London, UK – 19 March 2012 – The announcement of Dame Fiona Caldicott’s independent review into the protection of patient data has been welcomed as a critical opportunity for the NHS. FairWarning Inc, a global expert in the detection and prevention of electronic health record (EHR) data breaches, believes it could help lay the foundations for secure and trusted electronic healthcare, which will enable better patient outcomes. The reputations of hospitals, the trust of patients, and confidentiality of electronic healthcare are at risk as many patient record systems are potentially open to undetectable abuse.
The review was announced by the Department of Health in response to the NHS Future Forum’s recommendation that the balance between the protection and sharing of patient data needed to be addressed. The last major review of the security of patient information dates back to 1997, since when there have been significant changes in the use and deployment of electronic record systems.
Right now the NHS is also undergoing a transformation in which electronic healthcare will become fundamental to every aspect of patient care. At the same time the radical reorganisation of the NHS in England and the abandonment of many aspects of the National Programme for IT are giving local healthcare providers ever-greater responsibility for their own electronic healthcare systems – and for ensuring that they are fully secure.
Kurt Long, Founder and CEO of FairWarning® UK, said: “The review is a truly welcome development, especially under the leadership of someone as widely respected as Dame Fiona. It is great to see the NHS giving a high priority to patient privacy, as this is a mission critical issue. This review could lead to a future in which patient data can be shared securely throughout the NHS, and where the reputations of healthcare providers are not under threat from the constant risk of serious breaches.
“The widespread use of electronic healthcare systems and the free flow of information are essential for the sustainable delivery of better outcomes for patients. This can only be successful if clinicians and patients have confidence that sensitive data is secure. Unfortunately, as every hospital CIO and head of IT in England knows, this is far from being the case as many have no effective safeguards in place to stop staff misusing their legitimate access rights to look at patient records.
“Our experience in the UK, and overseas, shows that data theft and abuse are widespread. This is something which is already being addressed very effectively by NHS Scotland. NHS Wales, and certain forward-thinking trusts in England, are also moving forward at some pace. We hope Dame Fiona and her panel will look to NHS Scotland as an example of good practice.
“Unless security is treated as the fundamental underpinning of electronic healthcare systems, there is a clear danger that continuing data breaches will damage public confidence, causing patients and NHS professionals to back away from electronic care.”
An independent, large-scale opinion survey carried out on behalf of FairWarning® in the UK (see below) showed that patients expect the NHS to keep their details safe, and believe that senior managers should be sacked or fined for serious breaches that were avoidable. A recent EU-sponsored survey found that 83% of Britons regard medical information as highly personal (against an EU average of 74%). The Information Commissioner’s Office (ICO) has given notice that it intends to take a tougher stance on breaches. Legislators are also strengthening controls on privacy, with an emphasis on greater rights for patients and consumers.
Clear rules and guidelines are needed on information sharing and privacy in order to help healthcare providers put the right practical measures in place. Encouragement is also required to reinforce a culture of privacy. FairWarning® believes that this can only be achieved if all organisations involved with NHS care implement three basic safeguards:
- Secure electronic communications with patients and
- Security of data in and across
- Assurance of only appropriate access to
Long said: “The world of electronic healthcare has come a long way since the 1990s, but there is still so much more it can deliver. But, with many tens of thousands of people sharing many millions of pieces of highly personal information daily, NHS IT systems must be secure, and they have to be policed.
“We hope that experts in data security and health record monitoring will be invited to have an extensive input into Dame Fiona’s review. This is vital if privacy and secure sharing of data are to be a reality. As global leaders in the field, having worked with UK and overseas healthcare organisations, having prepared industry white papers and carried out extensive research, we would be happy to offer our expertise to the panel.”
Of particular importance is the need to reappraise the role of the Caldicott Guardians (to which Dame Fiona gave her name) who work within NHS organisations, as they were seen as having a special role with respect to the National Programme. In the new environment they must be able to understand the security issues surrounding IT systems procured locally rather than nationally.
FairWarning® is already offering support to UK healthcare providers in tackling security issues. One example is the ‘Is Your Information a Valuable Asset or a Toxic Liability?’ webinar planned for 18 April which will consider a wide range of data security issues, including Electronic Health Record monitoring. The Guest Speaker will be healthcare information governance expert David Stone, Head of Information Governance, Apira. For more information about this free, educational webinar, please visit https://www.fairwarning.com/subpages/United-Kingdom.asp.
Notes for editors
About the UK independent patient opinion survey
The main findings of the survey included that:
- 1% agree that chief executives and senior management should be sacked or fined if they were aware of risks but failed to act and there is a serious breach. 73.3% felt that better enforcement of rules and regulations would cut security breaches.
- 5% think that a serious breach of personal data would do severe or considerable damage to a hospital’s reputation.
- 2% strongly or somewhat agree that the NHS should monitor who looks at their files.
- Over 61% were very or somewhat worried that their identity could be used to commit fraud or used by criminals to target them, their family or home.
- 6% have, or would, withhold information about a sensitive personal medical matter from a healthcare provider with a poor record of protecting patient privacy.
- 3% have, or would, put off seeking care for a sensitive medical condition due to privacy concerns.
The UK survey was carried out by New London Consulting and took place in the nine-day period from Thursday, August 25, 2011 to Friday, September 02, 2011 inclusive. See How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes at www.fairwarning.com/documents/2011-WHITEPAPER-UK-PATIENT-SURVEY.pdf.
The EU’s new stance on data privacy can be seen at ec.europa.eu/justice/policies/privacy/review/index_en.htm and the results of the EU’s Special Eurobarometer 359 survey are at ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf.
For further details of the FairWarning® webinar, please visit https://www.fairwarning.com/subpages/United-Kingdom.asp.
About the Caldicott Review
For details of the review see www.dh.gov.uk/health/2012/02/dame-fiona-caldicott-to-lead-confidentiality-review/
Dame Fiona is the originator of ‘Caldicott Guardians’, the people in every NHS and local authority organisation who are responsible for making decisions about sharing identifiable information. This requires balancing the public interest of protecting confidential information with the public interest for sharing the information.
NHS Connecting for Health says the Caldicott Guardians were seen as particularly important in relation to the implementation of the National Programme for IT and the development of Electronic Social Care Records and Common Assessment Frameworks. See www.connectingforhealth.nhs.uk/systemsandservices/infogov/caldicott.
Examples of privacy breaches include:
- NHS Bury warned that details of 189 walk-in centre patients may have been leaked to personal injury lawyers.
- At Sheffield Teaching Hospitals a member of staff was caught looking at records of an ex-partner’s new partner.
- In 2012 cancer nurse Jennifer Ramsay (37), based at Dundee’s Royal Victoria Hospital, admitted she was no longer fit to practice and was struck off after inappropriately accessing, and discussing, patient records at least 10 times.
- In 2011 a staff member from Northampton General Hospital was sacked after accessing the health records of an acquaintance; a second person was severely reprimanded.
- The fining of a former Liverpool health worker in 2012 for accessing the records of five members of her ex-husband’s family.
- The conviction of a Romford health service employee for unlawfully obtaining her sister-in-law’s records to see what medication she was on.
- The discovery that a cleaner in Rotherham accessed a friend’s records to see if she had recently had an abortion.
About David Stone
David is a healthcare information consultant with over 20 years of public and private sector experience and is currently Head of Information Governance, with the respected Apira healthcare information service. His role has often involved being an agent for change, developing and delivering stakeholder engagement and communications strategies. He is closely engaged with the NHS IG community. He is a member of many SIGN (SHA-led IG Network – which David facilitated the setting up of in 2008) groups, is a frequent conference speaker and is co-author and presenter of the Department of Health national IG training programme.
Past projects have included:
- Project manager and author of the NHS Connecting for Health information governance statement of compliance.
- Author of the training programme for IGT v8 for NHS Connecting for Health.
- Strategic information governance consultancy: resource restructuring, stakeholder engagement, communications and facilitation.
- Supporting health and social care organisations to develop and deliver enterprise level change and compliance.
- Thought-leadership in information asset management approaches: information flow mapping, information asset registration, information risk management as well as strategic approaches to pseudonymisation.
About FairWarning, Inc.
FairWarning® is the world’s leading supplier of cross-platform healthcare privacy auditing solutions for Electronic Health Records. FairWarning® proactively protects healthcare organisations from emerging legal and privacy threats which include medical identity theft, identity theft, and other forms of healthcare information crimes. FairWarning® is the industry’s leading best practice solution for automating privacy auditing. The company is located in Clearwater, FL, with offices in London, England and Paris, France. To learn more, please visit https://www.fairwarning.com or call 0800 047 0933 or US +1 727 576 6700.