IT contractors responsible for project managing NHS and other public sector IT projects may face huge claims on their professional indemnity insurance if they fail to meet strict public sector supplier governance rules.
New research by IT security firm Aston Information Security shows that “only 14% of acute [NHS] trusts have properly audited commercial third party suppliers”, including IT vendors.
The firm commissioned the research following a record fine of £325,000 imposed by the Information Commissioner on Brighton and Sussex University Hospitals NHS Trust for failing to impose the supplier governance procedures specified in the official NHS Information Governance Toolkit. The Trust settled for £260,000.
At issue was an IT vendor that sold 232 hard drives on eBay, even though the drives had been earmarked for destruction because they contained the medical records of over 67,000 patients.
Aston Information Security director Jason Parker-Smith warns contractors not to skip the official Information Governance Toolkit procedures for vetting IT vendors, or they could face claims for negligence if their client is fined as a result: “The NHS Information Governance Toolkit encourages trusts to audit their commercial third parties that supply services.”
Parker-Smith’s advice to public sector IT contractor project managers is to directly audit IT vendors, or request certification: “The fine signals that [NHS] trusts cannot outsource their accountability for the security of data.
“To reduce their risks, trusts should either audit their [suppliers] or insist that, if they are providing services that involve data, they are ISO 27001 certified.”
Parker-Smith concludes: “[NHS] Trusts make their next information governance declarations in March [2013]; it will be interesting to see how many have taken actions to reduce the unnecessary exposure of data loss and risk.”