
Act to shield personal data

The pandemic has created the ideal conditions for cyber criminals who are taking advantage of changing habits to steal people’s personal information and their money.

There were an estimated 1.7 million computer misuse offences in the year ending March 2021 according to the Office for National Statistics, up by 85% from the year ending March 2019. Cases of unauthorised access to personal information, which included large-scale data breaches, rose by 162%.

This should concern healthcare providers because the amount of personal data they hold makes them a tempting target. A recent cyber security breaches survey by the Government showed that 58% of private businesses hold personal data about customers but this rises to 80% in the health, social work and social care sector and 82% in the finance and insurance sector. Healthcare organisations consistently report the highest number of data breaches to the Information Commissioner’s Office (ICO). The latest statistics from the ICO for 1 July – 30 September 2021 show there were 435 data security incidents in the healthcare sector, compared with 313 for education and 259 for finance, insurance and credit.

Data security oversights can be extremely costly. In addition to the potential disruption and embarrassment, the ICO could also impose a financial penalty if it finds that you had not done enough to protect users’ sensitive personal data.

However, you can boost your defences by following these steps:

  • Invest in security software to protect practice systems from malware such as viruses and ransomware. The software should be set to scan files and webpages automatically, and whole-system scans should be carried out frequently.
  • Don’t use old operating systems, software, internet browsers and apps which are no longer supported by the provider, as they will be inherently less secure.
  • Maintain a Data Protection Policy to ensure your practice complies with data protection law. This is a set of principles, rules and guidelines which ensures everyone understands their data protection responsibilities.
  • Have a practice IT security policy covering aspects of security such as internet and email use, passwords and the safe use of mobile devices (encryption).
  • Provide regular training in cyber security for staff and make them aware of the latest threats, e.g. suspicious emails. Non-compliance with the policy should be a disciplinary matter.
  • Ensure each person has their own username and password that controls their level of access. Passwords should be changed regularly and never shared.
  • Encrypt the sensitive information you send or share, and don’t use standard unencrypted email to communicate confidential information, as it is inherently insecure.
  • Keep track of how data is processed and stored so you are more likely to identify a breach quickly and can take prompt action.
  • Ensure all access is logged for security and audit purposes and that staff have a valid reason to access personal and patient data as part of their work.
  • Back up your systems so that you can restore your data and get back up and running quickly, e.g. in the event of a cyber-attack.
  • Report personal data breaches to the ICO within 72 hours of becoming aware of them, unless you can show that the breach is unlikely to pose a risk to individuals’ rights and freedoms (for healthcare organisations, reporting is advisable). Serious cyber-security incidents can be reported to the National Cyber Security Centre (NCSC) which also has advice on how to manage incidents.
  • Talk to an IT security professional about your IT security measures. The NCSC has guidance and resources for small businesses or you could sign up to the Government’s Cyber Essentials scheme which should help you guard against cyber-attacks. You can find best practice information for healthcare organisations on the ICO website and NHS Digital (important if you have access to NHS patient data and systems).
  • Ask service providers about the measures they have in place to protect your data. You might comply with data protection law but do they?

How do we protect your data?

As a provider of online services for more than 20 years, we process vast amounts of sensitive health and financial data on your behalf. Here are some of the measures we take to ensure our systems and procedures are watertight and present the maximum deterrent for cyber criminals:

Encryption – our systems have full end-to-end encryption.
Enterprise quality – our system infrastructure is designed to minimise any impact from system failures and is hosted on our UK-based computing platform.
Data protection by design – we’ve embedded ICO principles into all our system and product development projects, from ePractice and The PPR to online appointment booking. Access to services is controlled with an industry-standard authentication-authorisation solution.
Commitment to IT security standards – our internal policies, procedures and controls comply with ISO/IEC 27001:2013 (we first achieved the relevant ISO/IEC accreditation in 2009). We’re also certified under the Cyber Essentials scheme after demonstrating best practice across all aspects of cyber security, including configuring systems to minimise vulnerability to cyber-attack.
Resilience testing – we regularly audit our security measures to identify potential weaknesses and ensure that our platforms are secure, resilient and up to date.
Disaster recovery – we take a daily back-up copy of data which is securely stored on our UK-based computing platform.
Products and services – we provide encrypted services to help healthcare organisations share information securely, from the Clearing Service to Secure Messaging and file sharing.
