Last reviewed 29 August 2017
The Department of Health (DH) and its partner organisations state that they are committed to ensuring health and social care systems in England share information in a safe, legal way aligned with existing Caldicott principles and that IT security standards are safeguarded against further cyberattacks. Deborah Bellamy, Primary Care Business Manager, investigates.
This was reinforced by Dame Fiona Caldicott, the National Data Guardian (NDG) for Health and Care, in her Review of Data Security, Consent and Opt-Outs (2016), and by the subsequent public consultation: Care Quality Commission’s Review: Safe Data, Safe Care.
Your Data: Better Security, Better Choice, Better Care (July 2017) is the Government’s response to both documents and pledges to implement the recommendations outlined and provide patients and the public with increased access to and control over personal data.
Forming part of the Government strategy to protect patient data and strengthen against further cyberattacks, investment in data and cyber security will be increased to over £50 million, and include a new £21 million capital fund for major trauma centres.
Review of data security, consent and opt-outs
The NDG’s review of data sharing and security in the health and social care system and subsequent report: Review of Data Security, Consent and Opt-Outs addressed issues around data sharing and considered two key aspects:
whether IT systems used by health and social care services to deliver care and share information are secure and sufficiently robust to security risks
how people can be better informed about the basis upon which their information may appropriately be shared.
New national data security standards were recommended to reinforce the resilience of the health and social care system and to provide people with the choice to opt out of their information being used for reasons beyond direct care. This has been incorporated into the CQC’s Safe Data, Safe Care.
The NDG’s position will become a statutory requirement, with greater sanctions introduced by May 2018 that are likely to include harsh penalties for negligent or deliberate re-identification of individuals.
The NDG’s review concluded that risks to essential systems used to deliver care or the loss of personal data undermined public trust. Data security incidents such as the much publicised WannaCry global ransomware attack in May 2017 raised awareness of the potential for cyberattacks to disrupt service delivery.
It became clear that while the NHS could protect essential services, it also needs stronger data security measures and standards to be implemented to enable greater resilience against data and cyber threats.
Learning from the May 2017 ransomware attack
This cyberattack reiterated the potential for further cyber incidents to impact directly on patient care and the need for our health and care system to act decisively to minimise the effect on essential front-line services.
To mitigate immediate risks, NHS Digital is supporting local organisations by:
broadcasting alerts about cyber threats
providing a hotline for dealing with incidents
sharing best practice across the health and care system
carrying out on-site assessments.
Work is ongoing to ascertain a cost-effective and speedy way to support the NHS to move from unsupported operating systems, including Windows XP.
The Chief Information Officer (CIO) of the health and social care system has commenced a review, due in October 2017, which will outline further actions considered necessary.
To date, learning outcomes from the recent incident include the following.
Organisations must implement critical Care Computer Emergency Response Team (CareCERT) alerts, including software patches, and maintain up-to-date anti-virus software. NHS England and NHS Improvement are ensuring critical CareCERT alerts are followed up within 48 hours to confirm that local organisations have implemented essential measures, starting with major trauma units and ambulance trusts, with further roll-out planned for summer 2017.
Organisations need to identify and prioritise action to move away from or isolate unsupported systems with a goal to have achieved this by April 2018.
Organisations should ensure boards and staff take cyber threats seriously and work proactively for optimum resilience and to minimise impact on patient care.
The National Data Guardian’s 10 data security standards
The 10 Leadership Obligations outlined in the NDG’s standards need to be fulfilled to comply with the existing Caldicott principles. They include the following.
Organisations must proactively prevent data security breaches and respond appropriately to incidents or near misses with regular reviews of processes at least annually.
Individual staff need to be aware of their responsibilities and ensure new training requirements are fulfilled.
Significant cyberattacks must be reported to CareCERT immediately and a continuity plan devised to include significant data breaches or near misses, which is tested annually and reported to senior management.
Technology should be secure and up to date with no unsupported operating systems, software or internet browsers.
A strategy will need to be in place for protecting IT systems which should be reviewed annually.
IT suppliers will be held accountable through contracts for protecting data and required to meet NDG’s data security standards.
The National Data Guardian’s eight-point model
The NDG’s recommendations for giving people the choice to opt out of their information being used for purposes beyond their direct care are incorporated into Your Data: Better Security, Better Choice, Better Care. This confirms patients are to be protected by law and that confidential information will only be used where allowed by law and never without consent for marketing or insurance purposes.
Health professionals delivering care need relevant information, but patients may request certain information is not disclosed to others involved in providing care.
Patients have the right to opt out which covers:
personal confidential information being used to provide local services and run the NHS and social care system
personal confidential information being used to support research and improve treatment and care.
The opt out will not apply to anonymised information under the Information Commissioner’s Office (ICO) Code of Practice. By using anonymised data, NHS managers and researchers will be less likely to use people’s personal confidential information and will have fewer justifications for doing so.
Arrangements will continue to cover exceptional circumstances whereby there is a mandatory legal requirement or an overriding public interest to share data.
Outcomes of the CQC consultation made it clear that individual organisations did not feel they had the data and cyber security expertise to make informed decisions about improving their cyber security or to respond appropriately to incidents. It was concluded that lack of expertise needs to be addressed and consideration given on how to increase the availability of such expertise.
Providing support to organisations will be delivered through NHS Digital’s CareCERT service. CareCERT actively monitors health and care networks to analyse threats and broadcasts alerts to support those running health and care IT systems to defend against the latest risks.
The role of the CQC
Data security will form part of the CQC’s assessment of NHS Trusts from September 2017, followed by GPs and adult social care providers in November 2017. The CQC’s inspection framework will need further development which is anticipated by April 2018.
Specific assessment of data and cyber security measures will be undertaken through other assurance frameworks, including the redesigned Information Governance (IG) Toolkit and the wider CareCERT suite of tools.
Information Governance Toolkit
A redesigned IG Toolkit is being developed which should be available in April 2018. This will measure the degree to which individual organisations have embedded the data security standards and used them as part of a scorecard to assess “cyber capability”. It will also provide a national picture of data security across the health and social care system and intelligence for independent assurance processes.
The implementation plan focuses on ensuring organisations are implementing essential security requirements and that local boards and their staff are taking the cyber threat seriously, understanding the direct risks to front-line services and are working proactively to maximise their resilience and minimise impacts on patient care.
There is an ambitious timetable outlined for the next few years which includes that by:
summer 2017, NHS Improvement will publish a new “statement of requirements” which will clarify required action for local organisations, including a requirement for each organisation to have a named executive board member responsible for data and cyber security
December 2018, people will be able to access a digital service to help them understand who has accessed their summary care record
September 2019, NHS Digital will develop and implement a mechanism to de-identify data on collection from GP practices
March 2020, people will be able to use online services to see how their personal confidential data collected by NHS Digital has been used for purposes other than their direct care.
NHS Digital is working with Health Education England (HEE) to develop a staff training package designed to support staff across health and social care to understand their responsibilities for maintaining and sharing data securely and adhering to the legal framework.
One of the 10 data security standards will require staff to complete appropriate annual data security training and pass a mandatory test which is provided through the redesigned IG Toolkit.
NHS England and NHS Digital plan to engage with professionals and patients to develop communications and guidance to support professionals, practitioners and front-line staff in implementing the national opt outs. A full timetable of the implementation plan is available, as is further detail, on the DH website or in Your Data: Better Security, Better Choice, Better Care (July 2017).