Plans for the NHS to ‘axe the fax’ to improve cybersecurity and patient safety have been welcomed by industry experts.
The NHS has been banned from buying fax machines as part of plans for trusts to invest in new technology to replace outdated systems.
The ban takes effect from January 2019 and fax machines are set to be phased out by March 31 2020. NHS organisations will be monitored on a quarterly basis until they declare themselves ‘fax free’.
A freedom of information request revealed in July that more than 8,000 fax machines are still being used by the NHS in England.
From April, NHS organisations will be required to use modern communication methods, such as secure email, to improve patient safety and cybersecurity.
It is part of the Health and Social Care Secretary’s tech vision, to modernise the health service and make it easier for NHS organisations to introduce innovative technologies.
Health and Social Care Secretary Matt Hancock said: “Because I love the NHS, I want to bring it into the 21st century and use the very best technology available. We’ve got to get the basics right, like having computers that work and getting rid of the archaic fax machines still used across the NHS when everywhere else got rid of them years ago.
“I am instructing the NHS to stop buying fax machines and I’m setting a deadline for getting rid of them altogether. Email is much more secure and miles more effective than fax machines. The NHS can be the best in the world – and we can start with getting rid of fax machines.”
Richard Kerr, Chair of the Royal College of Surgeons Commission on the Future of Surgery, said that earlier this year, work undertaken for the RCS’s Commission on the Future of Surgery revealed that NHS hospital trusts own more than 8,000 fax machines.
He said: “This is absurd. Advances in Artificial Intelligence, genomics and imaging for healthcare promise exciting benefits for patients. As these digital technologies begin to play a bigger part in how we deliver healthcare it is crucial that we invest in better ways of communicating the vast amount of patient information that is going to be generated.
“Most other organisations scrapped fax machines in the early 2000s and it is high time the NHS caught up. The RCS supports the ban on fax machines that will come into place in March 2020.
“Since we published our data on NHS fax machines, we’ve seen a number of trusts pledge to ‘axe the fax’. They have proved that, with the right will and support, it is possible to modernise NHS communications.”
Commenting on the ban, Tony Pepper, CEO of Egress Software, said it was difficult to believe that such an ‘outdated’ and ‘insecure’ system was still being used by the NHS, considering the confidentiality of the information contained within patient records.
He said: “According to the BBC, as many as 9,000 fax machines were still in use as of July 2018, which should set alarm bells ringing about the scale of this issue. We know from attacks like WannaCry that healthcare organisations are a significant target for cybercriminals – but this news also shows that more needs to be done to improve the NHS’s internal security posture, particularly when it comes to electronic communication and data sharing.”
He highlighted the ICO’s latest trend report which showed that disclosure of data and a lack of security were the two highest causes of data security incidents in the healthcare sector between July and September 2018.
“Fax machines provide a large surface area for human error and consequently data breaches when used to transfer sensitive data, as they can’t offer assurance over how the data is picked up and used at the receiving end, or a safety net to allow for user error when dialling. When used to transfer confidential information, there is a significant risk of a data breach,” he said.
“With the mandate to phase out fax machines by 2020 and the recommendation to use email encryption instead, the NHS has the opportunity to close this gap in their data security.”
He added: “The NHS has a responsibility to guarantee that patient information is always securely collected, stored and shared. To achieve this, it must first understand the sensitivity of the data it controls, subsequently applying a combination of encryption, rights management, Machine Learning and policy-based access control to ensure that personal information remains secure. Employees also need to be educated, ensuring that the risk posed by the weakest link in the technology ecosystem – the user – is mitigated.”