Information Security and Confidentiality in Healthcare November 2007
Introductions
Colin Nolder
• Business Consultant, Lloyd-Nolder Associates
• Chair, IST/35 UK Mirror Panel, Information Security
• DTI/BSI Principal Expert, UK Information Security
• European CEN/TC251 Convenor for Information Security
The Programme
• The background to information security and confidentiality
• What is it?
• Why is it needed?
• Why is it important now?
• Who’s taking the lead?
• What can you do?
Health Warning
The NHS will spend approximately £10.4 billion in 2007-8 on collecting, processing and disseminating information. However, when it comes to information security the NHS has, in the past, fared worst of all business sectors for taking it seriously. Some NHS organisations could even be breaking the law because they are not compliant.
What is Information Security?
• Confidentiality
• Integrity
• Availability
Confidentiality?
• “Information access is confined to those with a specified need and authority to read and/or change the information.”
Integrity?
• “Information accuracy and completeness is safeguarded.”
Availability?
• “Information is available to authorised users, when and where required.”
Why is information security needed? (1)
• Legislation
• NHS Policy
• Professional Codes of Practice
• Standards
• Information Governance Toolkit
• Data Sharing
• Incidents
Legislation
• Over 100 Acts of Parliament, Statutory Instruments, Regulations, Orders in Council
• More than 20 EU Treaty Articles, Directives, Decisions, Proposals
• 8 other international agreements and conventions (Council of Europe, UN, WHO)
Legislation
• Computer Misuse Act (1990)
• Data Protection Act (1998)
• Human Rights Act (1998)
• Crime and Disorder Act (1998)
• Electronic Communications Act (2000)
• Freedom of Information Act (2000)
• RIP Act (2000)
• Health & Social Care Act (2001)
• Civil Contingencies Act (2004)
• Common Law
Freedom of Information Act (2000)
• Since 1st January 2005 an individual has:
  - The right to be told whether the information exists.
  - The right to receive the information.
• Puts a legal requirement on NHS organisations to publish and share information.
The NHS Plan
“The NHS will respect the confidentiality of individual patients and provide open access to information about services, treatment and performance”
[Diagram] Clinical Governance · Corporate Governance · Information Security and Confidentiality · Legislation · Standards · Policy & Guidance
[Slide images] Clinical governance: The Caldicott Committee, Report on the Review of Patient-Identifiable Information (December 1997). Corporate governance: Data Protection Act 1998, Chapter 29.
Policy and Guidance
• Caldicott Report
• Standards for Better Health
• Information Governance Toolkit
• NHS Confidentiality Code of Practice
• NHS Consent Policy
• Guidance on Use and Disclosure
• Trust Policies
Codes of Professional Practice
• GMC Duties of a Doctor
• GMC Confidentiality: Protecting and Providing Information, www.gmc-uk.org/guidance/library
• BMA Guidance on Confidentiality and Disclosure of Health Information, www.bma.org.uk/ap.nsf/content/confidentiality
• MRC Personal Information in Medical Research, www.mrc.ac.uk/pdf-pimr.pdf
Standards
• BS7799 (ISO 27002) Information Security Management
• Healthcare Commission: Standards for Better Health
• NHS Information Governance Toolkit
• NHS Information Standards Board (ISB) Approved Standards
• CEN TC251 Standards
• ISO TC215 Standards
• HL7 Standards
NHS Information Governance Toolkit: Matching Requirements, V5 June 2007
• Information Governance Management
• Confidentiality and Data Protection Assurance
• Information Security Assurance
• Clinical Information Assurance
• Secondary Use Assurance
• Corporate Information Assurance
[Chart] IT Security Breaches in the NHS: estimated percentage of Trusts having an incidence of breaches (using extrapolated information)
Types of Incidents within NHS Organisations
• Virus infection
• Staff misuse and disclosure
• Attempts at unauthorised access
• Theft and fraud
• Data error or corruption
• Accidental loss
What do the papers say?
• Unauthorised copies of medical records
• Unauthorised alterations to medical records
• Loss of medical records
• Inaccurate or wrong treatment
• Loss of critical systems
• Financial loss and legal liability
Why is information security needed? (2)
To reduce the risk of:
• Disruption to Trusts’ business
• Breaches of confidentiality
  - personal privacy
  - organisational confidentiality
• Financial loss
• Failure to meet legal obligations
• Embarrassment to SHAs and Trusts
Why is it Important Now?
• Risk Management
• NHS CfH National Programme
• IM&T usage
Why is it Important Now? Risk Management
Chief Executives of NHS Trusts have been required since 1st April 2000 to do their “reasonable best” to protect patients, public, staff and stakeholders from risks of all kinds.
Department of Health: HSC 1999/123a, Risk Management and Organisational Controls, 1999
Why is it Important Now? NHS Connecting for Health’s National Programme for IT for the NHS in England
Initial investment of £6.2 billion
+ 4% of total NHS budget pa (currently £4.2 billion pa)
+ Local expenditure of £1 bn pa
= Approximately £90bn by 2010
[Diagram] NHS Connecting for Health’s National Programme for IT: 5 Clusters · Local Service Providers · Local Ownership Programme
National Programme for IT (NPfIT)
• Core Services from NASP
• New NHS-Wide Network (N3) linking 300 Hospital Trusts and 8,000 General Practices to support the NHS Care Records Service
NHSnet & the New National Network (N3)
• National Infrastructure Service
• Provides the physical infrastructure, intelligent network services, and demand and requirement analysis
• End-to-end service and single point of contact
• Secure network with links to other networks
• Available at every site where NHS services are delivered or managed
Why is it Important Now?
• More reliance on information
• More clinical use of IT
• Caldicott implementation
• Implementation of Data Protection Act 1998
NHS Organisations were inadequately protected
Of NHS Trusts in England:
• Only just over half had up-to-date Information Security Policies
• Less than one fifth had comprehensive Security Awareness programmes
• Less than one third had taken proper cognisance of legislation other than the Data Protection Act
• Less than ten per cent had completed their ISO 17799 Surveys and Action Plans
Who’s taking the lead?
• Caldicott Guardian
• Head of Information Governance
• Data Protection Officer
• Information Security Manager
“Between You and Me…” The Issues
The key message! Information Security (like Health & Safety) is everyone's responsibility!
Information Security (like Health & Safety) is everyone's responsibility! This means you!
What can you do?
• Adhere to trust policies
• Apply access controls
• Secure trust assets
• Report incidents
• Review personal practice
Adhere to Trust Information Security Policies
• Specify Trust responsibilities
• Have Senior Management support
• Provide frameworks of standards and procedures
• Incident procedures
• Email
• Internet use
Apply physical access controls
• Challenge inappropriate behaviour
• Prevent misuse of data and software
• Stop unauthorised access
• Document authorisation
• Protect your password
Access Controls for the NHS Care Records Service NHS Connecting for Health are using Role Based Access Control based on Smart Cards and Pseudonymisation.
Secure trust assets
• Site them carefully
• Lock them away when unattended
• Protect off-site equipment
• Dispose of them properly
Hot off the Press!
The Information Commissioner announced on 15th November 2007 a new criminal offence: “knowingly or recklessly flouting Data Protection principles”.
The Information Commissioner said: “If a doctor or hospital employee leaves a laptop containing patient records in his car and it is stolen, that is gross negligence”.
Report incidents
Report any event which has resulted, or could result, in:
• Disclosure of personal data
• Password infringements
• Virus infections
• Access to offensive web sites
Sources of Information
• Department of Health: www.dh.gov.uk
• NHS Connecting for Health: www.connectingforhealth.nhs.uk
• Information Commissioner: www.informationcommissioner.gov.uk
Questions and Answers