Western Sussex Hospitals NHS Foundation Trust
The Challenging and Changing Face of NHS Information Governance
Andrew Harvey, Information Governance Lead, Western Sussex Hospitals NHS FT
Chair, Sussex-Wide Information Governance Group
IRMS Conference, The Metropole Hotel, Brighton, 17 May 2016
Introduction…
•Achieving an acceptable definition
•The macro environment – now and in the future
•The micro environment
•Somewhere in between
•Prioritising the top 2
•Methodology
•About me
PART 1: Achieving a Definition
Existing definitions (1/2)…
“Allows organisations and individuals to ensure that personal information is handled legally, securely, efficiently and effectively, in order to deliver the best possible care. It additionally enables organisations to put in place procedures and processes for their corporate information that support the efficient location and retrieval of corporate records where and when needed, in particular to meet requests for information and assist compliance with Corporate Governance standards.”
Health and Social Care Staff Members: What You Should Know About Information Governance, NHS Connecting for Health (2008)
Existing definitions (2/2)…
“The management discipline that exploits an organisation’s data whilst associated risks and costs are minimised.”
David Stone, former Head of Information Governance, NHS South East CSU (2014)
“[P]reservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.”
ISO 27000 (2009), Information Technology - Security Techniques - Information Security Management Systems
Getting an acceptable definition…
“Ensuring that the Trust and its staff have a person-centred approach to managing the personal and sensitive information of its patients and staff, treating it and the organisation’s corporate information in a similar manner to which they would expect their own Medical Records or banking information to be treated.”
Andrew Harvey 02/2015, Western Sussex Hospitals FT’s Information Governance Mission Statement
•No technobabble
•No jargon
•No negativity
•Understandable to staff
•Patient-centred
Getting an acceptable definition…
“An enabling discipline to ensure that the Trust and its staff have a person-centred approach to managing the personal and sensitive information of its patients and staff, treating it and the organisation’s corporate information in a similar manner to which they would expect their own Medical Records or banking information to be treated.”
•No technobabble
•No jargon
•No negativity
•Understandable to staff
•Patient-centred
PART 2: The Macro Environment
The Macro environment 2013-16 (1/4)…
Despite IG safeguards in place, “The history of the past 15 years does not inspire confidence”.
Dr Paul Hodgkin, CEO, Patient Opinion
[Source: The Guardian, 10/04/2014]
“The presumption we had a few years ago [that we have consent to] share data can no longer be presumed upon. We have to earn that trust again. We shouldn’t underestimate the concerns both from extremely vocal groups and the public as a whole.”
Kingsley Manning, Chair, HSCIC
[Source: e-Health Insider, 25/06/2014]
The Macro environment 2013-16 (2/4)…
Legislation (1/2): Health & Social Care Act 2012, disallowing CCGs to access PCD for commissioning purposes: DSCRO, ASH, CEfF
[Source: www.legislation.gov.uk]
Legislation (2/2): Health & Social Care (Safety & Quality) Act 2015:
•Single identifier (NHS #)
•Statutory basis for new Caldicott principle: “The duty to share information can be as important as the duty to protect patient confidentiality”
[Source: www.legislation.gov.uk]
Delayed guidance: e.g. Caldicott 3 Report on NHS InfoSec and Data Sharing stalled by EU referendum
[Source: Digital Health Website, 20/04/2016]
The Macro environment 2013-16 (3/4)…
Compulsory ICO DP audits: From 02/2015, aimed at cutting number of breaches; intended as collaborative / voluntary, but…
[Source: V3 website, 02/02/2015]
Poor programme management and PR: e.g. IIGOP advising Care.Data not fit-for-purpose but NHS England going ahead, wasting £1m
[Source: Computing website, 07/01/2015]
(Care.Data: programme to combine data from GPs and hospitals to identify areas where more work or investment might be needed.)
Process issues, e.g. 11/2014, HSCIC reviewing processes for releasing en masse non-clinical data to police: 2.7k releases in financial year 2013-14
[Source: e-Health Insider, 09/12/2014]
Outsourcing, e.g. 06/2013 Birmingham-based Diagnostic Health knowingly breaching basic IG rules: password sharing, not encrypting, use of Google Drive
[Source: BBC News website, 16/06/2014]
The Macro environment 2013-16 (4/4)…
Leaking data: NHS England-approved apps flout privacy standards
[Source: BBC News website, 25/09/2015]
More lack of consistency:
•NHS England moving Medical Records without consent
•ICO advising not sharing when needed is a breach
[Sources: BBC News website, 04/09/2015; Digital Health website, 15/10/2015]
Lack of consistency, e.g. ICO fines 2 HIV clinic email breaches differently: £250 v £180k
[Sources: Computing website, 21/12/2015; BBC News website, 09/05/2016]
Not all challenges: Positives for IT:
•Carter: Meaningful use
•Government promises >£4bn over 5 years
[Sources: Digital Health website, 08/02/2016 and 09/02/2016]
A big Macro problem: conflict re DoH push for digitalisation…
CareCERT, new HSCIC cyber security service from 01/2016
[Source: Digital Health website, 03/09/2015]
Push for digitalisation, e.g. The Power of Information strategy, 05/2012
[Source: www.gov.uk]
02/2015, Dawn Monaghan, former ICO Public Sector Group Manager: cyber attacks and ID theft will increase as more patient data goes online
[Source: V3 website, 10/02/2015]
NHS England promises full records access by 2018 – GPs largely achieved it with DCR by 03/2016
[Sources: Digital Health website, 17/06/2015 and 22/03/2016]
Patients able to add data from wearable devices, e.g. Fitbit, to their electronic patient record by 2018
[Source: Digital Health website, 24/06/2015]
The Macro environment: unhelpful publicity…
Secretary of State for Health, Jeremy Hunt, publishes photo on Twitter including patients’ names
[Source: The Telegraph, 18/07/2015]
Unfortunate (or deliberate?) timing: HSCIC receives ICO Undertaking for failing to comply with patient opt outs… same day it changes name to ‘NHS Digital’
[Sources: ICO Website, 20/04/2016; www.gov.uk Website, 20/04/2016]
The Macro environment looking forward: GDPR
•Content agreed
•2 year run in to 05/2018
•13 changes impacting NHS
[Sources: ICO 12 Steps (2016); PDP Compliance (05/04/2016); Dilys Jones Associates Ltd (18/01/2016) and Silicon Republic (04/04/2016)]
1. Accountability to the DP principles
2. Consent
3. Data breaches
4. Data portability
5. Data processors
6. DP by design
7. DP Officer
8. Erasure of information
9. Higher fines
10. Information asset management
11. Privacy notices
12. Sensitive personal data
13. Subject access
2. Consent
•Stronger rights to delete
•Freely given, informed
•Not implied
•Verifying ages of children
•Joined up work: IG and clinical
4. Data Portability
•Transferring data between services
•Recognisable format
•Joined up work: IG and IT
5. Data Processors
•Notifying DCs of breaches
•Will it happen?
•Write into contracts
•Joined up work: IG, Contracting and Procurement
8. Erasure of information
•Totally clear what it means?
•What can we delete?
•Records Management CoP
•Technicalities
•Joined up work: IG and IT
9. Higher fines
•2 tiers
•Highest up to €20m / 4% of previous year’s turnover – Trust of £400m = £16m!
•Review IG Toolkit controls and undertake gap analysis
13. Subject access
•Shorter response times
•Free – no backfill
•Possibility to refuse
•Cost benefit analysis of accessing Medical Records online – promoted anyway
•Clarification for NHS needed: ICO, HSCIC, IGA, NDG
•Huge amounts of work!
•DPIA should be happening – Cabinet Office
•Positive: creating more joined up working!
•My mortgage keeps getting paid!
PART 3: The Micro Environment
Overview of the Micro environment…
Big Brother Watch, 2014
2011-2014: 7,255 NHS incidents.
•3.46% (251) = inappropriate sharing with third party
•3.25% (236) = data shared by email, letter or fax
•1.42% (103) = lost or stolen
•0.69% (50) = social media
[Source: BBC News website, 14/11/2014]
www.cable.co.uk FOI, 2014
2013-14 financial year: 701 NHS incidents
•21% (147) = erroneous disclosure
•20% (137) = theft / loss
•12% (83) = posted or faxed to wrong person
[Source: Wired website, 25/11/2014]
Increase in Data Security Concerns
Healthcare highest industry for data security breaches:
•Criminal attacks ↑ 125% since 2010
•734 breaches in 2014
•ICO 517 healthcare investigations in 2015
[Source: Information Age website, 20/01/2016]
Sophos Study, c.2015
250 NHS employed senior IT professionals:
•76% cybercrime protection good
•72% data loss is biggest concern
•10% encryption well established
•42% use of mobile devices ↑
[Source: Information Age website, 22/01/2016]
Problems within the Micro environment…
Lack of knowledge, e.g. British Pregnancy Advisory Service 03/2012: £200k fine for hacker threatening to leak 10k patients’ PCD
[Source: BBC News website, 07/03/2014]
Carelessness, e.g. Chelsea & Westminster NHS Trust (56 Dean Street) 09/2015: sending email to 800 users of HIV services: £180k fine
[Sources: Sky News website, 02/09/2015; BBC News website, 09/05/2016]
Process issues, e.g. Blackpool Teaching Hospitals not checking details published on website, 03/2014: £185k fine
[Source: Digital Health Website, 05/05/2016]
Accidents, e.g. Brighton & Sussex University Hospitals Trust, 09/2015: ward handover sheet of 37 patients found in street
[Source: The Argus, 30/09/2015]
Malicious intent, e.g. former Medical Centre Director accessing colleagues’ and family Medical Records, c. 2015: £435 (!) fine
[Source: ICO Website, 10/12/2015]
Bizarre decisions, e.g.
•Pharmacy2U selling data
•Royal Free Trust sharing with Google
[Sources: The Independent, 20/10/2015; BBC News Website, 03/05/2016; Business Insider Website, 12/05/2016]
PART 4: ‘The Inbetweener’
A Replete IG Toolkit Concern…
PART 5: Conclusions
The Top Challenges…
Macro: Lack of central coordination, resulting in wasted finances and a poor reputation for the IG discipline
Locally: Listen to and research the best advice that is available on any situation at any given time and apply best practice compassionately
Micro: Accidental breaches and carelessness: PEOPLE
Locally: Ensuring an effective training, awareness and assurance programme, using IG and the IGT in the best possible way – not just ‘tick boxing’
Summary…
•Achieving an acceptable definition
•The macro environment – now and in the future
•The micro environment
•Somewhere in between
•Prioritising the top 2