As head of data security at NHS Digital, people think my job is about systems and technology. It isn’t. My job is about building public trust, and about supporting others within health and care to do the same.
I am here to put patient care first, just like frontline organisations who deliver that care, and I would urge every organisation I work with to focus widely on building and maintaining public trust, rather than solely on security.
I am unrelenting in my belief that one way we can improve patient outcomes is through digital patient information. This move to digital, which is happening across all aspects of our lives, can help to transform health and care, but it needs to have the right safeguards and controls in place.
The government has just published its response to the National Data Guardian Review on data security, opt-outs and consent, which endorses a set of new data security standards for health and care.
10 standards to underpin safe data sharing
The standards exist to help organisations to safely share information appropriately and to ensure that they understand their responsibilities for keeping information safe. Additionally, the standards provide a supporting framework to ensure that information remains secure and to act as a set of guiding principles for health and care organisations.
The standards are common sense, but when they are looked at in the round, they are more about maintaining trust than focussing on in-depth security principles or overly technical comprehension. This is exactly as it should be if these standards are to become an integral part of the way health and care organisations operate.
Just consider standards 1 and 2.
Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes
Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Understanding responsibilities
The focus is on how we handle information, understanding our responsibilities and ensuring we avoid breaches. The other eight standards continue this theme and they will help to drive an enhanced culture of data security across the health and care system.
I entirely support the content and intention of the standards, but they will not in themselves drive improvement and they should not be seen in isolation or in a silo. Instead they need to be seen as a key part of a system-wide, integrated approach to realising the recommendations of the National Data Guardian Review.
So how does this work in practice, and how are central NHS organisations helping care providers to apply the standards?
New and refreshed IG Toolkit to address cyber security
Firstly, these standards will form the heart of the new and refreshed IG Toolkit which will be launched later in 2017. The toolkit will ensure the data standards are met and is designed to take into account both physical and cyber security.
The new toolkit will also align with the Care Quality Commission’s increased role in assuring data security as part of their Well-led assessments. This ‘joined-up’ approach is fundamental to ensuring the standards help us build confidence that not only do we secure patient information, but that also we understand its value and importance.
But in developing this project, we have been mindful of the fact that this cannot just be another thing for providers to do. Having worked in the NHS across multiple providers of care I understand increased burden is not welcome. It is crucial that the standards and the toolkit have real meaning and deliver demonstrable value to care providers. With this in mind, all of the partners involved have ensured that these standards replace or remove burden.
Reducing the burden of IG reporting
During the coming year it will become clearer how the new IG toolkit will enable organisations to meet the standards, while focussing on reducing effort but driving value. Similarly, we are working across the system to identify how we can collect information once and use many times, rather than asking organisations within health and care to continue to supply information multiple times for multiple purposes.
I personally welcome the government response on the data security elements of the review and the work going on across the system to ensure these can be embedded. Their adoption is a signal to patients and the public as a whole on our commitment to protect their data.
They are a part of an overall approach to enhancing data security and I look forward to talking more about the wider initiatives as the year progresses. In the interim, the Data Security Centre and it’s CareCERT service, is there to help and support organisations to develop their security and information assurance.
Whilst we are here to help and support, we also know that we can always improve, and we want to actively work with health and care organisations to ensure that our services are designed around user and patient need, and are built iteratively, as part of a wider and continuing conversation about data security.
4 August 2017 @ 09:47
I’ve used email with my patients for many, many years – they all have my address and can use it as they see fit. They know the “rules” (e.g. nothing urgent).
And they all know the risks of cleartext email, and they all have the option of encryption ( http://www.tinyurl.com/drnbencrypt ). But in all those years, not one patient has chosen to request encrypted communication with me. Ever.
It’s their choice, if they know the risks. I guess the convenience & overwhelming benefits of being able to communicate with their GP by email far outweigh the risks of GCHQ or the NSA eavesdropping on them telling me that their shoulder is no better and can I refer them to physio as discussed.
1 August 2017 @ 22:25
These are not new .
What is frustrating as a patient is that so many NHS organisations say we cannot do this that or the other because of “security”, especially email. This is complete non-sense.
If there is one standard that is ignored time and time again it is consent. Consent is king and trumps anything else. You can transmit my health records via facebook as long as you get my informed consent.
This has not really changed since the incarnation of the DPA and under GDPR it won’t change much either although it must now be explicit and informed and will be enforced with touch punitive measures from the EU. Lets hope that wakes the NHS up.
It is with first hand experience that I can say patients have suffered and died as a result of this failure to understand the basic but most fundamental principle of the data protection act.
In order to “First do no harm” you must first learn to share data.
3 August 2017 @ 15:15
Hi there – I think we’re conflating information security and data protection. The two are inexplicably linked but the data standards tend to focus on more of the former. the Gov response covers consent but thats no area or expertise, if I have any!
I agree in what you say, having worked in a few big acuts I know that clinical trumps DPA 9/10 if it can be justified. I know the opt-out side of the report tries to simply consent as much as possible.
Security does not, should not, ever stop sharing. Security should not be used a a barrier and if it is its being done so under false pretences. I have seen in my role examples of people asking for security to agree to block an initiative because they do not agree with the strategy – thats not our role.
Security enables safe effective and legal sharing of information.
If security says no then they’re failing, good security teams say ‘this is how we do this safely’.
3 August 2017 @ 16:54
The NHS certainly is and indeed the scope and bounds of these.
Firstly NHS organizations have told me that they cannot email because data must be encrypted as required by the DPA! The DPA does not lay out any security standards in this regard it certainly doesn’t go as far to say they must be encrypted. The postal service would not function if it did!
Then where we are closer to information security standards such as ISO27001 which the NHS has watered down and called IGSoC we get even more confusion.
Here it does specifically talk about encryption but typically for internal and inter-organization communications. Again this is often confused with patient communications. However, the more harrowing and disturbing element to all of this is the fact that the patient isn’t even a thought in all of it and the NHS often takes leave of its senses.
We have real world situations (some of which I have witnessed) where a patient needs a transfer of care but the recipient hospital needs the patient notes first. Hospital A cannot quickly transfer the notes from A to B because one is using .nhs.uk (a failing in its own right) and it’s not encrypted and they have no other means.
The hospital’s answer is to print everything out and post it (an irony completely lost on them), which takes precious time and resource and adds days sometimes weeks.
So the NHS has yet to understand existing regulation and standards many of which have been more than acceptable and enabled the free flow of information when implemented correctly.
We now have GDPR and a whole bunch of other new ideas coming through often a knee jerk to the likes of WannaCry. GDPR is already being misinterpreted and the NHS is lapping up “GDPR compliance” solutions at great time and expense. It’s an absolute circus.
“New data standards will underpin safe information sharing”:- There is every opportunity to do this right and put the patient first but sadly the best predictor of future behavior is past behavior and in all likelihood this will just be another layer of confusion and barriers.
Most patients suffering or in need would prefer their information be there than bolted down in some NHS silo and their privacy be protected to the nth degree by layers of policies and standards. If there was any doubt ask them, it’s called consent, look it up!
First do no harm? Not when it comes to privacy and security. Encrypt Encrypt Encrypt on pain of death (literally).
24 July 2017 @ 11:28
There is nothing new about these data standards. They have existed within the current toolkit for over 10 years and I am surprised they have suddenly become new because the NDG recommended them. Focus should be on how to build on the current IG toolkit regime and how best the IG toolkit can operationally be implemented in a way that eliminates a box ticking compliance culture. Rewriting the standards without looking at how the underlying culture of operational compliance can be improved will not yield significant improvements.