The information we handle
What’s the point of information governance? This was a question overheard on the rush hour train from Preston to London on 1 October 2014. This is actually a good starting question.
As an information security professional within the NHS, the first thing I noticed when I started the job of head of information governance was that information governance within the NHS always seemed to be perceived as an obstacle. My fellow passenger certainly seemed to consider it so, but why? Information governance as a concept was introduced into the NHS by the Department of Health in 2003. Its basis was a statutory administrative return based around a performance assessment tool with supporting guidance and training. So what, in the NHS, is information governance?
The Health and Social Care Information Centre (HSCIC) supplies this current definition: “Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information.” Information governance includes all aspects of information legislation, information statutes and principles, records management, IT security and information security.
The six original Caldicott Principles instruct: don’t use patient-identifiable information unless it is necessary; use the minimum necessary patient-identifiable information; access to patient-identifiable information should be on a strict need-to-know basis; everyone with access to patient-identifiable information should be aware of their responsibilities; understand and comply with the law.
And the three principles of information security are confidentiality, integrity and availability.
Keeping it simple
The scale of information governance is a lot to handle for an information security professional, never mind a busy doctor, nurse, domestic or carer. Can this all be simplified and made into one clear message that is relevant to NHS staff? For the last 18 months I have been asking two simple questions to groups of clinicians, administrators, ancillary staff, managers and NHS senior staff.
Firstly, what is information governance? Staff generally answer this question as: “It is about keeping information secure, not losing or revealing it inappropriately.” This response shows that 11 years of information governance training and communication has raised awareness about confidentiality.
And secondly, what is information? Now this question had a much more interesting response. A large number of blank faces, occasionally “It’s your clinical record”, and on just two occasions, “it’s everything”, which is not wrong. Information is like gravity: it is all around you, it affects absolutely everything you do, and it is only really noticed when sensitive information is released inappropriately, when critical information is inaccurate, leading to a serious incident, or when relevant information is not available when required. If individuals don’t know what information is, how can information professionals be confident that we are governing it appropriately? At this point do we, as information professionals, care? After all, people seem to understand confidentiality.
Care is a good word
As a noun it is the fundamental basis of the patient-based work carried out by the NHS, and it is fundamental to the appropriate governance of information. If you return to the three information security principles, information governance seems to have successfully covered confidentiality. However, the principles of integrity and availability have thus far not been commented on. Within my organisation, integrity is handled through a dedicated data quality work stream, with regular information governance involvement as a stakeholder. Our data quality work stream has been running for over twenty years, and it significantly predates the IG toolkit.
However, what about availability? Where an individual service requires information that is not passed to them, they simply collect it again by asking the patient, or phoning the GP, or the care home. This does produce data duplication but it does facilitate patient care in spite of the administrative overhead. But when care moves out of individual organisations, we have all witnessed incidents where appropriate information is not supplied. This failure to share information with appropriately authorised individuals has led to very serious adverse patient incidents. So why don’t we share information? I have asked the question, and received a selection of answers: the information is in a paper-based system and we do not have the resources to duplicate it; we do not have the technical ability to share electronic information or the resources to implement new technology; it is not cost effective to implement an electronic solution; information governance says that we can’t.
The final answer also answers our starting question – ‘information governance says that we can’t’ – it does not matter if this answer has been provided by a professional or has been assumed by a member of staff in the name of ‘confidentiality’. Information governance has effectively become an obstacle, potentially a toxic brand. So can one turn the governance agenda from security and confidentiality to a basis of information being shared appropriately? Do we have the vision to facilitate the delivery of better, more economically sound patient care whilst ensuring appropriate, efficient information controls? The Wrightington, Wigan and Leigh Information Governance Service made a start at the recent ‘Think Information Day’ held at the Trust’s Education Centre in Wigan. The term ‘Information Governance’ was mentioned only twice. People were encouraged to think where the organisation is with regard to its current information, how things will change with the introduction of electronic information systems in the future and how this impacts on patient care across a wider health economy where the Trust must share patient information with partner organisations. Staff were encouraged to think about how they use information, and how the information they handle affects the operation of the organisation and the care of their patients. We were proud to announce a Wigan Borough information‑sharing programme under the “Share to Care” branding, which will start with appropriate legal protection and build information sharing on what will be a secure digital platform.
The information you handle
Sharing information to facilitate care is vital for the future of the NHS as a whole. So, if information governance is to be effective going forwards, should we consider moving away from pressing the message of security and confidentiality? Instead, should we encourage people to consider the information they handle, the impact the information has on the organisation and our ability to revolutionise patient care by providing the right information to the right person at the right time? By making care the driving terminology, can we better engage with those people who do not recognise information for what it is and who may not perceive information governance in a positive light? We could start by updating the information governance definition: information governance ensures the appropriate use and sharing of clinical and personal identifiable information with appropriate safeguards.
We could rearrange the three information security principles: availability, integrity and confidentiality. In doing this, information governance becomes a facilitator rather than a restrictor. We do not have to, in any way, abandon our principles of confidentiality and integrity; instead we prioritise principles, assess the requirements and offer solutions that will ensure appropriate, auditable information sharing. Finally, we could re-publicise the recent 7th Caldicott Principle: that the duty to share information can be as important as the duty to protect patient confidentiality.
Now we can start asking two new staff questions:
As a member of staff, do you have easy access to appropriate, accurate information to allow you to perform your job?
When you have finished your job and the on-going tasks have become the responsibility of the next service or person in the chain of care, do they have the information they need to carry out their job?
Health and Care organisations need to care about information as much as we do about patients. Through a slight alteration to definitions and a simple re-prioritisation of principles we can build a governance structure that will be able to provide confidence to everybody about the state of health information for the foreseeable future.