UK's NHS struggling with security after WannaCry, losing 10K patient records last year

Months after all NHS trusts failed security assessments, a new assessment from a think tank found the majority of hospitals still are leaning on handwritten documentation, and often misplace patient records.
By Jessica Davis
12:59 PM
Share
NHS hospital sign in UK

Just months after all 200 U.K. National Health Service trusts failed government-issued assessments, a recently released report from think tank Parliament Street found the NHS lost nearly 10,000 patient records last year.

The report examined the number of records misplaced by NHS trusts during the last financial year, which found 68 NHS trusts lost or misplaced 9,132 patient records.

The team only worked with the 68 trusts to compile the data, made up of information on patient records reported missing and details of handwritten records. Data from the other 132 NHS trusts were not included in the report.

[Also: The biggest healthcare data breaches of 2018 (so far)]

Researchers found University Hospital Birmingham was the biggest culprit, reporting 3,179 missing or stolen records. Bolton NHS trust followed with 2,163 misplaced records and University Hospital Bristol fell in third with 1,105 records lost.

The researchers also noted that recently NHS faced a loss of 162,000 missing documents and 702,000 pieces of missing paperwork, which “questions the integrity of the software they have in place and the security of paper documents.” Some of the lost documents eventually were located.

Also notable: 94 percent of the trusts included in the study still use handwritten notes.

The report is disturbing, considering the repeat security lapses recorded by U.K. NHS. The health system fell victim to WannaCry in May 2017 after failing to patch a known vulnerability months before the global attack. Nearly a year later, all 200 trusts failed an audit, many of which for failing to patch known flaws.

NHS pledged nearly $2 million to bolster its security after the attack and moved to improve its cybersecurity posture with a Windows 10 migration. NHS also created a new security center to enhance its monitoring capabilities, complete with ethical hacking and vulnerability testing.

But the loss of records points to continued security lapses and failure to meet its own standards. It also highlights the need to address security risks, as it accumulates over time when reporting and proper education are missing from security plans.

Repeat offenders are a serious issue in the U.S., as well. Employees who already breached privacy in the past were responsible for about 30 percent of third-quarter breaches in the U.S. And as breaches cost about $408 per patient record, the need for better breach response and security policies can’t be overstated.

So where is the U.K. NHS going wrong? According to researchers, the NHS needs to improve in several areas. They recommend abolishing handwritten notes in hospitals, “as it’s clear paper-based systems are no longer fit for purpose.”

The NHS should also introduce a patient identity protocol to “protect the identity and integrity of patient documents.” The researchers recommend the use of speech recognition software to help clinicians quickly capture notes from consultations. The use could also ensure data is properly capture and stored, while increasing the security and privacy of patient records.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com