Stephen Allcock, Director, Public Sector UKI, explains why identity security is crucial to maintaining data integrity in the NHS
The NHS is the fifth largest employer in the world. One of its biggest challenges is the shortage and turnover of staff, with thousands of nursing, clinical and administrative positions vacant at any given time. With 1.7 million workers whose access rights and responsibilities must be tracked, this level of movement is a huge headache for frontline and back office functions alike.
This is because, aside from the administrative burden involved, this churn is also a major security vulnerability. Staff need the right access to the right information to do their jobs, but no more and no less than their responsibilities require. Failure to keep strict control over this leaves access unmanaged, increasing the likelihood of a breach occurring.
This is made even more complex by the volume of sensitive information the NHS processes on a daily basis – over 200 NHS Trusts on average see one million patients every 36 hours, while by 2025 the annual growth rate of health data is expected to reach 36%.
Protecting sensitive data and privacy is a top priority for the NHS and crucial to maintaining its integrity. An effective identity and data security structure can provide the infrastructure for the NHS to function effectively, even as workers come and go and new information arrives, helping it to stay as secure as possible.
Protective measures are a necessity
Any breach within the NHS could have a detrimental effect – the average healthcare breach alone costs £6.6 million. Data security must therefore be the beating heart of the NHS structure.
NHS security officials need to understand how information is used and who has access to it. It is essential that the NHS retains control over the information and data it holds. In addition, measures must be put in place to protect data against inappropriate use. Security officials need to know if and when a data breach has occurred and how to react as soon as they become aware of it.
Timing is everything. It can take weeks or months to detect if there has been an unauthorized data breach, with no way of knowing what information has been accessed unless sufficient safeguards are in place.
Governance and regulation
The NHS has some of the strictest regulations in place to protect sensitive data. The Data Protection Security Toolkit (DPST) is only one piece of NHS data access control. This online self-assessment tool allows organizations to measure their performance against the 10 National Data Guardian Data Security Standards. All organizations that have access to sensitive NHS data and systems must use this toolkit to provide assurance that they practice good data security and handle personal information properly.
The National Data Guardian is itself an independent body that oversees patient data and acts as a safeguard on the use of that information. It allows patients to take part in the national data opt-out, indicating that they do not want their confidential patient information shared for purposes other than their own care across the health and care system in England. In addition, the NHS must comply with the GDPR, which governs how organizations collect, use and manage personal data. The seven Caldicott Principles also provide the overarching governance rules that dictate how the NHS collects, stores and uses sensitive information. Of course, none of this is possible unless the NHS has a full and transparent understanding of what is happening to its data.
Unstructured data management
An NHS Trust potentially holds millions of documents in hundreds of thousands of files across multiple repositories, both on-premises and in the cloud. This is typical "unstructured data", which makes up about 80% of the total data held by a trust – and it quickly becomes unmanageable. Some of the common themes we see are personally identifiable and sensitive information stored in the wrong place, over-permissive access to sensitive data, no centralized identity governance process, no auditing of access, no oversight of the use of privileged accounts, and data held outside of a retention policy.
The key is to make sure the NHS can classify its data and has processes in place to manage access to it. Understanding the types of data, knowing where it is, and providing adequate controls are all essential aspects of adhering to the DPST, the Caldicott Principles, and GDPR governance. This allows organizations to know who has access to data of each level of sensitivity and to maintain an up-to-date asset register. Visibility into the location of all sensitive data, who has access to it, and the audit trail established through identity security is crucial to understanding where vulnerabilities lie. This in turn helps organizations defend against improper use or a cyberattack such as ransomware.
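The classify-locate-control loop described above, as an added example that is not from the article or its author: a small Python review that walks a constructed file inventory for a hypothetical trust file share, classifies each file by content, records it in an asset register, and flags the three problems the article lists (sensitive data outside its approved location, over-permissive access, and data held beyond retention). The share paths, group names, retention period and file contents are all constructed for the example; the NHS number check digit is the standard modulus-11 scheme, and the National Insurance pattern is a simplified one.

```python
"""Added example (not the article's or any vendor's code): a minimal
unstructured-data access review over a constructed file inventory."""
import re
from dataclasses import dataclass

# Hypothetical policy: where each class of data is allowed to live, which
# groups are too broad for anything sensitive, and a constructed retention limit.
APPROVED_LOCATION = {
    "PATIENT_IDENTIFIABLE": "\\\\share\\clinical\\",
    "STAFF_PERSONAL": "\\\\share\\hr\\",
}
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
RETENTION_DAYS = 8 * 365  # constructed value; real limits come from the records policy

NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
NI_NUMBER_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")  # simplified NI number pattern


def nhs_number_valid(candidate: str) -> bool:
    """Modulus-11 check digit: weights 10..2 over the first nine digits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid check digit exists for this prefix
        return False
    return check == digits[9]


def classify(content: str) -> str:
    """Label a file by the most sensitive identifier found in its content."""
    for m in NHS_NUMBER_RE.finditer(content):
        if nhs_number_valid("".join(m.groups())):  # check digit avoids false positives
            return "PATIENT_IDENTIFIABLE"
    if NI_NUMBER_RE.search(content):
        return "STAFF_PERSONAL"
    return "PUBLIC"


@dataclass
class Finding:
    path: str
    issue: str
    detail: str


def review(inventory):
    """Return (asset_register, findings) for a list of file records."""
    register, findings = {}, []
    for item in inventory:
        label = classify(item["content"])
        register[item["path"]] = {"classification": label, "acl": sorted(item["acl"])}
        if label == "PUBLIC":
            continue
        approved = APPROVED_LOCATION[label]
        if not item["path"].lower().startswith(approved.lower()):
            findings.append(Finding(item["path"], "WRONG_LOCATION", f"{label} data outside {approved}"))
        broad = BROAD_GROUPS.intersection(item["acl"])
        if broad:
            findings.append(Finding(item["path"], "OVER_PERMISSIVE", "granted to " + ", ".join(sorted(broad))))
        if item["age_days"] > RETENTION_DAYS:
            findings.append(Finding(item["path"], "RETENTION_EXPIRED", f"{item['age_days']} days old"))
    return register, findings


# Constructed sample inventory (paths, groups, ages and contents are invented).
INVENTORY = [
    {"path": r"\\share\clinical\patients\notes_2023.docx", "acl": ["Clinical-Staff"],
     "age_days": 400, "content": "Patient NHS Number: 943 476 5919"},
    {"path": r"\\share\public\newsletter.docx", "acl": ["Everyone"],
     "age_days": 30, "content": "Flu clinic opens Monday"},
    {"path": r"\\share\public\export.csv", "acl": ["Everyone"],
     "age_days": 10, "content": "NHS Number: 943 476 5919, DOB 1980-01-01"},
    {"path": r"\\share\public\ref.txt", "acl": ["Everyone"],
     "age_days": 5, "content": "Ticket ref 485 777 3456"},  # fails the check digit
    {"path": r"\\share\hr\payroll_2014.xlsx", "acl": ["HR-Team", "Domain Users"],
     "age_days": 3300, "content": "NI number AB123456C"},
]

if __name__ == "__main__":
    register, findings = review(INVENTORY)
    for path, entry in register.items():
        print(f"{entry['classification']:22} {path}  acl={entry['acl']}")
    for f in findings:
        print(f"[{f.issue}] {f.path}: {f.detail}")
```

The register is the "up-to-date asset register" the text calls for; the findings list is what an access review would hand to data owners. Each policy value is a placeholder to be replaced by the trust's own classification scheme and retention schedule.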
Data governance is at the heart
A data breach can cause irreversible damage not only to reputation, but also to the well-being of patients. This is why data governance is at the heart of the NHS. Sensitive data must be protected at all costs, but to do so, it must be managed appropriately. By aligning, streamlining and controlling this data through identity security, the NHS continues to provide essential services without disruption.