Alternatives to fax in the NHS: how to secure patient data

Neil Larkins | 15th May 2019

NHS trusts have been banned from purchasing new fax machines, as part of a modernization effort that will phase out the technology completely by 2020 and improve NHS data standards.

Today’s healthcare methods generate larger volumes of data, such as high-resolution medical imagery, that need to be transferred securely and are unsuitable for faxing. Fax machines also present a large surface for human error and data protection breaches in the NHS: there is no assurance over how data is handled at the recipient end and no safety net for a mis-dialled number. Faxes arriving at the wrong location are a well-known problem across the healthcare industry.

Faxing and human error

Risk management firm Kroll found that human error accounted for the vast majority (88%) of incidents reported to the Information Commissioner’s Office (ICO) over the past year. Of these, data emailed to the wrong recipient (447) topped the list, followed closely by data posted or faxed to the incorrect recipient (441). Add these human error-led data breaches to the fact that healthcare organisations are a significant target for cyber criminals (the 2017 WannaCry outbreak disrupted NHS services), and it’s clear that more needs to be done to improve the NHS’s data-sharing processes and internal security posture.

Retiring NHS fax machines is sensible when there are more secure and efficient systems available. There is also an opportunity here to make both senders’ and recipients’ lives easier, whether it’s doctors, healthcare providers or patients accessing sensitive data.

Email encryption for healthcare

Using email encryption, NHS data protection can be improved and gaps in data security can be closed while enhancing how medical professionals, healthcare providers and patients interact and share information. Just as importantly, there are now ways to stop human error incidents such as misaddressed emails.

Sending to the right people

When sender and recipient both use NHSmail accounts there is assurance that patient data is protected in transit, but systems need to be introduced that can secure data when it is shared outside of this community, particularly with patients themselves. Such solutions should be easy to use, apply the correct level of security to reinforce NHS data protection and confidentiality practices, and ensure that data only reaches the intended recipient. Policy scanning and automatic encryption can stop content leaving in plain text, for example by encrypting any message addressed to a domain outside the NHSmail community.

Learning a sender’s regular email patterns also makes it possible to flag an anomalous recipient, such as an address the sender has never used before or one that closely resembles an address they use regularly, before the email is sent.
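As an added illustration of the two checks just described (this is not Egress code and not part of the original article), the following Python sketches a domain-based policy check combined with anomalous-recipient detection drawn from a sender’s history. The trusted domain list, the lookalike threshold, the sender name and the sent-mail history are all assumptions constructed for the example; a real deployment would source the history from the mail server and tune the threshold.

```python
"""Recipient policy check and anomalous-recipient detection for outbound mail.

Added illustration, not Egress code. Domain names, addresses, thresholds and
the sent-mail history below are assumptions constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumption: mail that stays inside these domains needs no extra protection.
TRUSTED_DOMAINS = {"nhs.net"}

# Assumed threshold: an unseen address within this edit distance of one the
# sender has used before is treated as a probable mis-typing of it.
LOOKALIKE_DISTANCE = 2


@dataclass
class Decision:
    action: str                                    # "send", "encrypt" or "hold"
    external: list = field(default_factory=list)   # outside TRUSTED_DOMAINS
    unseen: list = field(default_factory=list)     # never mailed by this sender
    lookalike: dict = field(default_factory=dict)  # unseen -> known address it resembles


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character slips."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_message(sender: str, recipients: list, history: dict) -> Decision:
    """Apply the policy rules to one outbound message.

    history maps a sender to a Counter of addresses they have mailed before.
    Outcomes, most severe first:
      hold    - an unseen recipient resembles a known one (probable mis-send)
      encrypt - at least one recipient is outside the trusted community
      send    - everyone is inside the community
    Unseen recipients that trigger neither rule are reported but not blocked.
    """
    seen = history.get(sender.lower(), Counter())
    decision = Decision(action="send")
    for rcpt in recipients:
        rcpt_l = rcpt.lower()
        if domain_of(rcpt_l) not in TRUSTED_DOMAINS:
            decision.external.append(rcpt_l)
        if rcpt_l not in seen:
            decision.unseen.append(rcpt_l)
            for known in seen:
                if edit_distance(rcpt_l, known) <= LOOKALIKE_DISTANCE:
                    decision.lookalike[rcpt_l] = known
                    break
    if decision.lookalike:
        decision.action = "hold"
    elif decision.external:
        decision.action = "encrypt"
    return decision


# Constructed sent-mail history for one hypothetical sender (not real addresses).
SAMPLE_HISTORY = {
    "dr.patel@nhs.net": Counter({
        "ward7@nhs.net": 40,
        "radiology@nhs.net": 25,
        "j.smith@nhs.net": 12,
    }),
}

if __name__ == "__main__":
    for rcpts in (["ward7@nhs.net"],
                  ["ward7@nhs.net", "patient@example.com"],
                  ["j.smith@nhs.met"]):          # one-character domain slip
        print(rcpts, "->", check_message("dr.patel@nhs.net", rcpts, SAMPLE_HISTORY))
```

The third case is the one fax never caught: a single mistyped character turns an NHSmail colleague into an untrusted domain, and because the address is both unseen and a near-match for a known one the message is held for confirmation rather than simply encrypted to the wrong person.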

NHS, data protection and GDPR - staying compliant

The NHS, healthcare providers and the medical supply chain all have a responsibility to ensure that patient information is securely collected, stored and shared in line with data protection regulations.

Preventing accidental mis-sends is part of the answer, but protection from business email compromise (BEC), control over what recipients can do with a message, and the ability to audit data transfers are all important aspects of a sensible, compliant data security policy.

Features to consider include encryption of messages at rest, so that content in shared mailboxes stays protected and a compromised account (as in BEC) does not expose historic mail; the ability to recall an email at any point in time; and not relying on one-time passwords to authenticate recipients, since these are usually delivered to the same mailbox as the encrypted message and so add little against an attacker who already controls that mailbox.

Infrastructure

Any email security or email encryption solution that an NHS trust implements needs to be flexible enough to integrate seamlessly with both current and future NHS data-sharing and IT infrastructure, whether on-premises, cloud / Office 365 or a hybrid of the two. It should also fit alongside the NHSmail ecosystem without complicating secure sending for existing users. In practice, this means a solution that recognises automatically when both parties are inside the NHSmail community and no additional protection is needed, and when either party is outside it and extra protection must be applied.

Egress Email Protection

Until recently, adding security features and improving security posture meant putting barriers up and preventing users from sharing data and interacting with third parties. Now, though, another way is possible: email security that users like because it stops them from making mistakes, that recipients like because it makes their healthcare information easy to access, and that IT teams like because it integrates seamlessly with existing systems and provides full visibility over both visible and hidden risks.

Egress Protect does all of this and more, enabling seamless secure messaging across the healthcare community and providing instant email recall and support for large files. Interacting with Egress Prevent, it creates a digital safety net that prevents user error, raises NHS data standards and ends accidental data breaches in the NHS.