How to Promote Awareness v3 by smythesteven


Information Security and Confidentiality in Healthcare

November 2007
Introductions

Colin Nolder
• Business Consultant, Lloyd-Nolder Associates
• Chair, IST/35 UK Mirror Panel, Information Security
• DTI/BSI Principal Expert UK, Information Security
• European CEN/TC251 Convenor for Information Security
The Programme

• The background to information security and confidentiality
• What is it?
• Why is it needed?
• Why is it important now?
• Who’s taking the lead?
• What can you do?
Health Warning

The NHS will spend approximately £10.4 billion in 2007-8 on collecting, processing and disseminating information. However, when it comes to information security the NHS has, in the past, fared worst of all business sectors for taking it seriously. Some NHS organisations could even be breaking the law because they are not compliant.
What is Information Security?

• Confidentiality
• Integrity
• Availability
Confidentiality?

“Information access is confined to those with a specified need and authority to read and/or change the information.”

Integrity?

“Information accuracy and completeness is safeguarded.”

Availability?

“Information is available to authorised users, when and where required.”
“Between You and Me…”
Why is information security needed 1?

• Legislation
• NHS Policy
• Professional Codes of Practice
• Standards
• Information Governance Toolkit
• Data Sharing
• Incidents
Legislation

• Over 100 Acts of Parliament, Statutory Instruments, Regulations, Orders in Council
• More than 20 EU Treaty Articles, Directives, Decisions, Proposals
• 8 other international agreements and conventions (Council of Europe, UN, WHO)
Legislation

• Computer Misuse Act (1990)
• Data Protection Act (1998)
• Human Rights Act (1998)
• Crime and Disorder Act (1998)
• Electronic Communications Act (2000)
• Freedom of Information Act (2000)
• RIP Act (2000)
• Health & Social Care Act (2001)
• Civil Contingencies Act (2004)
• Common Law
Freedom of Information Act (2000)

Since 1st January 2005 an individual has:
• The right to be told whether the information exists.
• The right to receive the information.

This puts a legal requirement on NHS organisations to publish and share information.
The NHS Plan

“The NHS will respect the confidentiality of individual patients and provide open access to information about services, treatment and performance”
[Diagram] Information Security and Confidentiality sits at the centre of, and is shaped by: Corporate Governance, Clinical Governance, Legislation, Standards, and Policy & Guidance.
Clinical governance: The Caldicott Committee, Report on the Review of Patient-Identifiable Information, December 1997

Corporate governance: Data Protection Act 1998, Chapter 29
Policy and Guidance

• Caldicott Report
• Standards for Better Health
• Information Governance Toolkit
• NHS Confidentiality Code of Practice
• NHS Consent Policy
• Guidance on use and disclosure
• Trust Policies
Codes of Professional Practice

• GMC Duties of a Doctor
• GMC Confidentiality: Protecting and Providing Information (www.gmc-uk.org/guidance/library)
• BMA Guidance on Confidentiality and Disclosure of Health Information (www.bma.org.uk/ap.nsf/content/confidentiality)
• MRC Personal Information in Medical Research (www.mrc.ac.uk/pdf-pimr.pdf)
Standards

• BS7799 (ISO 27002) Information Security Management
• Healthcare Commission: Standards for Better Health
• NHS Information Governance Toolkit
• NHS Information Standards Board (ISB) Approved Standards
• CEN TC251 Standards
• ISO TC215 Standards
• HL7 Standards
NHS Information Governance Toolkit
Matching Requirements V5, June 2007

• Information Governance Management
• Confidentiality and Data Protection Assurance
• Information Security Assurance
• Clinical Information Assurance
• Secondary Use Assurance
• Corporate Information Assurance
IT Security Breaches in the NHS

[Chart: estimated percentage of Trusts having an incidence of breaches, using extrapolated information; series “Trusts”; y-axis 0 to 90%; x-axis 1994/95, 1996/97, 1998/99, 2000/01]
Types of Incidents within NHS Organisations

• Virus infection
• Staff misuse and disclosure
• Attempts at unauthorised access
• Theft and fraud
• Data error or corruption
• Accidental loss
What do the papers say?

• Unauthorised copies of medical records
• Unauthorised alterations to medical records
• Loss of medical records
• Inaccurate or wrong treatment
• Loss of critical systems
• Financial loss and legal liability
Why is information security needed 2?

To reduce the risk of:
• Disruption to Trusts’ business
• Breaches of confidentiality
  – personal privacy
  – organisational confidentiality
• Financial loss
• Failure to meet legal obligations
• Embarrassment to SHAs and Trusts
Why is it Important Now?

• Risk Management
• NHS CfH National Programme
• IM&T usage
Why is it Important Now? Risk Management

Chief Executives of NHS Trusts have been required since 1st April 2000 to do their “reasonable best” to protect patients, public, staff and stakeholders from risks of all kinds.

Department of Health: HSC 1999/123a, Risk Management and Organisational Controls, 1999
Why is it Important Now? NHS Connecting for Health’s National Programme for IT for the NHS in England

Initial investment of £6.2 billion + 4% of total NHS budget pa (currently £4.2 billion pa) + local expenditure of £1bn pa = approximately £90bn by 2010
NHS Connecting for Health’s National Programme for IT

• 5 Clusters
• Local Service Providers
• Local Ownership Programme
• National Programme for IT (NPfIT): Core Services from NASP
• New NHS-Wide Network (N3): linking 300 Hospital Trusts and 8000 General Practices to support the NHS Care Records Service
NHS Connecting for Health’s National Programme for IT: Core Services from LSPs

• Care Records Service (CRS)
• Choose and Book
• Electronic Transfer of Prescriptions
• Picture Archiving Communication System
• Email and Directory service
NHSnet & the New National Network (N3)

• National Infrastructure Service
• Provides the physical infrastructure, intelligent network services and demand and requirement analysis
• End-to-end service and single point of contact
• Secure network with links to other networks
• Available at every site where NHS services are delivered or managed
Why is it Important Now?

• More reliance on information
• More clinical use of IT
• Caldicott implementation
• Implementation of Data Protection Act 1998
NHS Organisations were inadequately protected

Of NHS Trusts in England:
• Only just over half had up-to-date Information Security Policies
• Less than one fifth had comprehensive Security Awareness programmes
• Less than one third had taken proper cognisance of legislation other than the Data Protection Act
• Less than ten per cent had completed their ISO 17799 surveys and action plans
Who’s taking the lead?

• Caldicott Guardian
• Head of Information Governance
• Data Protection Officer
• Information Security Manager
“Between You and Me…”

The Issues: the key message!

Information Security (like Health & Safety) is everyone's responsibility!

This means you!
What can you do?

• Adhere to trust policies
• Apply access controls
• Secure trust assets
• Report incidents
• Review personal practice
Adhere to Trust Information Security Policies

• Specify Trust responsibilities
• Have Senior Management support
• Provide frameworks of standards and procedures
• Incident procedures
• Email
• Internet use
Apply physical access controls

• Challenge inappropriate behaviour
• Prevent misuse of data and software
• Stop unauthorised access
• Document authorisation
• Protect your password
Access Controls for the NHS Care Records Service

NHS Connecting for Health are using Role Based Access Control based on Smart Cards and Pseudonymisation.
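The slide names three mechanisms (roles, smart card sessions, pseudonymisation) without showing how they combine to limit what each user sees. The Python model below is an added example written for this page; it is not NHS Connecting for Health's design or code. The role table, the record fields, the placeholder NHS number, the HMAC key and the audit tuple layout are all constructed assumptions.

```python
# Added illustration of role based access control with a smart card
# session check and keyed pseudonymisation for secondary use.
# Toy model (assumption: not the NHS Care Records Service design);
# roles, permissions, the sample record and the key are constructed here.
import hashlib
import hmac
from dataclasses import dataclass

# Constructed role -> permitted action table (assumption, not NHS policy).
ROLE_PERMISSIONS = {
    "clinician": {"read_demographics", "read_clinical", "write_clinical"},
    "receptionist": {"read_demographics"},
    "researcher": {"read_pseudonymised"},
}

# Constructed pseudonymisation key. In a real deployment it lives in a
# key store and is never shipped alongside the pseudonymised data set.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-real-use"


@dataclass(frozen=True)
class SmartCardSession:
    """What the system knows once a smart card has been authenticated."""
    user_id: str
    role: str
    card_present: bool  # the session ends when the card is removed


@dataclass
class PatientRecord:
    nhs_number: str   # identifier; the value used below is a placeholder
    name: str
    diagnosis: str


class AccessDenied(Exception):
    pass


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: stable enough to link records for secondary use,
    but not reversible from a precomputed table without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def view_record(session: SmartCardSession, record: PatientRecord,
                audit: list, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return only the fields the session's role may see and log the outcome.
    Raises AccessDenied when no card is present or the role sees nothing."""
    if not session.card_present:
        audit.append((session.user_id, session.role, "denied: no smart card"))
        raise AccessDenied("smart card not present")

    perms = ROLE_PERMISSIONS.get(session.role, set())
    view = {}
    if "read_demographics" in perms:
        view["nhs_number"] = record.nhs_number
        view["name"] = record.name
    if "read_clinical" in perms:
        view["diagnosis"] = record.diagnosis
    # Secondary-use roles get clinical content keyed by a pseudonym only,
    # never the direct identifiers.
    if "read_pseudonymised" in perms and "read_demographics" not in perms:
        view["pseudonym"] = pseudonymise(record.nhs_number, key)
        view["diagnosis"] = record.diagnosis

    if not view:
        audit.append((session.user_id, session.role, "denied: no permitted fields"))
        raise AccessDenied(f"role {session.role!r} has no access to this record")
    audit.append((session.user_id, session.role, "ok: " + ",".join(sorted(view))))
    return view


def demo() -> list:
    """Run three roles plus a card-absent attempt against one constructed record."""
    record = PatientRecord("0000000000", "A. Patient", "constructed diagnosis")
    audit = []
    for session in (SmartCardSession("u1", "clinician", True),
                    SmartCardSession("u2", "receptionist", True),
                    SmartCardSession("u3", "researcher", True),
                    SmartCardSession("u1", "clinician", False)):
        try:
            view_record(session, record, audit)
        except AccessDenied:
            pass
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Every decision, allowed or denied, lands in the audit list, which is what makes "document authorisation" and "report incidents" from the later slides possible: a receptionist session that keeps requesting clinical fields, or repeated attempts with no card present, shows up there rather than silently failing.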
Secure trust assets

• Site them carefully
• Lock them away when unattended
• Protect off-site equipment
• Dispose of them properly
Hot off the Press!

The Information Commissioner announced on 15th November 2007 a new criminal offence: “knowingly or recklessly flouting Data Protection principles”.

The Information Commissioner said: “If a doctor or hospital employee leaves a laptop containing patient records in his car and it is stolen, that is gross negligence”.
Report incidents

Report any event which has resulted, or could result, in:
• Disclosure of personal data
• Password infringements
• Virus infections
• Access to offensive web sites
Sources of Information

• Department of Health: www.dh.gov.uk
• NHS Connecting for Health: www.connectingforhealth.nhs.uk
• Information Commissioner: www.informationcommissioner.gov.uk
Questions and Answers

								