Fax machines banned across the NHS
Fax machines will be banned across the NHS under radical plans to overhaul outdated technology and IT systems. Tony Pepper, CEO of Egress Software comments:

It is difficult to believe that such an outdated and unsecure system is still being used by the NHS when we consider the confidentiality of the information contained within patient records. According to the BBC, as many as 9,000 fax machines were still in use as of July 2018, which should set alarm bells ringing about the scale of this issue.

We know from attacks like WannaCry that healthcare organisations are a significant target for cyber-criminals – but this news also shows that more needs to be done to improve the NHS’s internal security posture, particularly when it comes to electronic communication and data sharing. The ICO’s latest trend report shows that disclosure of data and lack of security were the two highest causes of data security incidents in the healthcare sector, between July and September 2018.

Fax machines provide a large surface area for human error and consequently data breaches when used to transfer sensitive data, as they can’t offer assurance over how the data is picked up and used at the receiving end, or a safety net to allow for user error when dialling. When used to transfer confidential information, there is a significant risk of a data breach.

With the mandate to phase out fax machines by 2020 and the recommendation to use email encryption instead, the NHS has the opportunity to close this gap in their data security. However, they will need to fully understand how NHS staff share data and who with. In particular, they will need to look beyond NHSmail, which is a closed platform for organisations that deliver publicly funded health and social care in England and Scotland.

While in cases where both recipients have NHSmail accounts, we can have assurance that patient data is protected, systems will need to be introduced that can secure data when shared outside of this community, particularly with the patients themselves. Such solutions need to ensure that data is only sent to and accessed by the intended recipient, apply the correct level of security, and be easy to use.

The NHS has a responsibility to guarantee that patient information is always securely collected, stored and shared. To achieve this, it must first understand the sensitivity of the data it controls, subsequently applying a combination of encryption, rights management, machine learning and policy-based access control to ensure that personal information remains secure. Employees also need to be educated, ensuring that the risk posed by the weakest link in the technology ecosystem – the user – is mitigated.