Information Security and Confidentiality in Healthcare
November 2007
Introductions
Colin Nolder
Business Consultant, Lloyd-Nolder Associates
Chair, IST/35 UK Mirror Panel, Information Security
DTI/BSI Principal Expert, UK Information Security
European CEN/TC251 Convenor for Information Security
The Programme
The background to Information Security and Confidentiality
What is it?
Why is it needed?
Why is it important now?
Who's taking the lead?
What can you do?
Health Warning
The NHS will spend approximately £10.4 billion in 2007-8 on collecting, processing and disseminating information. However, when it comes to information security the NHS has, in the past, fared worst of all business sectors for taking it seriously. Some NHS organisations could even be breaking the law because they are not compliant.
What is Information Security?
Confidentiality
Integrity
Availability
Confidentiality?
“Information access is confined to those with a specified need and authority to read and/or change the information.”
Integrity?
“Information accuracy and completeness is safeguarded.”
Availability?
“Information is available to authorised users, when and where required.”
“Between You and Me…”
Why is information security needed 1?
Legislation
NHS Policy
Professional Codes of Practice
Standards
Information Governance Toolkit
Data Sharing
Incidents
Legislation
Over 100 Acts of Parliament, Statutory Instruments, Regulations, Orders in Council
More than 20 EU Treaty Articles, Directives, Decisions, Proposals
8 other International Agreements and Conventions (Council of Europe, UN, WHO)
Legislation
• Computer Misuse Act (1990)
• Data Protection Act (1998)
• Human Rights Act (1998)
• Crime and Disorder Act (1998)
• Electronic Communications Act (2000)
• Freedom of Information Act (2000)
• Regulation of Investigatory Powers (RIP) Act (2000)
• Health & Social Care Act (2001)
• Civil Contingencies Act (2004)
• Common Law
Freedom of Information Act (2000)
Since 1st January 2005 an individual has:
• The right to be told whether the information exists.
• The right to receive the information.
Puts a legal requirement on NHS organisations to publish and share information.
The NHS Plan
“The NHS will respect the confidentiality of individual patients and provide open access to information about services, treatment and performance”
[Diagram: Information Security and Confidentiality sits where Corporate Governance and Clinical Governance meet, underpinned by Legislation, Policy & Guidance and Standards.]
Clinical governance: The Caldicott Committee, Report on the Review of Patient-Identifiable Information, December 1997
Corporate governance: Data Protection Act 1998 (Chapter 29)
Policy and Guidance
• Caldicott Report
• Standards for Better Health
• Information Governance Toolkit
• NHS Confidentiality Code of Practice
• NHS Consent Policy
• Guidance on Use and Disclosure
• Trust Policies
Codes of Professional Practice
GMC Duties of a Doctor
GMC Confidentiality: Protecting and Providing Information
www.gmc-uk.org/guidance/library
BMA Guidance on Confidentiality and Disclosure of Health Information
www.bma.org.uk/ap.nsf/content/confidentiality
MRC Personal Information in Medical Research
www.mrc.ac.uk/pdf-pimr.pdf
Standards
BS7799 (ISO 27002) Information Security Management
Healthcare Commission: Standards for Better Health
NHS Information Governance Toolkit
NHS Information Standards Board (ISB) Approved Standards
CEN TC251 Standards
ISO TC215 Standards
HL7 Standards
NHS Information Governance Toolkit
Matching Requirements V5, June 2007
Information Governance Management
Confidentiality and Data Protection Assurance
Information Security Assurance
Clinical Information Assurance
Secondary Use Assurance
Corporate Information Assurance
IT Security Breaches in the NHS
[Chart: estimated percentage of Trusts having an incidence of breaches, 1994/95 to 2000/01, using extrapolated information]
Types of Incidents within NHS Organisations
Virus infection
Staff misuse and disclosure
Attempts at unauthorised access
Theft and fraud
Data error or corruption
Accidental loss
What do the papers say?
Unauthorised copies of medical records
Unauthorised alterations to medical records
Loss of medical records
Inaccurate or wrong treatment
Loss of critical systems
Financial loss and legal liability
Why is information security needed 2?
To reduce the risk of:
• Disruption to Trusts' business
• Breaches of confidentiality (personal privacy, organisational confidentiality)
• Financial loss
• Failure to meet legal obligations
• Embarrassment to SHAs and Trusts
Why is it Important Now?
[Overview diagram: Risk Management; NHS CfH National Programme; IM&T usage]
Why is it Important Now?
Risk Management
Chief Executives of NHS Trusts have been required since 1st April 2000 to do their “reasonable best” to protect patients, public, staff and stakeholders from risks of all kinds.
Department of Health: HSC 1999/123a, Risk Management and Organisational Controls, 1999
Why is it Important Now?
NHS Connecting for Health’s
National Programme for IT for the NHS in England
Initial investment of £6.2 billion
+ 4% of total NHS budget pa (currently £4.2 billion pa)
+ Local expenditure of £1bn pa
= Approximately £90bn by 2010
NHS Connecting for Health’s
National Programme for IT
5 Clusters
Local Service Providers
Local Ownership Programme
National Programme for IT (NPfIT) Core Services from NASP
New NHS-Wide Network (N3), linking 300 Hospital Trusts and 8000 General Practices to support the NHS Care Records Service
NHS Connecting for Health’s National Programme for IT Core Services from LSPs
• Care Records Service (CRS)
• Choose and Book
• Electronic Transfer of Prescriptions
• Picture Archiving and Communication System (PACS)
• Email and Directory service
NHSnet & the New National Network (N3)
• National Infrastructure Service
• Provides the physical infrastructure, intelligent network services and demand and requirement analysis
• End-to-end service and single point of contact
• Secure network with links to other networks
• Available at every site where NHS services are delivered or managed
Why is it Important Now?
More reliance on information
More clinical use of IT
Caldicott implementation
Implementation of Data Protection Act 1998
NHS Organisations were inadequately protected
Of NHS Trusts in England:
• Only just over half had up-to-date Information Security Policies
• Less than one fifth had comprehensive Security Awareness programmes
• Less than one third had taken proper cognisance of legislation other than the Data Protection Act
• Less than ten per cent had completed their ISO 17799 Surveys and Action Plans
Who’s taking the lead ?
Caldicott Guardian
Head of Information Governance
Data Protection Officer
Information Security Manager
“Between You and Me…” The Issues
The key message!
Information Security (like Health & Safety) is everyone's responsibility!
This means you!
What can you do?
• Adhere to Trust policies
• Apply access controls
• Secure Trust assets
• Report incidents
• Review personal practice
Adhere to Trust Information Security Policies
Specify Trust responsibilities
Have Senior Management support
Provide frameworks of standards and procedures
Incident procedures
Email and Internet use
Apply physical access controls
Challenge inappropriate behaviour
Prevent misuse of data and software
Stop unauthorised access
Document authorisation
Protect your password
Access Controls for the NHS Care Records Service
NHS Connecting for Health is using Role Based Access Control, based on Smart Cards, together with Pseudonymisation.
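The following is an added illustration of the two controls named on this slide, role based access control and pseudonymisation, in working code. It is not NHS Connecting for Health's implementation: the roles, permissions, the session object standing in for a smart card logon, the keyed-hash pseudonym and the sample record are all constructed for the example. It shows the behaviour a practitioner should expect: the same record yields identifiable data to a clinician, only a pseudonym plus clinical content to a researcher, and nothing at all to a session whose smart card was not verified, with every decision written to an audit trail.

```python
"""Role based access control with pseudonymised identifiers (added example).

Constructed for illustration; not NHS Connecting for Health code.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical role -> permission mapping. A real deployment derives the
# role from the smart card / directory entry rather than hard-coding it.
ROLE_PERMISSIONS = {
    "clinician": {"read_clinical", "write_clinical"},
    "receptionist": {"read_demographics"},
    "researcher": {"read_pseudonymised"},
}

# Constructed demo key. In practice the pseudonymisation key lives in an
# HSM or key store and is never shipped with the application.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Audit trail: every access decision, allowed or refused, is recorded.
AUDIT_LOG = []


@dataclass(frozen=True)
class Session:
    """Stands in for a smart card logon: who, which role, card verified?"""
    user_id: str
    role: str
    smartcard_verified: bool


@dataclass(frozen=True)
class PatientRecord:
    nhs_number: str
    name: str
    diagnosis: str


class AccessDenied(Exception):
    pass


def has_permission(session, permission):
    """Permission flows only through a verified card and a known role."""
    if not session.smartcard_verified:
        return False
    return permission in ROLE_PERMISSIONS.get(session.role, set())


def pseudonymise(nhs_number, key):
    """Keyed hash: stable per patient, not reversible without the key.

    An unkeyed hash would not do: a 10-digit NHS number space can be
    enumerated and every hash looked up.
    """
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def view_record(session, record, key=DEMO_KEY):
    """Return the view of the record the session's role is entitled to."""
    pseudonym = pseudonymise(record.nhs_number, key)
    if has_permission(session, "read_clinical"):
        view = {"nhs_number": record.nhs_number, "name": record.name,
                "diagnosis": record.diagnosis}
    elif has_permission(session, "read_pseudonymised"):
        # Secondary use: identity removed, clinical content kept.
        view = {"pseudonym": pseudonym, "diagnosis": record.diagnosis}
    elif has_permission(session, "read_demographics"):
        view = {"nhs_number": record.nhs_number, "name": record.name}
    else:
        AUDIT_LOG.append((session.user_id, session.role, pseudonym, "refused"))
        raise AccessDenied(
            f"{session.user_id} ({session.role}) may not view this record")
    AUDIT_LOG.append((session.user_id, session.role, pseudonym, "allowed"))
    return view


if __name__ == "__main__":
    # Constructed sample record; the NHS number is a documentation example.
    rec = PatientRecord("9434765919", "A. Patient", "constructed diagnosis")
    for s in (Session("dr1", "clinician", True),
              Session("res1", "researcher", True),
              Session("dr1", "clinician", False)):
        try:
            print(s.role, "->", view_record(s, rec))
        except AccessDenied as e:
            print("denied:", e)
    print("audit:", AUDIT_LOG)
```

Note that the audit entry records the pseudonym rather than the NHS number, so the log itself does not become a second identifiable copy of the record set.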
Secure trust assets
Site them carefully
Lock them away when unattended
Protect off-site equipment
Dispose of properly
Hot off the Press!
The Information Commissioner announced on 15th November 2007 a new criminal offence “knowingly or recklessly flouting Data Protection principles”
The Information Commissioner said “If a doctor or hospital employee leaves a laptop containing patient records in his car and it is stolen, that is gross negligence”
Report incidents
Report any event which has resulted, or could result in :
• Disclosure of personal data
• Password infringements
• Virus infections
• Access to offensive web sites
Sources of Information
Department of Health
www.dh.gov.uk
NHS Connecting for Health
www.connectingforhealth.nhs.uk
Information Commissioner
www.informationcommissioner.gov.uk
Questions and Answers