare space, in a report titled “Review of data security, consent and opt-outs.” Meanwhile, the U.K. Care Quality Commission (CQC) published “Safe data, safe care,” a review of standards used by the country’s National Healthcare Service (NHS).

Both reports’ findings stress the importance of transparency in handling medical data, as well as the need for a more interactive dialogue with individual patients about the security of their sensitive information. These standards are likely to set a strong example for healthcare data security around the world.

Below are three other lessons the U.S. can take from the U.K.’s report:

Restrict – and update – access permissions.

Caldicott’s report notes that users should only have access to confidential data if they need it. It also suggests that all organizations review the processes for handling sensitive data at least yearly to weed out policies that allow data exposure. Those annual reviews should also ensure technology is up to date and employees are educated about their responsibilities. Every company in every industry can benefit from frequently reviewing access permissions, limiting them to the users critical to a given task and keeping employees in the loop about security threats.

Lead by example.

According to the CQC, the NHS organizations that demonstrated the best data security practices had a few aspects in common:

When executives distance themselves from data security efforts, and cumbersome protocols require staff members to find more efficient workarounds, organizations suffer – and so do patients.

Give end users control over privacy.

Trust is a key factor in both the healthcare industry and successful data security plans. Patients trust doctors, hospitals and medical facilities to diagnose problems and work toward cures. They also trust medical professionals to keep records and identities secure – just like any end user sharing personal information with an organization.

Become a superhero for your sensitive data.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.