Electronic based healthcare is among the most important advances of our times because it can transform how we plan and deliver care to individuals and populations.
Reforms to the NHS in England are giving local healthcare providers greater autonomy and responsibility for their own electronic healthcare systems – and for making sure that they are fully secure.
Robust data protection is the bedrock of successful electronic healthcare because clinicians and patients must have confidence that sensitive data is secure. If they aren’t, public confidence will erode, and patients and NHS professionals may back away from electronic systems.
A recent survey of more than 1,000 UK citizens revealed that 86.5% of respondents believe a serious breach of personal data would do considerable damage to a hospital’s reputation, and 87.2% believe the NHS should monitor who looks at their patient records.
Despite this, many NHS hospitals do not have systems in place to proactively detect privacy violations – and remain vulnerable to breaches, litigation and regulator fines.
Until it becomes mandatory for trusts to build patient privacy into NHS IT systems, the ever-present risk of major data breaches will remain – and the full patient benefits of electronic healthcare will not be realised.
Disclosure and notification
Recent data from the UK Information Commissioner’s Office reveals that data security breaches within the NHS have increased by 935% in the past five years.
Yet there remains no legal requirement in the UK for providers to disclose to the patient when a privacy breach has taken place.
This must be addressed. UK citizens have a basic right to know when their records have been inappropriately accessed and their privacy compromised.
The biggest driver for improvements in patient privacy will be tighter legislation around disclosure and notification.
When a breach has occurred, providers must be mandated to provide breach disclosure to patients, and breach notification to the ICO. This would bring a level of accountability to care providers that cannot be achieved by other measures such as random audits and fines.
Healthcare privacy laws in the rest of the world are being significantly strengthened – and the NHS cannot afford to be left behind.
In the US, ARRA HITECH privacy legislation in 2009 introduced – and enforced – strict guidelines around breach disclosure and notification.
Similarly, in Europe, pending legislation in the General Data Protection Regulation will mandate the disclosure and notification of privacy breaches to individual patients and governmental organisations respectively. The NHS should rigorously enforce this legislation.
Mandatory audit trails
At present, there is no legal requirement for electronic health record vendors or applications used in healthcare to produce a robust audit trail.
This means that when a privacy breach has occurred, neither the care provider, enforcement agencies nor the patient has the ability to reconstruct who has been affected, to what extent damage has been done and how long it has been occurring.
Furthermore, the majority of providers are unable to identify proactively where privacy breaches have taken place – other than to wait until a patient reports concern.
The current system provides no facility to audit, proactively discover or mitigate what has happened. In such an environment, it is impossible to determine the scope of the damages, or to proactively protect against them reoccurring in the future.
Mandating the use of audit trails across all electronic health records and applications used in healthcare would be the first and potentially most important step towards securing and protecting patient privacy.
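To make concrete what an audit trail has to answer after a suspected breach (who was affected, to what extent, and for how long), here is an added Python example that is not part of the original article or of any product it mentions. It assumes a hypothetical comma-separated access log format and a constructed sample; the "care relationship" set used to separate expected from unexpected access is also an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access audit records (hypothetical format):
# timestamp, user_id, role, patient_id, action
AUDIT_LOG = """\
2012-09-03T08:15:00,u123,nurse,P001,VIEW
2012-09-03T08:20:00,u123,nurse,P002,VIEW
2012-09-05T22:41:00,u123,nurse,P017,VIEW
2012-09-05T22:43:00,u123,nurse,P018,VIEW
2012-09-05T22:44:00,u123,nurse,P019,PRINT
2012-09-12T23:02:00,u123,nurse,P020,VIEW
2012-09-06T09:00:00,u200,doctor,P001,VIEW
"""

def parse_audit_log(text):
    """Turn the raw audit text into a list of dict records."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records

def reconstruct_breach_scope(records, user, treating=frozenset()):
    """Answer the three questions the article says an audit trail makes
    answerable for a suspected user: which patients were affected, to what
    extent (events and action types), and over what period.
    `treating` is the set of patients the user legitimately cared for
    (assumption: in practice this comes from a care-team roster)."""
    hits = [r for r in records
            if r["user"] == user and r["patient"] not in treating]
    if not hits:
        return None
    per_patient = defaultdict(list)
    for r in hits:
        per_patient[r["patient"]].append(r["action"])
    first = min(r["ts"] for r in hits)
    last = max(r["ts"] for r in hits)
    return {
        "affected_patients": sorted(per_patient),
        "events_per_patient": {p: len(a) for p, a in per_patient.items()},
        "actions": sorted({r["action"] for r in hits}),
        "first": first,
        "last": last,
        "duration_days": (last - first).days,
    }
```

Without a log of this shape there is nothing to run the reconstruction over, which is the gap the mandatory audit trail closes.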
Robust standards for audit trails
The implementation of robust standards for audit trails will be a key component in the delivery of an electronic healthcare model built on the principle of interoperable systems and widespread sharing of data.
Interoperability increases the risk of security breaches and, as such, underlines the need for common and robust standards for audit trails to underpin all healthcare applications.
The culture of change
Effecting meaningful change is as much a cultural challenge as it is a technological one. I agree with the wider healthcare technology community that education, training and awareness of patient privacy within the NHS need to be improved.
The implications of security breaches must be fully understood across the health sector and healthcare leaders must also become privacy leaders.
Clear guidelines are needed on information sharing and privacy in order to help healthcare providers put the right practical measures in place. Encouragement is also required to reinforce a culture of privacy.
This can only be achieved if all organisations involved with NHS care implement three basic safeguards: secure electronic communications with patients and carers, security of data in and across systems and assurance of only appropriate access to data.
I believe that undertaking these changes will help to transform data security within the NHS, building levels of trust between patients and providers and significantly enhancing patient care through the secure use of electronic healthcare.
About the author: Kurt Long is the founder and chief executive of FairWarning, a Florida-based company specialising in patient privacy monitoring for electronic health records, which works with more than 900 hospitals and 3,000 clinics in the United States, Canada, the United Kingdom, and Europe. www.FairWarning.com
Previously, he was chief executive of OpenNetwork Technologies, a single sign-on and identity management software specialist, having started his career with Lockheed Space Operations at the Kennedy Space Center and IBM.
Dame Fiona Caldicott was recently interviewed by eHealth Insider, and will be speaking at EHI Live 2012, the two-day conference and exhibition where the eHealth community meets.