Healthcare IT failing on security

The IT security threat posed by healthcare workers is rising as they become increasingly mobile and use laptops containing sensitive patient information.

Unlike some other parts of the world, UK law does not protect data kept on healthcare computer systems beyond 'duty of care' and a professional requirement for patient confidentiality.

The warning from Absolute Software, which specialises in computer theft and asset tracking, follows a spate of high-profile data loss incidents in recent months, including the NHS losing hundreds of thousands of patients' records.

Absolute Software said that, while encryption provides strong external security, the biggest threat is from within.

Employees can get access to encrypted information as they have encryption keys and passwords. Organisations are advised to complement encryption with the ability to remotely delete data from missing computers for the highest level of protection.

The healthcare market also fails accurately to manage mobile computer assets. Absolute believes that, at best, only a fraction of laptops can be accounted for by IT managers.

Many hospitals and clinics allow information to be accessed on open-air terminals, such as ward and nursing stations. But these workstations are at great risk of data breaches and information can be easily accessed and downloaded.

Absolute said that unattended stationary computers should always be monitored and protected with an authentication prompt.

The company also highlighted the difficulty in implementing a comprehensive data security plan.

Healthcare facilities are advised to institute a comprehensive data security plan to secure computing assets and sensitive information which includes both IT and physical precautions.

Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords, the company said.

Lastly, few healthcare facilities have "nightmare scenario" policies in place should a data breach occur.

There should be a standard procedure in place to manage the event, from timely notification of supervisors to informing the police.

Absolute said that, in a data breach situation, computer theft recovery software solutions have the capability to remotely delete sensitive files, track lost or stolen computers and partner with local police in order to recover them.