Since the birth of the digital age, regulatory compliance and data security have been niggling headaches that just won’t go away for information governance professionals across the NHS and Local Government. With the number of methods of sharing information always increasing, new and complex challenges are also on the rise – only recently we visited an NHS Trust where they were scratching their heads over how to stop members of the public using their smartphones to snap photos of sensitive information!
Of course all regulations need an overseeing governing body willing to bare its teeth once in a while, to exact punishment on offenders in the hope that it will deter future breaches. In the public sector those teeth belong to the Information Commissioner’s Office (ICO) and right now they’re gnashing away like mad. Averaging over £90,000 per case, the ICO has now clawed in excess of £3 million in fines for Data Protection Act (DPA) breaches across the NHS and Local Government. Incidents have ranged from sensitive documents left in public bins, through to the highly publicised sale of unencrypted hard drives on eBay that still had patient information on them. Sometimes the list of breach risks seems endless but, thankfully, there are some simple steps that can be taken to minimise the risk of an ICO fine and reduce the cost of communicating within your organisation.
The simplest place to start, when looking to reduce overall risk, is fax. Often seen as a dying technology in the private market, it’s still heavily used across the public sector and carries a very high risk of users being caught in the jaws of the ICO – using fax without care is a bit like putting your hand in a crocodile’s mouth and hoping not to get bitten. Most public sector organisations will have in the region of 100-300 physical fax machines, with an analogue phone line in the back of them, usually in shared spaces. The problem with these machines is that they’re often used to communicate highly sensitive information with Social Care, Housing, Mental Health and Legal teams. In some cases they’ve even been used for sending the PIN to access a “KeySafe” that contains the key to an elderly patient’s house, so that carers from the Social Care Team can gain access. Pretty obviously, if this fax ends up in the wrong hands the sender may be looking at the legal implications of jeopardising the safety of that patient, in addition to probably ending up with a £90,000+ slap on the wrist from the ICO … not to mention the story that will probably end up on the evening news.
The problems with manual faxing from stand-alone fax machines are manifold: misdialling the fax number and so sending sensitive information to the wrong recipient, confidential information sitting on the paper tray of shared fax machines for anyone to see, faxes being collected as part of another incoming fax and given to the wrong recipient, and so on.
To reduce these risks, organisations are increasingly turning to centralised network fax servers. In addition to reducing the cost of faxing by up to 80%, network fax servers provide centralised address books whose entries can be automatically “batch faxed” recipient confirmation requests as often as you want, to ensure the recipients’ fax numbers haven’t changed. And instead of battling with an insecure ‘public’ fax machine, faxes can also be sent and received directly from within the users’ familiar email client (Outlook for example), which means no more sensitive information sitting in shared areas for prying eyes. A centralised and fixed contact list also ensures that staff are selecting the recipient’s number from the list, instead of falling foul of fat-finger dialling turning that 8 into a 5. If something should go wrong and a fax is sent to the wrong place, built-in auditing means it is quick and easy to see who sent what, where and when.
With all these positives and the chances of the ICO gnashing its teeth greatly reduced, it is easy to see why so many public sector organisations are now implementing network fax as a quick and easy solution for this high risk problem.
Staying close to the fax machine/printer world is the second “quick win” for minimising risk – Secure Print Management. The Public Sector is notoriously paper heavy and often seems to run with the mantra of “if it’s important, it’s printed”, particularly within senior management. This is where the digital and physical realms clash to cause a pang of anxiety in any governance-focussed individual. What was once a secure digital record is now winging its way uncontrollably to a shared network printer for anyone to pick up and read in physical format. Most recently, a Council was fined £130,000 for two vulnerable child reports being printed to the same shared printer, part of one report being collected with the other and then sent out to the parents of one of the children. The situation was made worse because the recipient knew the parents of the other vulnerable child and made them aware of the situation – formal complaints were made and the case became public knowledge.
The easy answer to this particular problem is secure pull-printing. Many Councils and Trusts are using secure “follow-you” print solutions to reduce paper usage and minimise the risk of sensitive documents being seen on shared printers. Staff now print the job as usual, but need to enter a PIN or simply swipe their ID card at the printer to release any of their print jobs. No more confidential documents piling up on the paper tray or multiple print attempts all coming out at once. Just a simple click, release and collect process that removes the risk of unauthorized personnel accessing the wrong document. This secure printing can even be extended to guests on the IT network, such as patients or visitors. They can now securely print from any device (including tablets and smartphones) connected to the internet without installing print drivers and then release their print job from a shared printer onsite once they’ve entered a unique code. Not only can members of the public print that proof of address or letter from their GP easily and securely but now you even have the choice to either charge them for the use of your print facilities or provide it as part of your front-line service.
Similar challenges apply when converting physical paper files into electronic records that are useful, secure and easily accessible. Some Trusts have upwards of 120 million pieces of paper from the days before their new electronic system. The question is, how do you securely and cost-effectively get these into digital format? Most printers have a scan-to-email capability, possibly even a scan-to-network-location function. The problem is that neither of these is secure or particularly useful. Often the files will be automatically named with some terribly long filename like “HP0894-scanHP-4274.docx” and will require substantial manual intervention to get the resulting file into the relevant systems and correct format. Ideally the document would be scanned directly from the printer to the back-end system with all index meta-data completed at the device and without the need for manual intervention. Secure scanning solutions are now being deployed across the Public Sector to provide all this functionality at the printer and all behind a single button for each workflow. For example, if you work in Purchasing and a PO comes in, the printer would recognise that you are from Finance and present you with a button called “Process PO”, behind which would be a workflow that strips out all the important information such as value, delivery address, and so on, using OCR technology, asks you for a name for the file and securely places all the scanned information into the relevant back-end systems alongside a copy of the document image – all without a member of staff ever needing to see the document in digital format. Removing the scan to email/network location step minimises the risk of the document being scanned to the wrong email inbox or wrong file on the network. No longer requiring manual entry of all the important information substantially reduces the time taken to process documents and minimises human error that could result in poor front-line services being delivered.
Looking around the UK, it is fair to say that lots of Trusts and Councils are currently focussing their energies on “cool” projects and the more complex regulatory compliance issues like network security and secure email. The ICO, however, is fining more and more organisations for the really simple stuff like printing, faxing and scanning. It’s the low-hanging fruit of the information governance world and can substantially reduce your organisation’s risk footprint. Most of the solutions available on the market offer fast, tangible return on investment and all prove to the ICO that you have put in place appropriate technological and process changes to minimise the risk of leaking sensitive information. When you consider that the average installation time for a project including fax, print and scanning would be less than 2 months and take into consideration that the ROI is often less than a year, it’s easy to see how these simple fixes can often reap the biggest rewards.