Act now
The Information Commissioner’s Office can now fine data controllers £500,000 for serious breaches of the Data Protection Act. Yet NHS organisations continue to breach the act on a more or less monthly basis. Daloni Carlisle looks for solutions.
Given the wall-to-wall press coverage devoted to data breaches, you might have thought that the NHS was now security aware and that we had seen the end of lost laptops and USB sticks containing unencrypted patient records.
But Simon White, associate solicitor at Browne Jacobson Solicitors, and the man that many NHS trusts turn to when things go wrong, says not.
“About once a quarter an NHS doctor puts patient data onto their own laptop. It’s not password protected or encrypted and then the laptop gets stolen,” he says. Then the trust calls him.
“I am surprised by how many times I am asked if they really need to inform the patient. I point out that they have lost their name, address, medical details and the time of their next medical appointment. Do they think there is a chance that the patient might be burgled at just that time?”
Carrots and sticks
True enough, he says, the last year or so has seen a lot of change and some improvement. The NHS Information Governance Toolkit gave trusts the standards for safeguarding patient information and asked them to identify areas of weakness and draw up an action plan to address them.
A new version of the toolkit is being developed in consultation with users, with a publication date set for June 2010. And from March 2011, NHS organisations will be expected to comply with all information governance standards and to provide training for all staff who handle personal information, preferably using the information governance training tool.
Meanwhile, the Department of Health is set to name and shame those who don’t comply: it is working with the Audit Commission on a new information governance-focussed audit methodology.
More recently, the Information Commissioner’s Office issued a series of warnings to the effect that if data must be taken off site it must, at the very least, be encrypted. “You are now negligent if you do not encrypt,” says White.
From April 2010, the maximum financial penalty that the ICO can impose for loss of data will jump from £5,000 to £500,000. Hefty fines will be levied for “serious” breaches - and in the case of the NHS that could mean “medical details [being] stolen and an individual suffering worry and anxiety that sensitive data will be made public, even if his concerns do not materialise.”
White predicts that the ICO will make an example of an NHS trust - and do it sooner rather than later. “NHS trusts that are negligent will get clobbered; particularly foundation trusts where I expect Monitor will get involved too,” he says. “Reputation-wise you do not want to be at the end of a fine like that.”
Elegant IT
Yet data breaches continue. Just a fortnight ago, Southampton University Hospitals NHS Foundation Trust became the latest NHS organisation to sign an undertaking to abide by the Data Protection Act after an unencrypted laptop holding 33,000 patient records was stolen from a retinal screening vehicle that had been left unlocked and unattended.
Experts in NHS security say there are several reasons for the lack of progress. The first is that the NHS does not spend enough on security. Mark Pearce of Enterasys Secure Networks, a division of Siemens, says: “Most healthcare organisations continue to focus on and prioritise clinical systems as opposed to IT security.”
Budgets are tight and IT professionals are struggling harder than ever to get the money to fund security initiatives, he says, citing research which shows that healthcare organisations consistently spend less on IT security than retail or financial services companies.
But that’s only part of the story. Alan Hunt, technical director at HyTec, says: “The architecture model proposed by NPfIT in 2003 changed the security model from network security relying on firewalls and encryption to an application security model.”
So, for example, the N3 network was never designed to be secure, relying instead on role-based access to applications and data held by service providers. “It was a great model,” says Hunt. The only problem - it was never delivered. “We were left betwixt and between and now there is a whole lot of re-engineering going on to provide security.”
There are lots of elegant solutions available now, many of them designed to take decisions out of users’ hands. Adam Ataar, network security and operations consultant at NHS Blood and Transplant, says: “Users shouldn’t be given the responsibility for deciding what should and should not be encrypted, or to maintain security policies. These policies have to be enforced by solutions, as transparently as possible from the user’s viewpoint.”
NHSBT has deployed an endpoint security agent from Check Point combining firewall, network access control, program control, anti-virus, anti-spyware, data security and remote access.
For example, each staff member is given their own, fully encrypted 2GB USB hard drive - the use of all other removable media is blocked. “This enables us to keep information flow fully traceable and secure while enabling users to work efficiently,” says Ataar. The system also provides a VPN client to provide secure remote access to documents and email.
Centralis, meanwhile, is deploying virtualised solutions that can present information to users wherever they are without ever having to transfer it, relying on the 3G network. The company is currently working with NHS Dudley, NHS Kent and Medway, University Hospitals of Leicester NHS Trust and the Royal Marsden NHS Foundation Trust.
“It’s all about putting in multi-layered security,” says managing director Ewen Anderson. “An initial three-layered authentication system can be backed up with intelligence before you can access the system: where are you logging in from and what are you looking at? If it is a trust device, it will give you full access. It is a public PC then it will restrict you to a view only.”
This sort of system can give nurses working in patients’ homes access to appointment systems, provide radiologists on call with view-only images on their home computers and enable staff in swine-flu quarantine to work from home securely.
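The layered, context-aware scheme Anderson describes (authentication first, then “intelligence” about the device and network, then a full or view-only grant) can be sketched as a policy function. What follows is an added illustration, not Centralis or NHS code: the required factor count, the network and resource labels, the rule ordering and the sample sessions are all assumptions constructed for the example.

```python
"""Context-aware access decision in the style of the layered scheme described
in the article.  Added illustration; the rules, labels and sample data below
are assumptions, not any supplier's or trust's real policy."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    DENY = "deny"
    VIEW_ONLY = "view-only"
    FULL = "full"


@dataclass(frozen=True)
class Session:
    user: str
    factors_passed: int      # authentication factors that succeeded
    device_trusted: bool     # trust-managed endpoint vs public/home PC
    network: str             # assumed labels: "trust-lan", "vpn", "internet"
    resource: str            # assumed labels: "appointments", "images", "records"


REQUIRED_FACTORS = 3                          # assumed: three-layer authentication
TRUSTED_NETWORKS = {"trust-lan", "vpn"}       # assumed: where a trust device counts as on-site
# Assumed: resources that may be rendered for viewing from an untrusted
# endpoint but never downloaded to it.
VIEWABLE_OFF_SITE = {"appointments", "images"}


def decide_access(s: Session) -> tuple[Access, str]:
    """Return the access level for a session and the rule that produced it."""
    # Layer 1: every authentication factor must succeed before context matters.
    if s.factors_passed < REQUIRED_FACTORS:
        return Access.DENY, "authentication incomplete"
    # Layer 2: a trust device on a trust network gets full access.
    if s.device_trusted and s.network in TRUSTED_NETWORKS:
        return Access.FULL, "trust device on trust network"
    # A trust device reached over an unknown network (e.g. 3G in a patient's
    # home, outside the VPN) is demoted to view-only: nothing lands on disk.
    if s.device_trusted:
        return Access.VIEW_ONLY, "trust device off the trust network"
    # Layer 3: untrusted endpoints (public or home PCs) only ever get a
    # rendered view, and only of resources marked as viewable off-site.
    if s.resource in VIEWABLE_OFF_SITE:
        return Access.VIEW_ONLY, "untrusted endpoint: view only"
    return Access.DENY, "resource not viewable from an untrusted endpoint"


def audit_line(s: Session) -> str:
    """One audit-log line per decision, so every grant is traceable."""
    level, reason = decide_access(s)
    return (f"user={s.user} device_trusted={s.device_trusted} network={s.network} "
            f"resource={s.resource} decision={level.value} reason=\"{reason}\"")


# Constructed sample sessions covering each branch of the policy.
SAMPLE_SESSIONS = [
    Session("nurse01", 3, True, "vpn", "records"),        # full
    Session("radiol01", 3, False, "internet", "images"),  # view-only
    Session("field01", 3, True, "internet", "records"),   # view-only
    Session("home01", 3, False, "internet", "records"),   # deny
    Session("anyone", 2, True, "trust-lan", "records"),   # deny: auth incomplete
]


def run_demo() -> list[str]:
    return [audit_line(s) for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of keeping the decision in one function with a stated reason is that the audit trail records why an access level was granted, not just that it was, which is what an information governance review or a post-breach investigation needs.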
Potential limitations
These solutions - and others - are on offer from a range of suppliers, each with their own USP. But Hunt raises some questions about their limitations. It’s all very well taking home a B-crypt USB - until you find it doesn’t work in your son’s home computer and you have to call the IT department. “These sorts of expenses need to be factored in,” he says.
Then, there is the question of whether the NHS Information Governance framework is mandatory or simply guidance to inform locally-made risk assessments. The latter approach is fine for information sharing within an organisation, he says. “It starts to become a problem when you have multiple organisations working together.”
And this, after all, is likely to be the future of healthcare. Hunt has recently been involved in a project to support information sharing between local government and the Department of Work and Pensions. This potentially has knock-on effects for the security considerations when local government starts sharing information with health. “Local government cannot risk its link to DWP with a less secure link to the NHS,” he says.
Or take the GP communicating patient information. “When the GP is sharing information with the primary care trust, he does not have to decide whether it is safe to send because it is all encrypted. But working across departments, for example sending an email to the social care department, he does not know.”
At the end of the day, good information governance is all about understanding risk, agreeing the acceptable level of risk between organisations, managing it and still getting the best and most flexible use out of your system.