At our Winter Conference 2017 the MLACP are looking at various aspects of ‘securing’ your practice, with keynote speaker Paul Davidson looking at the impact of cyber crime. In an interview prior to his talk, Paul discusses his concerns for healthcare professionals and why he thinks they are vulnerable.
Health services in the UK continue to evolve and fragment. To the external observer there is an increasing blurring of the lines between NHS provision and the private sector. I am a risk and security expert; my interest is not particularly in the politics of this emerging landscape of healthcare, although as a potential patient, I care. My interest lies in how sensitive personal data is collected, stored and shared in this developing commercial environment.
I have personally managed the response to some of the most complex information security issues in the UK. In my professional career I have regularly met, and been audited by, the Information Commissioner. I am quite confident that the way in which many smaller healthcare providers manage sensitive data is a looming crisis. I have spoken to some of these providers; the overwhelming majority are good people providing a good service. However, it’s troubling to note that many do not understand their obligations, or possess the most basic knowledge of information security and Data Protection Principles. Why is this troubling? A few facts may help:
The Act currently allows for a fine of up to £500,000. The healthcare sector was the fourth largest recipient of fines in 2017. A private healthcare provider was fined £200,000 for a data breach (ICA.Org). Notwithstanding the impact of a punitive fine, a business also needs to consider the reputational damage of having to inform its clients of the misuse of their personal data.
The near future presents more of a challenge. The new GDPR regulations come into force in May 2018. This increases the legal liability on organisations that handle personal data. The new fine structure raises the maximum to 20 million euros, or 4% of annual turnover, whichever is the greater. The current Information Commissioner recently commented: ‘this is a game changer’.
So what can be done? Small business owners do not have compliance teams or data protection officers to manage these issues. Unfortunately, the liabilities that they face are the same. The good news is that with a modest investment in time, and by auditing and then implementing some new business practices, they can go a long way towards mitigating these risks.
To find out more, attend our conference.