NHS Warns Staff Over Unauthorized Access to Patient Data
Britain’s health service has warned staff that they could face jail time if found guilty of accessing patient data without a legitimate reason.
Head of the NHS, Jim Mackey, said inappropriate access of medical records was “wholly unacceptable, a disgraceful breach of patient trust and against the law”.
The comments came as the NHS launched a new awareness-raising campaign for staff, in conjunction with new guidance for healthcare organizations on preventing, monitoring and reporting unauthorized access.
The campaign, which urges staff to “not to let curiosity kill your career,” has been prompted by several recent high-profile cases where NHS employees were found to have done just that.
In May, 11 staff were sacked and 14 given written warnings after unlawfully accessing the records of victims of the 2023 Nottingham knife attacks. A month later a Cambridgeshire hospital launched an investigation after around 40 staff accessed the records of a seriously injured child without good reason.
Read more on healthcare data threats: Insider Cloud Data Theft Plagues Healthcare Sector.
It’s not just NHS staff that are breaking data protection laws. Last month, the Information Commissioner’s Office (ICO) issued a former healthcare worker a formal caution after they tried to access and sell the medical records of the Princess of Wales.
The incident took place at a private hospital in London.
NHS Organizations Urged to Put Technical Controls in Place
The NHS guidance on accessing data describes different types of unlawful access and clarifies that, when this happens, staff will be reported to the ICO and police for potential criminal prosecution. They also risk ending their careers in healthcare.
Additionally, the guidance explains how NHS organizations can monitor for unauthorized access and conduct regular audits. Newer electronic patient record systems can flag incidents in real time, it said.
IT teams were urged to put in place technical controls to prevent such incidents from even occurring, such as enforcing least-privilege policies, multi-factor authentication (MFA) and role-based access controls.
ICO CEO, Paul Arnold, said medical data is some of the most sensitive information a person owns.
“Having the ability to view a record is not the same as having a legitimate need to do so,” he added. “Every member of staff has a personal responsibility to respect that boundary, and every patient has a right to expect that they will. Staff who breach that trust face serious consequences: loss of employment, removal of professional accreditation and criminal prosecution.”
Graeme Stewart, head of public sector at Check Point, said the campaign was a timely reminder of the insider risks that all organizations face.
“The NHS has spent the last few years focused heavily on external threats such as ransomware, supply-chain attacks like the one that hit Synnovis, and nation-state activity, and rightly so. But this shows the same principles of zero trust and least-privilege access need to be applied internally as well as externally,” he added.
“The risk is compounded as the NHS pushes ahead with wider electronic patient record rollout and initiatives like the Federated Data Platform, which are designed to make patient data more shareable across trusts.”