As we move into a paperless and digital health and care system it becomes ever more important to ensure there are adequate and robust protections in place to secure the data and information held within it. The case for data sharing "still needs to be made to the public", and data security in health and care organisations needs to be strengthened to levels similar to those seen in the financial sector, according to Dame Fiona Caldicott, the National Data Guardian (NDG).
Two reviews commissioned by the Department of Health have been published this month which make recommendations on data security in the health and care system and a new consent/opt-out model for data sharing.
Safe data, safe care
The CQC's review looked at whether personal health and care information is being used safely and is appropriately protected in NHS hospitals, GP surgeries and dental practices. The regulator found that while there was widespread commitment to data security, staff at all levels faced challenges in translating that commitment into reliable practice. It also found that data security systems were not always designed around the needs of frontline staff, which has led staff to develop insecure workarounds. This issue is key: as integrated care models develop, improvements must be made to facilitate the sharing of patient information between services without pushing staff towards such workarounds.
Ten new data security standards for health and social care
The NDG's review proposed ten "data security standards" for consultation, aimed at strengthening the safeguards for keeping patient health and care information secure, as well as a new consent/opt-out model for patient data. Dame Fiona has recommended that leaders of all health and social care organisations commit to the standards and evidence this through audit, to support inspection by the relevant regulator. The way the standards apply will vary according to the type and size of organisation. For example, commissioners will need to take account of the standards when commissioning services, GPs may want system support from their suppliers to identify and respond to cyber alerts, and social care organisations may seek that support from their local authority.
The data security standards are grouped into three leadership obligations:
- People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents and near misses.
- Technology: ensure technology is secure and up-to-date.
In addition to the new standards, Dame Fiona has proposed a new opt-out model to make clear how people's health and care information will be used and in what circumstances they can opt out. The model aims to give people a simpler choice about how their personal confidential information is used.
In response to Dame Fiona's recommendations, the DH has published a consultation on the new data security standards and the opt-out model, since a key "aspect of the work must be dialogue with the public" before any implementation can take place. The consultation closes on 7 September 2016.
care.data programme to close
NHS England is to close its controversial data sharing project, known as the care.data programme, in light of Dame Fiona's recommendations. The programme was designed to bring health and social care information from different settings together to see what could be improved. In its statement NHSE said it remains committed to sharing information as one of the tools for improving outcomes for patients. This work will be taken forward by the National Information Board, in close collaboration with the primary care community.
Data sharing and security
The NDG and CQC make 13 recommendations to safeguard data. Given the close alignment between their work on data security, three of the recommendations are the same. They range from every organisation demonstrating clear ownership and responsibility for data security, to strengthening data security audit and external validation: the CQC would amend its assessment framework and inspection approach to include assurance that appropriate internal and external validation against the new data security standards has been carried out, and would ensure the inspectors involved are appropriately trained.
Dame Fiona says Trusts and CCGs should use an appropriate tool to identify vulnerabilities such as dormant accounts, default passwords and multiple logins from the same account (an indicator of shared credentials). All health and social care organisations should also provide evidence that they are taking action to improve cyber security. Additionally, NHSE should change its standard financial contracts to require organisations to take account of the data security standards, and this should extend to the independent and voluntary sectors too. Where a provider does not meet the standards, the contract should not be extended.
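The three checks named above can be run offline against an account and session export. The following is an added example, not a tool from the NDG, CQC or any NHS body: it audits a constructed sample export for dormant accounts, accounts still on a known default password, and one account signed in from two hosts at the same time. The 90-day dormancy threshold, the salted SHA-256 storage format, the list of vendor defaults and all account and session data are assumptions made for the demonstration.

```python
"""Audit a constructed account/session export for the three weaknesses the
NDG review singles out: dormant accounts, default passwords and one account
logged in from several hosts at once. Example code, not an NHS or NDG tool."""
import hashlib
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; tune per local policy

# Hypothetical vendor defaults; a real audit would load the supplier's own list.
KNOWN_DEFAULT_PASSWORDS = ["Password1", "admin", "welcome1"]


def hash_password(salt, password):
    """Assumed storage format: hex(sha256(salt + password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample export (user, salt, stored hash, last successful login).
ACCOUNTS = [
    {"user": "admin",  "salt": "a1", "hash": hash_password("a1", "Password1"),    "last_login": "2016-01-10T08:00:00"},
    {"user": "jsmith", "salt": "b2", "hash": hash_password("b2", "c0rrect-h0rse"), "last_login": "2016-07-20T09:12:00"},
    {"user": "locum7", "salt": "c3", "hash": hash_password("c3", "Zebra!2016"),    "last_login": "2016-03-01T17:45:00"},
    {"user": "wardpc", "salt": "d4", "hash": hash_password("d4", "sh4red-ward"),   "last_login": "2016-07-21T07:55:00"},
]

# Constructed session log: (user, source host, session start, session end).
SESSIONS = [
    ("wardpc", "10.1.5.21", "2016-07-21T07:55:00", "2016-07-21T12:00:00"),
    ("wardpc", "10.1.5.34", "2016-07-21T08:10:00", "2016-07-21T10:30:00"),
    ("wardpc", "10.1.5.21", "2016-07-21T13:00:00", "2016-07-21T15:00:00"),
    ("jsmith", "10.1.7.8",  "2016-07-20T09:12:00", "2016-07-20T17:00:00"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def dormant_accounts(accounts, as_of, threshold=DORMANT_AFTER):
    """Accounts whose last login is older than the threshold at the audit date."""
    return sorted(a["user"] for a in accounts
                  if as_of - parse(a["last_login"]) > threshold)


def default_password_accounts(accounts, defaults=KNOWN_DEFAULT_PASSWORDS):
    """Accounts whose stored hash matches any known default, re-hashed with
    that account's salt (an offline check, no live login attempts)."""
    hits = []
    for a in accounts:
        if any(hash_password(a["salt"], pw) == a["hash"] for pw in defaults):
            hits.append(a["user"])
    return sorted(hits)


def concurrent_logins(sessions):
    """Accounts with time-overlapping sessions from different source hosts,
    the usual sign of a password being shared across a ward or desk."""
    by_user = {}
    for user, host, start, end in sessions:
        by_user.setdefault(user, []).append((host, parse(start), parse(end)))
    flagged = set()
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                h1, s1, e1 = sess[i]
                h2, s2, e2 = sess[j]
                if h1 != h2 and s1 < e2 and s2 < e1:  # intervals overlap
                    flagged.add(user)
    return sorted(flagged)


def audit(accounts=ACCOUNTS, sessions=SESSIONS, as_of=datetime(2016, 7, 22)):
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "default_password": default_password_accounts(accounts),
        "concurrent": concurrent_logins(sessions),
    }


if __name__ == "__main__":
    for finding, users in audit().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

The dormancy and default-password checks only need the account export, so they can be scheduled without touching production authentication; the concurrent-login check needs session start and end times, which most directory and application logs already record. Each finding maps to the audit evidence Dame Fiona asks organisations to produce against the standards.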
There is also a call for the DH to put stronger sanctions in place for malicious or intentional data security breaches and ensure actions to redress breaches proposed in the 2013 Review are implemented effectively.
Citizens have a choice – the new opt-out system
The eight-point opt-out model provides individuals with the right to say no to their personal confidential information being used for anything beyond their direct care. However, the opt-out will not apply to anonymised information, or where there is a fraud investigation or a public interest element such as tackling the recent Ebola virus outbreak.