There has understandably been much focus, over the last few days, on information security in the NHS. Whilst there is still no suggestion that any patient data was breached in the recent ransomware incident, breaches of patient data remain a global problem within the healthcare sector: over 30 million patient records were breached in the US over the period 2010 to 2014. Analysis of this US data produces two interesting findings:
- The number of incidents in each state displays a linear relationship with the number of people employed within the healthcare sector in that state;
- The rate of incidents per employee has remained fairly stable over the period, at between 11 and 14 breaches per year per million employees.
Both the relationship between incidents and number of employees, and the stability in the number of incidents over time, suggest that most data breaches are in fact the result of accidents, not malicious attacks. This is borne out by last year’s annual report of the Information Commissioner’s Office, which found that the second most frequent cause of data breaches was “data posted/faxed to incorrect recipient”.
Of course we must continue to improve our resilience against the growing threat of cyber crime; but it is vital to also pay close attention to how we handle information ourselves if we are really to improve information security.