Following the news that a former NHS care assistant has been convicted of obtaining the medical records of five members of her ex-husband’s family in order to obtain their new phone numbers, this rogue employee incident shows why the automation of IT security enforcement is critical to organisations with large databases.
According to the data governance specialist – while the case initially appears to be one of a rogue employee with access to the medical records of the patients concerned – the Information Commissioner’s Office (ICO) has reported that the patients whose details had been compromised were not under the worker’s direct care.
Put simply, this means that she was accessing the medical records without express or implied permission from her employer – and was clearly committing an offence under section 55 of the Data Protection Act. This is why she was fined £500 for the offence, which was also a breach of her employer’s trust.
What I am surprised about, however, is that the NHS trust did not implement an automated data governance system that limited access to only those medical records of patients under the care of the health worker concerned. Automated security technology – especially for large medical records systems in a hospital environment – helps by optimising data access authorisations and detecting potential abuse situations in real time.
Obviously, nominated staff in an Accident & Emergency department would need blanket access to critical patient data, but in a hospital ward situation – as this woman apparently worked in – this would not be necessary. Healthcare data is some of the most dynamic in the IT industry, with new patients coming in every day for lots of reasons, then being treated and moving on, and with some returning for further treatment.
The end result is that there are numerous digital files for every patient treated and health records contain the most personal of information, with phone numbers certainly being private, as well as the medical issues those family members were treated for. And, who knows what other data was made available to the staff member concerned?
It would be interesting to discover to what extent other NHS bodies use data governance technology when securing the medical records and other data of patients.
Given that this care worker was prosecuted on the basis of evidence from the audit trails from her smart card ID – and the fact that the smart card is a key authentication device that has multiple uses – it is clear that automation is the only real way to adhere to the principle of least privilege with present-day digital collaboration.
In a large hospital or health trust environment, even an army of people couldn’t keep up with the pace of database change. Automation is clearly the only way to effectively monitor the use of the data concerned, but the good news is that this technology is available in the modern database marketplace, without resorting to untested leading edge systems.