Concurrent logins, manual logoffs, password sharing and the lack of unique logins are putting patient records at risk, new research has revealed.
A report by IS Decisions found that despite increased pressure from the ICO on the NHS’s data protection practices, 87% of healthcare staff are still able to log on to different devices and workstations concurrently, 37% are required to log off manually, and 44% do not have unique logins.
The report highlights several issues that directly affect the security of information within the healthcare industry. Access to personal data can be a matter of life and death, but a reliable access management procedure and system must still be in place.
According to the report, 69% have access to patient data, which is worrying considering 44% do not have unique logins for this access, making proper user identification impossible.
Just 13% of survey respondents were prevented from logging in concurrently, a restriction that matters because attributing an action to a specific person is difficult when one user can be logged in from multiple devices and locations at the same time.
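The two findings above, concurrent sessions and sessions that are never logged off, are visible in ordinary logon/logoff records. The following is an added example, not part of the IS Decisions report or the article, showing how a defender can pair LOGON and LOGOFF events into sessions and flag accounts that are active on two workstations at once or were left open. The log format, account names and workstation names are constructed for the example and assume nothing about any real NHS system.

```python
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not taken from the report or any real system).
# Each line: ISO timestamp, account, workstation, LOGON or LOGOFF.
SAMPLE_LOG = """\
2024-03-01T08:00:00 ward3 WS-ICU-01 LOGON
2024-03-01T08:05:00 ward3 WS-ICU-04 LOGON
2024-03-01T08:30:00 jsmith WS-ED-02 LOGON
2024-03-01T09:10:00 jsmith WS-ED-02 LOGOFF
2024-03-01T09:15:00 jsmith WS-ED-02 LOGON
2024-03-01T12:00:00 ward3 WS-ICU-01 LOGOFF
"""


@dataclass
class Session:
    account: str
    workstation: str
    start: datetime
    end: Optional[datetime]  # None: no LOGOFF seen, session still open


def parse_sessions(log: str) -> List[Session]:
    """Pair LOGON and LOGOFF events per (account, workstation) into sessions."""
    open_sessions: Dict[Tuple[str, str], Session] = {}
    closed: List[Session] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, workstation, action = line.split()
        when = datetime.fromisoformat(ts)
        key = (account, workstation)
        if action == "LOGON":
            # A repeated LOGON on the same workstation without a LOGOFF is
            # treated as the same session; the earlier start time is kept.
            open_sessions.setdefault(key, Session(account, workstation, when, None))
        elif action == "LOGOFF" and key in open_sessions:
            session = open_sessions.pop(key)
            session.end = when
            closed.append(session)
    # Anything still open at the end of the log was never logged off.
    return closed + list(open_sessions.values())


def _overlaps(a: Session, b: Session) -> bool:
    """True when two sessions are active at the same time (open sessions run to infinity)."""
    a_end = a.end or datetime.max
    b_end = b.end or datetime.max
    return a.start < b_end and b.start < a_end


def concurrent_logins(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Accounts active on two different workstations at once: (account, ws_a, ws_b)."""
    by_account: Dict[str, List[Session]] = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    findings: List[Tuple[str, str, str]] = []
    for account, acct_sessions in sorted(by_account.items()):
        acct_sessions.sort(key=lambda s: s.start)
        for a, b in combinations(acct_sessions, 2):
            if a.workstation != b.workstation and _overlaps(a, b):
                findings.append((account, a.workstation, b.workstation))
    return findings


def never_logged_off(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Sessions with no LOGOFF event: left open for whoever next uses the workstation."""
    return [(s.account, s.workstation) for s in sessions if s.end is None]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for finding in concurrent_logins(sessions):
        print("concurrent:", finding)
    for finding in never_logged_off(sessions):
        print("never logged off:", finding)
```

On the sample data the shared-looking `ward3` account is flagged as active on two ICU workstations at once, which is exactly the situation in which an audit trail cannot say who viewed a record; the two sessions with no LOGOFF show why automatic session termination, rather than relying on staff to log off manually, is the control that closes the gap.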
The report also examined security training, both for new employees being on-boarded and for those who have settled into their jobs. It showed that 48% of healthcare professionals did not receive any security training when they were hired, and only 41% of existing employees received IT security training.
“Security and privacy regulations regarding the processing, storage, and transmission of patient data – such as HIPAA, HITECH, EU directives, breach notification requirements, as well as associated penalties for non-compliance – can serve as a first critical element to ensure security is taken more seriously,” said Michela Menting, digital security research director at ABI Research.
Francois Amigorena, CEO of IS Decisions, added, “Healthcare organisations need to protect the patient’s right to privacy while ensuring healthcare professionals get the necessary access to provide the best treatment for their patients. Information of this critical and confidential nature should only be accessible by authorised users and it really should not be a complicated process.”