Last week, a London HIV clinic hit the headlines: in emailing service users en masse with a newsletter, the service inadvertently emailed all clients, with names and email addresses visible to all recipients.
Like the majority of information security breaches, this was not the result of a clever hack. Many media outlets have reported this breach as being the result of “human error”, as the email addresses were entered into the CC (Carbon Copy) rather than the BCC (Blind Carbon Copy) field. Viewed from this angle alone, copying and pasting into the wrong field is human error, but that view fails to recognise that doing so is bad practice, and one which occurs due to a lack of knowledge and understanding about information security.
Email can be a powerful tool for communication, and computerised databases allow us to handle information easily and effectively, but both can be crippled as a result of human users failing to understand the significance of information security, and designing systems and processes which rely on human involvement where there should be none.
Blind Carbon Copy, the function relied on by the clinic, can be implemented in several ways, but the most common one is that where the BCC recipient sees only their own email address in this field. In certain situations, it is possible for users to see other BCC recipients. The security of the function depends on the implementation. A good security feature would be to use mail software that flags the use of the carbon copy field as potentially inappropriate for disseminating emails to many people, but this might not prevent leakage altogether.
It also wouldn’t address the fact that modern data management should avoid copying and pasting email addresses into emails meant for multiple recipients altogether. Plenty of off-the-peg systems exist that will automate the sending of emails to multiple clients as individuals. The concept of in-built mail merge is not a new one, but the function needs to exist within well-designed, working software. How many of us know who to ask to purchase secure software, or how long the approval process takes? If a user is faced with the option of copying and pasting, or waiting several weeks for an approved process to be arranged, corners will start to be cut.
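As an added illustration (not code from the clinic or any NHS system), the Python sketch below combines the two ideas above: a mail merge that builds one message per client, and a guard that refuses any message exposing more than one address in the To or Cc headers. The function names, the `MAX_VISIBLE` policy and the sample clients are assumptions made for this example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: a bulk mailing shows one address per message


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that every recipient can read: the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_outgoing(msg: EmailMessage) -> None:
    """Refuse a message that exposes more addresses than the policy allows."""
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE:
        raise ValueError(f"{len(exposed)} addresses visible to all recipients")


def merge(sender: str, subject: str, body: str,
          clients: list[dict]) -> list[EmailMessage]:
    """Mail merge: one message per client, so no address list is ever pasted
    into a shared header."""
    messages = []
    for client in clients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = client["email"]  # exactly one visible recipient
        msg["Subject"] = subject
        msg.set_content(body.format(name=client["name"]))
        check_outgoing(msg)  # fail closed before anything is sent
        messages.append(msg)
    return messages


# Constructed sample data. In use, each message would be handed to
# smtplib.SMTP.send_message() one at a time.
CLIENTS = [
    {"name": "Alex", "email": "alex@example.org"},
    {"name": "Sam", "email": "sam@example.org"},
]
NEWSLETTER = merge("clinic@example.org", "Newsletter",
                   "Dear {name},\nThis month's news follows.", CLIENTS)
```

Running `check_outgoing` on every outgoing message, not only merged ones, is what catches the pasted-into-CC case.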
All staff working within the NHS need to have, at least, a rudimentary understanding of the principles of information security, and the NHS needs to be able to provide training for them to do so, in addition to making the processes for keeping information secure easily available. With increasing fragmentation of the NHS in England, and the cheapest provider chosen for service provision, this could become an increasingly common problem as users and support services diverge further.