NHS organisations are frequently in the firing line for allowing breaches of sensitive personal data. The Information Commissioner's Office (ICO) has said that nearly a third of reported breaches involve NHS trusts and related bodies.
While the need for better information governance is well recognised, it seems NHS organisations need to do more to comply with the law. But what further steps are necessary?
The need to protect sensitive personal information, especially that relating to patients, is obvious, and regulations such as the Information Governance Statement of Compliance (IGSoC) have been introduced and enhanced to ensure accountability within the trusts.
Even so, the regular news releases issued by the ICO show that NHS-related breaches continue to occur, and headlines such as "Sensitive Patient Data at Risk" and "Sensitive Patient Data Lost On Train" paint a worrying picture of underlying problems.
In addressing this issue it helps to recognise that breaches fall into two categories: first, those that occur through misuse of data or failure to comply with a policy; and second, the intentional, malicious theft or use of data, often by insiders.
The critical point is that managing obligations around the first type of breach, misuse or failure to comply with a policy, is often, and erroneously, considered by organisations of all kinds, NHS trusts included, to be easier to address than the second.
On the NHS breaches, the ICO stated that the importance of securing confidential data should be fully understood, and that the protection of people’s personal data is part of an organisation’s culture and DNA. NHS organisations must therefore promote this culture, and ensure employees have a real understanding of their responsibilities; and this must start when someone commences their employment.
In an ideal world, an employee would only gain access to sensitive data and resources once they have demonstrated that they understand their responsibility to protect that data. Indeed, the requirements of IGSoC make several references to ensuring staff understand their responsibilities, and requirement ID 112 specifically asks, "does the trust's staff induction procedures effectively raise the awareness of Information Governance".
However, the scale of this challenge is vast, and it is compounded by the number of temporary agency or locum staff who transition through one or more departments in a trust, each requiring access to sensitive data to do their job. It has simply not been efficient, or in most cases practical, to adequately educate and assess an individual's understanding of their responsibilities before granting access to sensitive data and resources.
As mentioned above, the responsibility to protect personal data resides with both the holder of the data (the trust) and the consumer of it (the employee). To deliver on their obligations, trusts must ensure that best practice is applied, and must embrace and follow through on the unification of people, process and technology.
One example of where this delivers great benefits is in how a trust onboards new employees while ensuring it discharges its obligations effectively, with minimal overhead. When a user's logon account is provisioned, they are not able to access sensitive data until they have read, and understood, the specific policies relating to that data. To drive efficiency and consistency and to reduce risk, this can occur in an automated way: a workflow verifies that the policies have been read and understood before access is granted, without unnecessary human intervention.
Because individuals must be able to access data to do their jobs, a balance has to be struck between security and availability. It then becomes important to understand what data is being accessed, by whom, from where and when.
Again, technology allows us to interpret the volumes of audit data generated by our information systems and alert us to odd behaviour. For example, it can flag attempts to access data outside the scope of an employee's role, or establish what constitutes 'normal' access behaviour for that employee and highlight deviations from that pattern.
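The two checks just described, role-scope violations and deviations from a user's own baseline, can be run over an access audit trail. The following is an added example written for this article, not code from the original piece or from NetIQ; the log format, the role-to-category mapping, the working-hours window and the sample records are all constructed for illustration.

```python
"""Audit-log review: flag access outside a role's scope and deviations from a
user's normal pattern.

Added example, not part of the original article or any vendor product. The log
format, role-scope model, working-hours window and sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed role-scope model: which record categories each role may read.
ROLE_SCOPE = {
    "ward_nurse": {"clinical_notes", "medication"},
    "receptionist": {"demographics", "appointments"},
    "locum_gp": {"clinical_notes", "medication", "demographics"},
}

# Constructed sample audit trail: user,role,category,timestamp(ISO),record_count
SAMPLE_LOG = """\
jsmith,ward_nurse,clinical_notes,2013-03-04T09:12:00,3
jsmith,ward_nurse,medication,2013-03-04T10:40:00,2
jsmith,ward_nurse,clinical_notes,2013-03-05T08:55:00,4
jsmith,ward_nurse,clinical_notes,2013-03-06T02:17:00,48
apatel,receptionist,appointments,2013-03-04T08:30:00,12
apatel,receptionist,demographics,2013-03-04T11:05:00,5
apatel,receptionist,clinical_notes,2013-03-04T13:20:00,1
rlee,locum_gp,medication,2013-03-05T14:00:00,6
"""

def parse_log(text):
    """Parse the constructed CSV-style log into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, role, category, ts, count = line.split(",")
        events.append({
            "user": user, "role": role, "category": category,
            "time": datetime.fromisoformat(ts), "count": int(count),
        })
    return events

def out_of_scope(events):
    """Rule-based check: access to a category the user's role does not cover."""
    return [
        (e["user"], e["category"])
        for e in events
        if e["category"] not in ROLE_SCOPE.get(e["role"], set())
    ]

def deviations(events, volume_factor=5):
    """Baseline check per user: flag out-of-hours access (assumed working hours
    07:00-19:00) or a record volume far above that user's own median."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    findings = []
    for user, evs in per_user.items():
        counts = sorted(e["count"] for e in evs)
        median = counts[len(counts) // 2]
        for e in evs:
            hour = e["time"].hour
            if hour < 7 or hour >= 19:
                findings.append((user, "out_of_hours", e["time"].isoformat()))
            if e["count"] > volume_factor * median:
                findings.append((user, "volume_spike", e["count"]))
    return findings

def review(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings grouped by kind."""
    events = parse_log(text)
    return {"out_of_scope": out_of_scope(events), "deviations": deviations(events)}

if __name__ == "__main__":
    for kind, items in review().items():
        print(kind)
        for item in items:
            print("  ", item)
```

The scope check is deterministic and cheap to run on every record; the baseline check needs enough history per user to make the median meaningful, which is exactly why the article's point about transient locum and agency staff matters, since they generate little history before their access ends.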
It should also be remembered that granting access is not a one-time activity. Employees change job roles or leave an organisation altogether, so the review and de-provisioning of access needs to occur in a controlled, consistent and timely way.
Organisations are therefore looking for much tighter integration between HR systems and the rest of their infrastructure, so that when an employee's job role or employment status changes, the necessary review of access and assignment of rights happens automatically.
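The onboarding workflow described earlier (access to sensitive data withheld until the relevant policy has been read and acknowledged) and the HR-driven review and de-provisioning described just above are two halves of one joiner, mover, leaver process. The following is an added example written for this article, not code from the original piece or from NetIQ; the roles, entitlements, policy names and HR event shapes are constructed for illustration.

```python
"""Joiner / mover / leaver workflow with policy-attestation gating.

A new account is provisioned, but entitlements to sensitive data are granted
only once the policy covering that data has been acknowledged; HR role-change
and leaver events drive review and de-provisioning automatically.

Added example, not the article's or any vendor's own code. The role model,
policy names and event shapes are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed role model: entitlements per role, and for each sensitive
# entitlement the policy that must be acknowledged before it is granted.
ROLE_ENTITLEMENTS = {
    "ward_nurse": {"clinical_notes", "medication", "rota"},
    "receptionist": {"appointments", "demographics"},
    "porter": {"rota"},
}
POLICY_FOR = {
    "clinical_notes": "IG-confidentiality",
    "medication": "IG-confidentiality",
    "demographics": "IG-data-protection",
}

@dataclass
class Account:
    user: str
    role: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)
    acknowledged: set = field(default_factory=set)  # policies read and confirmed
    pending: set = field(default_factory=set)       # entitlements awaiting attestation

class Directory:
    """Minimal stand-in for the identity store the workflow provisions into."""

    def __init__(self):
        self.accounts = {}

    def _reconcile(self, acct):
        """Align entitlements with the current role; gate sensitive ones on attestation."""
        wanted = ROLE_ENTITLEMENTS.get(acct.role, set())
        acct.entitlements &= wanted            # revoke what the role no longer needs
        acct.pending = set()
        for ent in wanted:
            policy = POLICY_FOR.get(ent)
            if policy is None or policy in acct.acknowledged:
                acct.entitlements.add(ent)
            else:
                acct.pending.add(ent)          # held back until the policy is acknowledged

    def apply(self, event):
        """Consume one HR event of type hire, role_change or leave."""
        kind, user = event["type"], event["user"]
        if kind == "hire":
            acct = self.accounts[user] = Account(user=user, role=event["role"])
        elif kind == "role_change":
            acct = self.accounts[user]
            acct.role = event["role"]
        elif kind == "leave":
            acct = self.accounts[user]
            acct.enabled = False               # leaver: disable and strip everything
            acct.entitlements.clear()
            acct.pending.clear()
            return acct
        else:
            raise ValueError(f"unknown HR event type: {kind}")
        self._reconcile(acct)
        return acct

    def attest(self, user, policy):
        """Record that the user has read and confirmed a policy, then re-run the gate."""
        acct = self.accounts[user]
        acct.acknowledged.add(policy)
        self._reconcile(acct)
        return acct

def snapshot(label, acct):
    return (label, set(acct.entitlements), set(acct.pending), acct.enabled)

def run_scenario():
    """Constructed walk-through: joiner, attestation, mover, leaver."""
    d = Directory()
    steps = []
    steps.append(snapshot("hired", d.apply({"type": "hire", "user": "jsmith", "role": "ward_nurse"})))
    steps.append(snapshot("attested", d.attest("jsmith", "IG-confidentiality")))
    steps.append(snapshot("moved", d.apply({"type": "role_change", "user": "jsmith", "role": "receptionist"})))
    steps.append(snapshot("left", d.apply({"type": "leave", "user": "jsmith"})))
    return steps

if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Two design points carry the article's argument. The gate is re-evaluated from the role definition on every event rather than granting and revoking piecemeal, so a mover loses the old role's entitlements in the same step that the new role's are assessed, and an entitlement whose policy has not been acknowledged (demographics after the move, in the scenario) stays pending rather than being granted by default.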
All NHS trusts acknowledge the need to protect sensitive patient data, and are mandated to do so. To ensure that people continue to 'trust the trust', it is vital that proper attention is paid to Information Governance processes and practices, so that a trust can demonstrate that the appropriate people have access to the appropriate data when they need it, and that they understand the responsibilities placed on them.
David Mount is UK technical director of NetIQ