Comment from Webroot on NHS patients’ private medical information leaked
February 2022 by Matt Aldridge, Principal Solutions Consultant, Carbonite Webroot
Private medical information about tens of thousands of NHS patients has been leaked in a shocking data breach over the weekend. The lost documents contain names, addresses, phone numbers and NHS numbers.
Matt Aldridge, Principal Solutions Consultant, Carbonite + Webroot
“The sheer size and scope of the NHS, its complex supply chain, and the fact that the public sector uses many contractors and outside parties make it a difficult task to manage and secure. It’s therefore unsurprising that breaches of important medical information are becoming more and more common. To meet the challenge of securing the increasing amount of data generated and shared across healthcare networks, organisations need to take a proactive stance with regard to data protection and cybersecurity. Health data is incredibly important to people, and is far more ‘personal’ than other information. This means that the industry is very much in the spotlight, and must address security in multiple ways.
To prevent future data leaks, there must be robust measures in place to reduce the risks as much as possible and strict controls on how patient data can be stored and transmitted. Staff training is also essential for defending against cyber-attacks, and employees need to know what to look out for. The training materials used need to be updated continuously to reflect the latest threat trends, and regular simulations should be run to ensure that the training has the desired effect. Training will help prevent data leaks like this one, which seemingly occurred due to an employee error.
There is also the added importance of having unique passwords for each service and enabling two-factor authentication whenever possible. Individuals should also remain vigilant in scrutinising the types of emails they receive – and this should be underpinned by cybersecurity technology such as email filtering and anti-malware protection.
Finally, in this case it appears that inadequate data archiving measures were in place to ensure compliance with data protection regulations – it is important that archiving and backup processes are carefully considered to ensure the most effective data protection outcome. Policies and processes should also be in place to prevent confidential materials being sent via email or being extracted to external USB storage.”