Naked Security

Why your health data isn’t as secure as it should be

What are healthcare providers doing to put a stop to the worrying trend of health data breaches and medical ID theft? Not enough, it turns out.

Your health status is perhaps the most intimate information anyone could know about you, so it should be your decision whether you share or keep your medical records private.

Unfortunately, hospitals, doctors’ offices and insurance companies frequently expose our health data through accidental loss, device theft, employee negligence, and data breaches perpetrated by hackers.

Even as the amount of health data rapidly increases, and data security laws become more punitive, medical ID theft continues to rise.

So what are healthcare providers doing about this worrying trend?

If you live in the UK, at least, the answer is not enough.

A survey of 250 CIOs, CTOs and IT managers employed by the UK National Health Service (NHS) has revealed a disconnect between how strong they think their IT security is and the level of data security that is actually in place.

Three-quarters (76%) of respondents to the NHS survey, conducted by Vanson Bourne on behalf of Sophos, think that they have adequate protection against cybercrime and data loss.

But their data security practices leave worrisome gaps.

Although encryption of laptops and USB drives is mandated by law, and 84% of respondents believe encryption is becoming a necessity, encryption is not broadly used:

  • Only 10% say that encryption is “well established” within their organization.
  • Only 59% encrypt email.
  • Only 49% encrypt files shared on the network.
  • Only 34% encrypt data stored in the cloud.

The survey also highlights how NHS organizations are facing significant IT security challenges such as the increased mobility of service delivery, as providers use a wide variety of devices to access records and other patient data on the move.

Data loss is the biggest IT security concern for 72% of NHS organizations, and 48% cite mobile and remote working as one of the main challenges facing their IT departments.

And while 54% say there is heightened awareness of data security due to high-profile breaches and upcoming EU data protection legislation, these growing concerns come at a time of tightening budgets, with survey respondents expecting their IT budgets to be cut by an average of 6%.

According to the UK Information Commissioner’s Office (ICO), the NHS was hit by more data breaches in 2015 than any other sector in the UK, representing almost half of all incidents tracked by the ICO.

(To be fair, the NHS is the world’s biggest health service, and has the fifth biggest workforce on the planet, behind only the US Department of Defense, the Chinese PLA, McDonalds and Walmart.)

Visit to read more about the NHS survey.

Image of doctor with tablet courtesy of


Even here in Canada it is a worry, for me anyway. We are told there are security measures in place, but unless you are in the position of managing that data, no one is told what they are and if they are adequate.
Also, because Health Care here is a “Provincial” responsibility, security measures can be easily fractured if all the provincial ministries are not in agreement with current standards.


For one, I’d point out that transmission of patient data by email (encrypted or not) is being aggressively replaced with other services. Is it perfect? No. But there is actual effort.

For two, I’ve seen both Health IT and Finance IT and frankly, for the difference in investment, Health IT is actually holding its end up.

Let’s try calling out some other industries, eh mate?


The NHS isn’t the only organisation with poor security. Certain otherwise reputable car dealerships think nothing of asking for bank details by email.

