In most NHS Trusts, information security is high up the management agenda but low down the budgetary list. This is because the lack of a centralised pot of mandated and ring-fenced funding means that it is competing for money with higher priority issues such as patient care and the National Programme for IT (NPfIT) initiative at the same time that healthcare bodies are trying to balance their books.
The situation is also not helped by the autonomous nature of the Trusts themselves. The fact that each has its own management structure, its own modus operandi and its own budgets to set has resulted in information security funding, resourcing and practice varying widely between them.
But that is not to say that such organisations are unaware of the sensitive nature of patient data or how emotive an issue it is for the public and individuals should it be lost or stolen. Even if the raft of data loss scandals at other public authorities over the last 18 months or so had somehow passed them by, the Information Commissioner’s decision to take enforcement action against eight of their number in recent times certainly has not. Included on the list is Abertawe Bro Morgannwg University NHS Trust, which was asked to sign a formal undertaking to conform to the Data Protection Act after a laptop holding the personal data of 5000 patients was stolen.
| "Data must either be encrypted or not sent at all." |
| David Nicholson |
Knuckling down
The Information Commissioner is not the only one who has been piling on the pressure. In December 2007, following the HMRC data loss scandal, David Nicholson, the NHS’ chief executive, issued a set of instructions on how Trusts should handle the transport and transfer of patient data. With bulk transfers of more than 50 patient records to internal departments, other Trusts or third party agencies such as social services, Nicholson indicated that data must either be encrypted or not sent at all.
One organisation that has been looking at ways of securing data in transit as a result is Aintree University Hospitals NHS Trust. Last year, it undertook a three-week audit of its data flows to prepare for the introduction of an electronic records system and, as part of the project, drew up a map to show where its information was coming from and going to.
Ward Priestman, director of informatics at the Trust, says: “The first stage is to map where your data is going as you need to be assured that you’re not sending it out unnecessarily. It also helps you to focus resources on areas of weakness so you can work through any issues that have been highlighted.”
The body has since encrypted the hard disks of all of its laptops and mobile devices using the Connecting for Health recommended product, McAfee’s SafeBoot. It is also currently undertaking an amnesty for the 1000 or so clinical and admin staff that use USBs to replace them with Network Defence’s SafeStick encrypted memory sticks. Unauthorised USBs were banned as of 1 April 2009.
The next step is to ensure that all unused information is deleted and that redundant data repositories are decommissioned in line with the Data Protection Act. But as Priestman points out: “People hang onto data for comfort purposes even if they no longer need to, so ensuring that all redundant data is deleted can be quite a difficult concept for them.” A newly-appointed information security manager will work with individual departments to help them tackle the issue, however.
Data in transit
While much of the focus in information security terms last year was, and in the year ahead will continue to be, about addressing the ‘data in transit’ challenge, another preoccupation relates to complying with the rules for connecting to the NHS-wide N3 broadband network.
| "There's no way that just introducing encryption is the answer to everyone's security prayers. Security has to be a part of everything you do." |
Neil Yeomans, partner of enterprise risk services at Deloitte, explains: “How much work this takes will vary depending on where people are, but issues around patient data flows and the Information Governance Statement of Compliance (IGSoC) will both form the backdrop to Trusts’ priorities from a security point of view.”
The IGSoC is a subset of the self-certification-based Information Governance standards, which lay down how Trusts should manage their data. In order to use services from Connecting for Health, the government agency in charge of NPfIT, and particularly the N3 element, the most senior Trust manager must have signed an IGSoC declaration by 31 March 2009 certifying that it is meeting ? or is working towards meeting ? prescribed security requirements within agreed timescales.
Such requirements include achieving or working towards obtaining ISO27001 information assurance accreditation, agreeing not to store or process patient or other sensitive data offshore, and introducing change control notification procedures and approval processes.
Pressure to conform fully to IGSoC is mounting as Connecting for Health is expected to start undertaking audits to validate self-certification claims over the next 12 to 18 months. One organisation that is well on the way is Newcastle-upon-Tyne Hospitals NHS Foundation Trust. It is in the process of implementing a single sign-on (SSO) system from Imprivata to enable staff to access both buildings and IT systems using a smartcard that also acts as an identity card.
The move followed the ongoing consolidation of services from three hospitals to new facilities at the Freeman and Royal Victoria Infirmary under a Private Finance Initiative valued at £340 million. It was also spurred on by the decision to roll out a new electronic patient records system at the same time.
Michael Mythen, deputy head of information management and technology at the Trust, explains: “The system will give us a means of enabling strong authenticated access as well as providing us with a full audit trail of who is accessing what equipment or building. Also, in terms of Connecting for Health, no one will be able to access their systems without a smartcard, which means that we’re complying with its demands too.”
The government agency has stipulated that health bodies wanting in future to access Summary Care Records of patients from across country - which will be held in a centralised ‘Spine’ database - can only access the system using a smartcard. While many Trusts are currently in the process of digitising their own patient information in anticipation of making the summarised record available, others are starting to pilot their own smartcard-based SSO projects, although the market is still in its early days.
Not without hurdles
As to potential challenges faced when going down this route, one of the biggest met by Newcastle was “culturally, in bringing three disparate elements together”, says Mythen. These elements comprised the HR department, which was required to identify and define staff roles and responsibilities; the IT department to handle systems-related issues, and physical security experts to deal with issues surrounding building access.
| "The system will give us a means of enabling strong authenticated access as well as providing us with a full audit trail of who is accessing what equipment or building." |
This resulted in the creation of a multi-disciplinary team, which included representatives from each group to handle planning and implementation as well as end-users to provide input and feedback. Once job definitions were agreed, three staff databases were subsequently amalgamated and their data cleansed to ensure information integrity and consistency in a big project that took nearly 10 months.
In the case of most Trusts, however, Mike Gillespie, director of security consultancy Advent IM, believes that “implementing ISO27001 (as stipulated in IGSoC) would help them meet 95%” of their information security obligations.
One of the current key problems, he points out, is that “very few Trusts have someone at senior management level with responsibility for information risk, which means that undertaking risk assessment and management is not on the corporate agenda”. As a result, while the majority focus almost exclusively on safeguarding sensitive patient data, all too often the protection of confidential staff-related and commercial information is “completely overlooked”.
A dedicated committee
One organisation that is attempting to address these very issues, however, is the Mid-Yorkshire NHS Trust. It has just created the strategic role of Senior Risk Officer (SRO) in line with recent Cabinet Officer guidance and is in the process of appointing an existing board member to take it up.
Information owners will report to the SRO and be required to demonstrate how they are complying with information security and governance requirements. The SRO will also head up the organisation’s existing information governance committee, which includes its Caldicott Guardian, who specialises in information governance matters; a clinical information officer, who deals with day-to-day security issues; and a local security management specialist, who focuses on physical security questions.
Paul Curley, clinical director of IT and consultant vascular and general surgeon, says: “The committee has been in place since the Caldicott Guardians were established and it’s been very active in dealing with information security issues in numerous different areas. These range from physical security and electronic systems to creating security havens for faxes should they go astray if someone has misdialled a digit.”
The Trust has also just started the six-month roll out of an electronic document and records management system, which provides clinical staff with access to patient case notes and other information in accordance with the roles defined in their electronic staff record (ESR). These definitions were established last year when the Trust introduced its Bighand 3 dictation and workflow system.
As a further safeguard against unauthorised access, meanwhile, the ESR is hooked into Microsoft’s Active Directory, which means that users are provisioned and de-provisioned automatically when they join or leave the organisation.
“There’s no way that just introducing encryption technology is the answer to everyone’s security prayers. Security has to be part of everything that you do and there simply has to be a coherent strategy around it”, Curley concludes.