Are trusts putting NHS data at risk by ignoring need for BYOD policies?


Two-thirds of NHS trusts are risking data breaches because they lack a policy to manage their employees' personal devices, it is claimed.

Just over one third (34 per cent) of trusts have measures in place to govern what devices staff can bring into work, and what they can do with them, according to a Freedom of Information (FoI) request sent to 35 trusts.

Those without a BYOD policy have sacrificed visibility into what devices are accessing their networks, claimed virtualisation firm Citrix, which submitted the FoI.

More than half the trusts 18 out of 35 were unaware whether personal devices were being used for work purposes.

A Citrix statement read: "This lack of visibility means that NHS trusts could be vulnerable to data breaches if a personal device is being used without adequate protection.

"The ability for employees to securely access trust data on the device of their choice has the potential to improve productivity and potentially contribute to a reduction in IT overhead cost.

"However, the FoI results reveal that many NHS trusts are struggling to seize this opportunity, with the delay in uptake also potentially having a significant effect on ensuring security requirements are met."

The news comes as the issue of data security in the NHS becomes a hotter and hotter topic, with the controversy of the patient data collection scheme,, ongoing.

The initiative is meant to enable GP surgeries and hospitals to share patients' medical records, but has been criticised by data protection advocates. was originally due to be rolled out in April 2014, but was delayed by six months due to a poor public consultation.

It's now being trialled in GP surgeries in Leeds North, West, South and East, Somerset, West Hampshire and Blackburn with Darwen.

But sceptics fear patient data will be sold to companies, despite assurances to the contrary, after millions of patients' information was sold off to private sector firms over the last decade, according to a report by the NHS information centre last June.

Tim Kelsey, national director for patients and information at NHS England, believes there is a moral right to collect patient data.

Speaking at a Big Data conference attended by IT Pro in January, he said: ""There are gaps so big, so dangerous, that they just have to be filled from a moral as well as a political perspective. We're going to be doing that this year.

"The NHS is not capable currently of telling you how many patients are treated for chemotherapy, for example. And certainly not capable of telling you that if they are treated, [then] what is their outcome."

IT Pro has approached NHS England for comment, but had not received a response at the time of publication.