Building trust in healthcare information
The government has issued its response to the third Caldicott report. Highland Marketing’s Lyn Whitfield looks over the report and the response with Dr Alan Hassey, a member of the National Data Guardian panel, ahead of his appearance at this year’s UK Health Show.
Talk about data use or data security in the NHS and one topic invariably comes up: care.data. The project, launched the best part of five years ago, set out to expand the Hospital Episode Statistics and combine them with new data sets, starting with GP data. The idea was to create a resource within the ‘secure safe haven’ of the Health and Social Care Information Centre (now NHS Digital) that would be available to ‘researchers and others’.
Unfortunately, the idea went down badly with privacy campaigners and medics, who worried that the information could be sold to private companies, and that the public was not being told enough about the proposals to give informed consent to them. Alan Hassey, a retired GP who sits on the National Data Guardian panel, says there is no doubt that the episode was a ‘low point’ in attempts to make use of the ‘fantastic resource’ of health data.
The three Caldicott reports
As it became clear that care.data could not proceed, Health Secretary Jeremy Hunt asked Dame Fiona Caldicott, the National Data Guardian, to conduct a review of information governance and security in the NHS. Dame Fiona had already conducted two similar reviews. The first, in 1997, was launched as the NHS started to use information technology, and led to the introduction of Caldicott Guardians at NHS organisations to protect and advise on the use of patient information. The second, in 2013, revisited the earlier report and updated the six Caldicott Principles that it had also introduced for handling identifiable patient information. Importantly, it added a seventh principle: that the duty to share information was sometimes as important as the duty to protect patient confidentiality.
In her third Review of Data Security, Consent and Opt-Outs, published last year, Dame Fiona says it is ‘frustrating’ that this has led to ‘little positive change’ in the amount of legitimate information sharing that is going on across health and social care. However, she also says that there is now ‘a very significant opportunity to improve the use of data in people’s interests’ while also improving ‘transparency for the public about when their data will be used and when they can opt out of such usage’.
Dr Hassey, who will be talking about Caldicott at the UK Health Show in September, says the theme underlying all of Dame Fiona’s work has been this issue of building trust in how personal, sensitive information is being used.
He says: “We know that people want their records to be available to professionals at the point of care, but we also know they want to exercise some control over how their data is used beyond direct care. With the development of new areas of research, and genomics, and artificial intelligence, there are fantastic opportunities in the use of data; but Dame Fiona’s conviction is that we need to take the public and patients with us.”
Data security standards and cyber steps
The government published its response to Caldicott 3 in July. At the same time, it accepted the findings of a Care Quality Commission report on data security that was published last summer, but given new impetus by the WannaCry ransomware attack that hit the NHS in May.
In effect, therefore, the response falls into three parts. The first agrees to ‘adopt’ ten data security standards set out in Caldicott 3, and to take positive steps to ‘promote’ them in the NHS. NHS Improvement will publish a Statement of Requirements this summer that will clarify the action that organisations need to take.
However, the response says they will include making a named member of the board responsible for data and cyber security and drawing up an annual Statement of Resilience to confirm that the standards are being implemented. In addition, the Care Quality Commission will build compliance with the standards into its new inspection regime, there will be a new Information Governance Toolkit, and new training programmes for staff.
The second part of the response deals with cyber security. It says £21 million of capital funding will be spent to ‘increase the cyber resilience of major trauma centres’ and another £50 million will be spent on ‘addressing structural weaknesses’ such as the widespread use of out of date IT systems in the NHS. It also flags up further investment in NHS Digital’s CareCERT service, which is responsible for sending out alerts about major threats and issuing advice to health and social care organisations.
WannaCry: reasons to be cheerful?
Dr Hassey, whose presentation at the UK Health Show will focus on the role of the ten national data security standards in building public trust, says the WannaCry attack has made the response ‘timely’; and he is confident that it will be acted on.
He says: “If there is something good to come out of the attack, it is that the NHS had the chance to test itself in a situation that had not been war-gamed, and to learn the lessons from that. We know there are a number of reviews going on, and they will come up with checklists of things for organisations to do – and not do – next time. But the most important thing, and the thing that the government response recognises, is that this has to be owned ‘at the top of the house’. This has to be a board-level responsibility.”
Anonymised data: out of the opt-out
The third part of the government’s response deals with the bigger and more contentious part of Caldicott 3: how to make sure that the public and patients are both informed about what is happening to their health data, and how to make sure they have some control over it.
Dame Fiona’s Review of Data Security, Consent and Opt-outs discusses this in the context of both identifiable information and information that has been anonymised or, strictly, de-identified (that is, it has had some elements removed or changed so that what remains cannot be linked to an individual). Some critics of the care.data scheme objected to anonymised data being included, on the grounds that this is still patient data and that it is possible to re-identify it in some circumstances.
Dame Fiona argues, though, that this kind of data is so important to the NHS and to researchers that it should not be covered by her new opt-out rules. However, her report also argued there should be tough new penalties for ‘the deliberate and negligent re-identification of individuals’.
The government’s response accepts this. However, to address some of the concerns that GPs raised about care.data, it says ‘NHS Digital will develop and implement a mechanism to de-identify data on collection from GP practices’ – instead of doing this within the NHS Digital ‘safe haven’.
Identifiable data: new rules will apply
Dr Hassey admits that, as a former GP, this move is close to his heart: “GPs are in a different position, both because they are data controllers in their own right, and because they have the interests of their patients very much to heart. So I can completely understand where GPs are coming from.”
When it comes to patient identifiable data, Dame Fiona’s report says there should be a new, national opt-out model that gives people the chance to opt out of their information being used for research and/or for activities to run and regulate the health service. Again, the government’s response accepts this. It also promises that ‘people will be able to access a digital service’ to see who has accessed their NHS Summary Care Record from December next year, and how other services are using their data from March 2020.
A cautious welcome
Dame Fiona’s latest proposals, and the government’s response, have been given a cautious welcome by privacy and medical groups. A group of charities that argued strongly in favour of care.data, because of its potential benefit to research, issued a letter saying: “Now the hard work can begin, to address the detailed questions needed for effective implementation.”
MedConfidential, which led the privacy charge against care.data, issued a statement saying: “We welcome the clear commitment that patients will know how their medical records have been used, both for direct care and beyond. Some of the details remain to be worked out, but… it is now up to NHS England and NHS Digital to deliver.”
Interestingly, Dr Hassey feels much the same: the government’s response is good, but ‘the devil in terms of the opt-out will be in the detail of exactly what it will look like’. Specifically, he wonders how people will be informed about where their data is going, since there is plenty of evidence that public understanding of even big and important data stores, such as the cancer registries, is limited at the moment.
He also wonders how this information will be presented, given that public consultations and citizens’ juries have shown that people are reluctant to give their information to companies until they are shown that it will be used for public benefit.
A journey, not a destination
So, is information governance and data security in a better place than it was two years ago? Dr Hassey thinks it is, because ‘we have a government that knows this is important’ and lots of organisations are on board with the idea that ‘the lessons of care.data have to be learned’. However, there is still work to be done, and some of it won’t be easy.
He asks: “We need to take people with us: but how do you have a conversation with 65 million people? What are their expectations, do the public and patients think the same, how does their knowledge of IT affect their views? The opt-out is a journey, not a destination. In some ways, that journey has only just begun.”
Dr Alan Hassey was a GP in Skipton in North Yorkshire until June 2013. He advises a number of NHS and industry bodies on information governance and security issues, and is a member of Dame Fiona Caldicott’s National Data Guardian panel.
The UK Health Show, taking place on 27 September at Olympia, London, brings together senior healthcare professionals and decision makers to help the NHS and the wider sector promote and improve service delivery for better healthcare outcomes across the UK.
Over 4,000 delegates will come together to network with peers, engage with suppliers and learn from best practice case studies across four focused show areas: Technology, Commissioning, Procurement and Cyber Security.
Seven Caldicott Principles:
The original Caldicott Principles say: personal confidential information should not be used unless ‘absolutely necessary’; that if it is used, its use should be ‘justified’; and even then, only the ‘minimum necessary’ should be used.
Also, that: access should be on a ‘need to know basis’; everybody who has access should be aware of their responsibilities; and they should comply with the law.
The seventh principle, added in 2013, says: “The duty to share information can be as important as the duty to protect patient confidentiality.”
Ten data security standards:
People: The first three data security standards say: staff should make sure that personal confidential information is handled correctly; that they should understand their obligations; and that they should have appropriate training.
Leadership: The next four standards say: personal confidential information should only be accessible to people who really need it; that security processes should be tested annually; that cyber threats should be identified and addressed; and that plans should be in place for if things go wrong.
Technology: The last three standards say: no unsupported systems, software or internet browsers should be in use in the NHS; that there should be a strategy to protect systems from cyber attacks; and that suppliers should follow these standards.