NHS Archives - Cyber Secure Forum | Forum Events Ltd

Health Tech and Personal Data: What ‘Powered by Data’ means for healthcare tech

Stuart O'Brien

By Lucy Pegler, partner, and Noel Hung, solicitor, at independent UK law firm Burges Salmon

In June 2023, the NHS launched the ‘Powered by Data’ campaign to demonstrate how the use of health data delivers benefits for patients and society. The campaign draws on examples of how the responsible use of patient data can support innovation in the healthcare sector, from developing new tools to support patients to helping to understand how to deliver better care.

Although framed in the context of public health services, the concept of ‘Powered by Data’ is applicable more widely to the healthcare sector. Public and private providers of healthcare, whether in person in healthcare settings or through increasingly innovative digital services, will collect data in every interaction with their patients or clients. The responsible and trustworthy use of patient data is fundamental to improving care and delivering better, safer treatment to patients.

What is health data?

The Data Protection Act 2018 (“DPA”) defines “data concerning health” as personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.

Healthcare organisations that typically manage data concerning health also have an additional obligation to hold “genetic data” and “biometric data” to a higher standard of protection than personal data generally.

If you process (e.g. collect, store and use) health data in the UK, UK data protection laws will apply. Broadly speaking, UK data protection law imposes a set of obligations in relation to your processing of health data. These include:

  • demonstrating your lawful basis for processing health data – health data is considered special category personal data meaning that for the purposes of the UK General Data Protection Regulation, healthcare providers must demonstrate both an Article 6 and an Article 9 condition for processing data. Typically, for the processing of health data, one of the following three conditions for processing must apply:
  1. the data subject must have given “explicit consent”;
  2. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
  3. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices.
  • transparency – being clear, open, and honest with data subjects about who you are, and how and why you use their personal data.
  • data protection by design and default – considering data protection and privacy issues from the outset and integrating data protection into your processing activities and organisation-wide business practices.
  • technical and organisational measures – taking appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed.
  • data mapping – understanding how data is used and held in your organisation (including carrying out frequent information audits).
  • use of data processors – only engaging another processor (a ‘sub-processor’) after receiving the controller’s prior specific or general written authorisation.

The NHS and the adult social care system have stated their commitment to upholding the public’s rights in law, including those enshrined in the DPA 2018 and the common law duty of confidentiality. These obligations extend to healthcare providers, whether NHS, local authority or private, and whether operating through online, digital healthcare solutions or more traditional in-person settings.

The Caldicott principles

The Caldicott principles were first introduced in 1997 and have since expanded to become a set of good practice guidelines for using and keeping safe people’s health and care data.

There are eight principles that apply, and all NHS organisations and local authorities which provide social services must have a Caldicott guardian in place to support with keeping people’s information confidential and maintaining certain standards. Private and third sector organisations that do not deliver any publicly funded work do not need to appoint a Caldicott guardian.

However, the UK Caldicott Guardian Council (“UKCGC”) considers it best practice for any organisation that processes confidential patient information to have a Caldicott Guardian, irrespective of how they are funded.

The role of the Caldicott guardian includes ensuring that health and care information is used ethically, legally and appropriately. The principles also allow for the secure transfer of sensitive information to other agencies, for example Social Services, Education, the Police and the Judicial System. Further details of the principles can be found here.

The Common Law Duty of Confidentiality (“CLDC”)

Under the CLDC, information that has been obtained in confidence should not be used or disclosed further, unless the individual who originally confided such information is aware or subsequently provides their permission.

All NHS Bodies and those carrying out functions on behalf of the NHS have a duty of confidence to service users and a duty to support professional and ethical standards of confidentiality. This duty of confidence also extends to private and third-sector organisations providing healthcare services.

NHS-specific guidance

Providers who work under the NHS Standard Contract may also utilise the NHS Digital Data Security and Protection Toolkit to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled appropriately.

Furthermore, the toolkit contains a breach assessment grid to support with deciding the severity of the breach using a risk score matrix to determine whether the breach needs to be reported, which supports with reporting security incidents to the ICO, the Department of Health and Social Care and NHS England.

Health and Care Act 2022

As integrated care systems continue to develop, the new Health and Care Act 2022 introduces significant reforms to the organisation and delivery of health and care services in England. In particular, the Act makes numerous changes to NHS England (which has now subsumed NHS Digital) to require data from private health care providers when it considers it necessary or expedient for it to have such data to comply with a direction from the Secretary of State to establish an information system.

The Act also allows the Secretary of State for Health and Social Care to mandate standards for processing of information to both private and public bodies that deliver health and adult social care, so that data flows through the system in a usable way, and that when it is accessed or provided (for whatever purpose) it is in a standard form, both readable by and consistently meaningful to the user or recipient.

Benefits of sharing personal data  

Healthcare professionals have a legal duty to share information to support individual care (unless the individual objects). This is set out in the Health and Social Care Act 2012 and the Health and Social Care (Quality and Safety) Act 2015. The sharing of health and social data between NHS organisations and pharmacies could better transform the way healthcare services are provided as well as grant continuity between the various providers. Having a single point of contact with patients is what makes the healthcare system in the UK distinct from other systems around the world. In addition, patient information could be used for research purposes as well as in the development and deployment of data-driven technologies.

A note on cyber security

Given the sensitive nature of health data and patient information, healthcare providers are particularly susceptible to data breaches. In response to the UK government’s cyber security strategy to 2030, the Department of Health & Social Care published a policy paper entitled ‘A cyber resilient health and adult social care system in England: cyber security strategy to 2023’ in March 2023.

Cyber resilience is critical in the healthcare sector, and providers must be able to prevent, mitigate and recover from cyber incidents. Strong cyber resilience dovetails with providers’ obligations under UK GDPR to maintain appropriate technical and organisational measures. For public providers and those providing into the public sector, a deep awareness of the DHSC’s Strategy is critical.

Consequences for failure to comply

Whilst there is a lot of focus on the maximum fines under UK GDPR of £17.5 million or 4% of the company’s total worldwide annual turnover (whichever is higher), in the context of the healthcare sector, there is also significant reputational risk in terms of both an organisation’s relationship with its patients and with its customers and supply chain. Organisations should also be aware of their potential liability resulting from claims from patients and potential contractual liability and consequences.


NHS inks three-year cybersecurity partnership with IBM

Stuart O'Brien

NHS Digital has entered into a three-year strategic partnership with IBM to provide a range of new and improved services to health and care organisations.

The additional services will expand NHS Digital’s existing Cyber Security Operations Centre (CSOC) and enhance NHS Digital’s current capability to monitor, detect and respond to a variety of security risks and threats across the NHS, and offer expert advice and guidance.

The CSOC expands on the existing cyber security services provided by NHS Digital and will include:

  • Enhanced services, such as vulnerability scanning and malware analysis, allowing NHS Digital to offer tailored and specialist advice to individual NHS organisations
  • Enhancement of NHS Digital’s current monitoring capability, enabling the analysis of data from multiple sources to detect threats across NHS Digital’s national systems and services
  • Access to IBM’s X-Force repository of threat intelligence to provide insight, guidance, and advice so health and care organisations can take appropriate action to prepare for, or mitigate against, identified risks and threats.
  • Security monitoring pilots across selected NHS organisations, to test a range of security technologies and identify appropriate solutions that could be rolled out across the NHS estate.
  • An innovation service which will allow NHS Digital to quickly access new tools, technologies and expertise to address new threats as they emerge, and to allow it to adapt services to meet the changing needs of the health and care sector.

Dan Taylor, Programme Director, Data Security Centre at NHS Digital, said: “This partnership will enhance our existing Cyber Security Operations Centre which is delivered from NHS Digital’s Data Security Centre. It will give us, during times of increased need, the ability to draw on a pool of dedicated professionals from IBM.

“It will build on our existing ability to proactively monitor for security threats, risks, and emerging vulnerabilities, while supporting the development of new services for the future and enabling us to better support the existing needs of local organisations. This will ensure that we can evolve our security capability in line with the evolving cyber threat landscape.”

Rob Sedman, Director of Security, IBM UK and Ireland said: “IBM is excited to partner with NHS Digital and bring enhanced detection and incident response co-ordination capabilities to its Data Security Centre.”

Scottish Government outlines cyber security plans

Stuart O'Brien

The Scottish government has outlined its cyber strategy in a 48-page document – The Public Sector Action Plan on Cyber Resilience.

The plan offers details to local authorities, Government departments and NHS boards on best practices for protecting themselves against cyber attacks. The Scottish Government fast-tracked the strategy in the wake of the global cyber attack in May, when 11 Scottish health boards were targeted by hackers.

Discussing the plan, First Minister John Swinney said it would “encourage all public bodies, large or small, to achieve common standards of cyber resilience,” before adding: “I want our public sector to lead by example on strengthening cyber security, to help ensure Scotland is ready to deal with all emerging threats.”

Some £200,000 is to be made available for organisations to assess, identify and improve cyber security issues, while ministers will also write to chief executives of Scottish public bodies to urge them to ensure all firewalls and security procedures are up to date, with companies in public service chains asked to demonstrate how they have protected themselves.

Colin Slater, head of cyber security at PwC in Scotland, said: “To date we’ve been reacting to cyber security using frameworks that are almost 30 years old. That’s not representative of the risk we’re dealing with these days.

“During that attack NHS trusts couldn’t take appointments, they couldn’t do imaging, they couldn’t prescribe drugs, couldn’t admit patients. The ultimate consequence is that you can’t deliver your public service.

“Cyber criminals are brilliantly tooled up, they’re very dogged, they’re very, very clever and they’re very fast and agile.”

Dr Keith Nicholson, joint chair of the National Cyber Resilience Leaders’ Board’s public sector steering group, said that by following the plan “Scotland’s public sector will be better protected against cyber attacks to the benefit of both the organisation and the citizens of Scotland.”

NHS Digital signs cyber security contract with Microsoft

Stuart O'Brien

NHS Digital has signed a support contract with Microsoft, three months after the WannaCry ransomware attacks that targeted Windows computers.

The attacks on the NHS highlighted the need for investment, the lack of infrastructure and the need for training among NHS staff, along with the fact that the NHS relies on Windows XP, an obsolete operating system, which raised questions about the resilience of the service’s IT systems.

The Government recently announced it would boost investment in NHS data and cyber security above the £50 million outlined in the Spending Review, addressing key structural weaknesses as part of its commitment to improve NHS cyber security, with an initial £21 million delivered to increase cyber security at major trauma sites as a priority, along with improvement of NHS Digital’s national monitoring and response capabilities.

The support contract with Microsoft will cover all NHS organisations throughout the UK until June 2018 and provide a “centralised, managed and coordinated framework for the detection of malicious cyber activity through its enterprise threat detection software.”

A statement by the NHS added that the service “analyses intelligence and aims to reduce the likelihood and impact of security breaches or malware infection across the NHS.”

“One of NHS Digital’s key roles is to work closely with other national partners to explore and provide additional layers of cyber security support to NHS organisations when they need it – with the aim of minimising disruption to NHS services and patients,” the statement concluded.

NHS faces staff retention crisis

Stuart O'Brien

Figures released by the Nursing and Midwifery Council have revealed that more nurses and midwives are leaving the profession than joining, with leavers up by 51% over a four-year period.

Low pay, poor working conditions, long hours and a shortage of qualified staff are all blamed for the decision to leave.

For the first time ever, the Royal College of Nursing (RCN) figures show that more have left the register than joined during 2016/17.

With over 40,000 nursing vacancies in England, the RCN and Royal College Of Midwives (RCM) have called on the Government to scrap the pay cap to help halt the loss of talent.

In an interview with Sky News, Saffron Cordery, director of policy and strategy at NHS Providers, said: “This goes beyond the concerns over Brexit – worrying though they are.

“The reduction in numbers is most pronounced among UK registrants. And it is particularly disappointing to see so many of our younger nurses and midwives choosing to leave.”

Janet Davies, chief executive of the Royal College of Nursing, said: “With more people leaving than joining, the NHS will be further than ever from filling the 40,000 vacant nurse jobs in England alone.

“The 1% cap means nursing staff can no longer afford to stay in the profession and scrapping student funding means people can no longer afford to join it.”

NHS left vulnerable to cyber attacks

Stuart O'Brien

Experts from the British Computer Society (BCS) & The Chartered Institute for IT have claimed that a lack of investment in cyber-security software and accountability left the NHS open to the Wannacry virus.

The malware disrupted hospital staff across the UK in May as computer systems crashed, leaving frontline hospital staff unable to access important patient information, with operations cancelled and doctors and nurses forced to rely on hand-written notes to track patients’ case histories and treatments.

A report into the attack by the BCS found that the crisis could have been avoided had hospital IT teams had an official cyber-attack protocol, in-house cyber-security experts and up-to-date secure software.

“Patients should be able to trust that hospital computer systems are as solid as the first-class doctors and nurses that make our NHS the envy of the world,” said David Evans, director of community & policy at The Chartered Institute.

“Unfortunately, without the necessary IT professionals, proper investment and training, the damage caused by the Wannacry ransomware virus was an inevitability, but the roadmap we are releasing today will make it less likely that such an attack will have the same impact in the future.”

The Chartered Institute for IT has joined forces with the Patients Association, the Royal College of Nursing and Microsoft to produce a blueprint that outlines the steps NHS trusts should take to avoid another crippling cyber-attack.

Top of the list is ensuring there are clearly laid-out standards for accrediting relevant IT professionals. NHS boards are being urged to ensure they understand their responsibilities, how to make use of registered cyber security experts, and how to increase the number of qualified and registered IT professionals.