Using technology to unlock the value of the Information Governance Toolkit

The public’s expectations of the NHS continue to rise in spite of well-documented challenges to the system, such as the rapidly growing population and increasing numbers of elderly people. Meanwhile, a government programme requiring billions of pounds in efficiency savings has increased the strain on NHS services and staff.

Smarter use of patient data offers the potential for more efficient and better-targeted services, but past projects have ended in expensive failure. What’s more, any technological improvement that allows us to better capture and analyse data also increases the danger that it will be lost, stolen or misused. As the world moves online, the value of this information to criminals increases, and their efforts to obtain it grow in number and sophistication.

Healthcare is responsible for more data breaches than any other UK sector. There were 734 cases in 2014, 517 of which required investigation by the Information Commissioner’s Office (ICO), and year-on-year numbers doubled from 2013. The United States shows the direction of travel: 91% of healthcare organisations there have suffered at least one data breach in the past two years, and 40% have suffered more than five. Importantly, mistakes and negligence are no longer the principal cause. Criminal attacks have increased by 125% since 2010; and hackers steal far more data than is usually lost in error: the recent attack on Excellus involved up to 10 million individual records.

Serious breaches of the Data Protection Act are punishable by fines of up to £500,000. Nearly £6.5 million in fines have been levied for losses of sensitive personal information since 2010, the majority coming from public sector organisations. The largest fine to date, £325,000, came against Brighton and Sussex University Hospitals NHS Trust in 2012.

In February 2015, the ICO secured the right to subject public healthcare organisations to a compulsory audit. According to the Information Commissioner, “The health service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers… this new power to force our way into the worst performing parts of the health sector gives us the chance to act before a breach occurs.” Meanwhile, fines are set to increase dramatically once the EU’s General Data Protection Regulation is adopted later this year. The new regulations set the limit for financial penalties at €20 million.

The Information Governance Toolkit is the Department of Health’s response to the need for better control of sensitive information. All organisations with access to NHS patient data must demonstrate good information governance through use of the Toolkit. However, surveys in early 2015 found that fewer than 40% of respondents felt it met their needs. Senior managers did not see the Toolkit as supporting good governance or helping them to discharge their legal obligations. In fact, most organisations believe that they could devise a superior compliance regime themselves.

This attitude is short-sighted. NHS leaders must accept that regulatory bodies, and the public, have become much less tolerant of shortcomings in security; and understand that technology can unlock the value of the IG Toolkit, by supplying the missing management layer. A well-designed platform will provide demonstrable control over information assets and data flows; highlight key risk areas; and reduce both the administrative burden of compliance and the risk of data losses – and costly fines – due to mismanagement and human error. Of course, software is only part of the equation. No organisation should expect to purchase their information governance ‘off the shelf’, but since 90-95% of IG Toolkit requirements are the same for most NHS organisations, there is considerable potential for efficiency savings.

Commenting on the cloud-based Information Asset Register that Northern Devon Healthcare NHS Trust has recently implemented, Phil Bradshaw, Information Governance Officer at the Trust, said: “The new register is fully integrated with information about confidential data flows and risk assessments. It supports and provides evidence for at least 11 NHS IG Toolkit requirements. This provides major advantages for efficiency and effectiveness. In terms of efficiency, by devolving maintenance of the register and automating approval and review processes it requires substantially less commitment of time resource compared to managing a register by collection, collation and reminder. In terms of effectiveness, it more directly involves asset owners and administrators in approving and reviewing controls relating to the assets, and through its reporting and drill down functions enables a clear oversight for the Information Governance team, senior management and the SIRO which will enable some of those Toolkit requirements to improve to level three compliance.”

With a more proactive approach, the NHS could lead the way in information governance. NHS England and North Devon Healthcare Trust have already implemented new technology solutions, and if other organisations follow suit, the NHS may become world-class for data security and utilisation.

References:
http://www.computerworlduk.com/news/security/data-breaches-in-uk-healthcare-sector-double-since-2013-ico-numbers-show-3589814/
http://www.esecurityplanet.com/network-security/91-percent-of-healthcare-organizations-suffered-data-breaches-in-the-past-two-years.html
http://www.infoworld.com/article/2983634/security/why-hackers-want-your-health-care-data-breaches-most-of-all.html
https://ico.org.uk/action-weve-taken/enforcement/ and http://breachwatch.com/ico-fines/
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/02/ico-given-new-powers-to-audit-nhs/
http://systems.hscic.gov.uk/infogov/iga/news/surveysexec.pdf