NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit
Previous articles in this series:
Pt. 1: Data security standards and opt-out models in health and social care
Implementing HIPAA Controls
Pt. 2: Government Views On Opting Out – Health Data and Security in The UK
The Information Governance Toolkit may have focused on technical standards in the past, but recent external movements could mean a more public-facing role to help build trust in NHS management of service user data.
To improve the use of technology, data, and information within the health and social care sector, the UK’s Department of Health established a public body called NHS Digital. Previously referred to as the Health and Social Care Information Centre (HSCIC), its role is twofold: (1) Draw together legal rules and guidance set out in Department of Health policies; and, (2) Present them as a set of information governance requirements.
The Information Governance (IG) Toolkit incorporates both these tasks, and its remit covers information security, confidentiality and data protection, and management structures and responsibilities.
At present time (November, 2017) the Toolkit is being updated in light of recommendations from the Review of Data Security, Consent and Opt-outs carried out by the National Data Guardian (NDG). This Review has been discussed previously, including its focus on building public trust. The UK Government response to this Review is also informing the update and its public consultation has been covered on this website.
The release notes for version 14.1 of the Toolkit state that, “redesigned IG Toolkit is in phased development and will include a new set of mandatory requirements to support the evolving system and threats. It will be more accessible and easier to use, while also providing a greater emphasis on data security leadership obligations – people, processes and technology. A beta version of the redesigned toolkit is due for launch in the autumn ahead of a formal roll out across all sectors in April 2018.”
A previous Review in 2013 (Caldicott-2) resulted in a number of changes to the Toolkit, and in this article, we look at the likely impact arising from the 2016 Review (Caldicott-3) and the Government’s subsequent public consultation.
Likely Impacts
While the Toolkit will undoubtedly be impacted at technical levels, its overall role and function may also be affected. Gaining public trust is a significant issue and was a major theme in Caldicott-3 and the Government response. Hence, the first impact likely on the Toolkit will be its enhanced role to help the NHS increase public trust in its management of service users’ data.
- Supporting public trust
In its response paper, the Government says service users should have easier access to data about themselves held by service providers within the NHS. Currently, service users must engage in a lengthy application process to access this data. The Toolkit cannot directly help with this better data access but it could allow service users more easily find the organization(s) who have access to their data, and indicate whether they are currently compliant with data security standards. In this regard, the response paper says the Toolkit can facilitate organizations in demonstrating their commitment to cyber-security measures. The Government has also stated that a central register of what organizations accessed a service user’s care record will be available online. The Toolkit could naturally be linked to this register.
Another aspect of the Toolkit that may be impacted with respect to supporting public trust is its Change Requests process. This could be required to also become more user-friendly and perhaps even widen its function to incorporate more feedback from service users; it has historically been an organization-facing entity. To focus on the public more, a website that renders neatly on smart phones and tablets could be expected. Additionally, a dedicated app and perhaps free-phone numbers for older and other vulnerable service users to make contact might also be anticipated.
The 2016 Review (Caldicott-3) broadened its remit and considered data security in social care as well as health care. The 2013 Review had focused on health care only and up to now, the Toolkit mostly dealt with organizations in the health care sector.
The impact on the Toolkit in this instance, therefore, may be the incorporation of social care organizations into its domain. While many health care organizations listed under the Toolkit’s Organization Types may already deliver social care, its emphasis in Caldicott-3 means additional effort will be required to address the potentially different requirements for data security and information sharing in a social care setting.
From a technology point-of-view, the Toolkit’s Cyber Security Programme (CSP) will have to become more even more agile and faster in its response to the ever-changing threats from malware and other attackers. Organization staff who use mobile devices for work present a new vulnerability which will require additional attention from the CSP and its CareCERT team. If staff connect to NHS databases via their mobile device, then they are potentially providing a gateway for attackers to NHS and service user data. Mobile security is a concern for the wider online community, and the Toolkit must ensure it is (1) fully up-to-date with the latest technical security measures, and (2) auditing its technology more regularly. Practical advice such as minimum requirements for operating systems and browsers may also now fall into its remit.
The Caldicott-3 Review considered two aspects of information sharing within NHS organizations: data security standards and a new opt-out model for service users who do not wish to share all or part of their data. If the Toolkit is to take on more of a public-facing role, it must also incorporate this new opt-out model. Summary information on the model must be provided in a clear, straightforward format, as well as updates to the Requirements section. Any subsequent assessments using the Toolkit will also have to consider how organizations are implementing and explaining the opt-out model to service users.
Conclusion
Implementing change is difficult in any sphere, even more so when dealing with large public entities such as the NHS. Add to this the element of sensitive data from often vulnerable people and we get a sense of the sizeable task facing the IG Toolkit. The Government response paper recommends a redesign of the current Toolkit, but acknowledges that a cost-benefit analysis is needed with respect to cybersecurity measures. Smaller service providers, for example, cannot be expected to dedicate the same resources to data management as those with larger budgets and more staff.
What then will ultimately be the impact for the Toolkit? In this article, we outlined some likely changes in light of two recent public documents. In future, there will be other external drivers that impact the Toolkit. It is likely that such influences will become more regular and the Toolkit will have to become more agile and adept at responding to them; all the more so as technology changes faster and the public better understands the use of data sharing in the health and social care sector.
The Toolkit must become more user-friendly, both for organizations and the wider public. This can be reflected in its Publications and Reports sections, as well as its approach to Change Requests, as previously outlined. The opportunity now exists for the Toolkit to support the NHS in becoming exemplars of trustworthy data controllers. The Toolkit may even become a certifier of best practice in organizations, not only for the public, but also for external funders and other potential investors in those organizations.
Resources
https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs
/data-security-standards-opt-models-health-social-care/
https://www.gov.uk/government/consultations/new-data-security-standards-for-health-and-social-care
/government-views-opting-health-data-security-uk/
https://www.igt.hscic.gov.uk/WhatsNewDocuments/IGTV14.1-ReleaseNote-July 2017.pdf
https://www.igt.hscic.gov.uk/Caldicott2Recommendations.aspx
https://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/what_to_do.aspx
https://www.igt.hscic.gov.uk/ChangeRequestForm.aspx
https://www.igt.hscic.gov.uk/requirementsorganisation.aspx
https://www.igt.hscic.gov.uk/Cyber.aspx
https://www.igt.hscic.gov.uk/CyberWhatIs.aspx
Implementing HIPAA Controls
Implementing Controls for HIPAA
Learn how to maintain the confidentiality, integrity and availability of PHI and ePHI. What you'll learn:- HIPAA models and protocols
- Best practices for controls
- Privacy rule standards
- HIPAA compliance plans
- And more
In this Series
- NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit
- Genetic testing "hottest" new form of health insurance fraud, FBI warns
- Healthcare data security issues: Best security practices for virtual healthcare sessions
- Analysis of ransomware used in recent cyberattacks on health care institutions
- Top cyber security risks in healthcare [updated 2020]
- How to satisfy HIPAA awareness and training requirements
- What Is Protected Health Information (PHI)?
- The Most Vulnerable and Hackable Medical Devices
- How to Comply with HIPAA Regulations – 10 Steps
- 5 Security Awareness Tips for HIPAA Compliance
- How WannaCry Ransomware Crippled Healthcare
- Breach Notification Requirements for Healthcare Providers
- Top 10 Threats to Healthcare Security
- Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It
- NDG Pt. 2: Government Views On Opting Out - Health Data and Security in The UK
- NDG Pt. 1: Data security standards and opt-out models in health and social care
- Patient Privacy in Healthcare: A Security Practitioner's Approach
- How Healthy is Security Across Healthcare?
- HIPAA Security Rule
- Regulatory Compliance for HIPAA Security Officers
- HIPAA and IT Security
- A Detailed Look Into the World of Clinical Decision Support Systems
- Top Clinical Application Systems
- Who is Hacking Healthcare?
- Types of hospital information systems
- HIS/HMIS
- The Healthcare IT Stack
- Medical Device Regulation
- Security Risk Assessment in Health Care
- Risk Management in Healthcare
- Security Technologies in Healthcare
- Medical Data Protection
- Healthcare Attack Statistics and Case Studies
- Security Leaders in Healthcare
- The Internet of Things in Healthcare
- Top 5 Emerging Security Technologies in Healthcare
- Emerging Technologies in Healthcare
- 10 Best Practices for Healthcare Security
- IS Best Practices for Healthcare
- Hospital Security
- Security Awareness for Healthcare Facilities
- Hospital security policies & procedures
- What Does Security Awareness Mean for Doctors, Nurses and Hospital Staff?
- Security Awareness for Healthcare Professionals
- Hackable Medical Devices
- Other Healthcare IT Regulations
- HITECH Act and IT Security
- HIPAA Security Checklist
- Healthcare HITECH Act
- HIPAA Overview and Resources
- Overview of Regulations and Compliance
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Healthcare information security
Genetic testing "hottest" new form of health insurance fraud, FBI warns
Healthcare information security
Healthcare data security issues: Best security practices for virtual healthcare sessions
Healthcare information security
Analysis of ransomware used in recent cyberattacks on health care institutions
Healthcare information security