Health data security: a question of cost
17 July 2016
Data sharing is not only essential to the delivery of high quality healthcare services now, but is also core to driving the innovations and improvements needed for a modern and sustainable health system in the future.
However, UK data use in healthcare still lags behind many other sectors, with a previous attempt to underpin a digital health service, the infamous care.data, being largely unsuccessful due to a major failure to win the public’s trust, as well as the support of many doctors.
It is against this backdrop that the recent review of Data Security, Consent and Opt-Outs, by the National Data Guardian for Health and Care (NDG), makes recommendations to the Secretary of State for Health, aimed at:
- Strengthening the safeguards for keeping health and care information secure
- Ensuring the public can make informed choices about how their data is used
Last week we set out our views on the shortcomings of using new consent models, which would allow people to opt-out of their personal confidential medical data being used for purposes beyond their direct care, as a stopgap solution to address the lack of trust so desperately needed. In short, by focusing on a mechanism for opt-out rather than addressing more specific concerns, public and policy makers may avoid a transparent discussion about their expectations of our future health system and the role health data will play in it. Instead of improving trust, this could increase people’s concerns about data and actually reinforce the perception that any trust in NHS data handling is unjustified.
By contrast, the series of proposals on strengthening safeguards for data security are, in our opinion, timely and robust and seem to strike a proportionate balance between ensuring security and not hindering the delivery and development of care. As well as ensuring that the NHS’s digital infrastructure and technologies are up-to-date and fit for purpose, enacting the recommendations on safeguards will be a vital step in reassuring patients that the NHS is competent at handling their data.
Strengthening data security
The review proposes nine recommendations which focus on security, standards and sanctions. These recommendations seek to hold data users, providers and institutions to account in a variety of ways: healthcare professionals will be provided with tools to support them to adopt high security standards and to foster sharing of good practice; healthcare organisations are urged to undertake good housekeeping of their systems to identify vulnerabilities, improve data security, and to audit their practice.
Involving other regulators to develop coherent and consistent approaches will be vital in order to avoid inconsistent requirements and unnecessary duplication of effort
Also welcome, is the commitment to put harsher sanctions in place where malicious or intentional data security breaches occur – a proposal that was made by the Nuffield Council of Bioethics in their report The collection, linking and use of data in biomedical research and healthcare: ethical issues – which has recently gained increasing traction. What is unclear is whether the recommendations of the new Review will go as far as the proposals from the Nuffield Council, which suggested that those sanctions should be available in the absence of demonstrable harm to the individual – that is, even where there is potential for harm, as opposed to only when such harm can be shown to have actually occurred.
Mandating these requirements both through this Review and the associated CQC recommendations will help Trusts and CCGs to prioritise policy development and investment in these areas. In doing so, involving other regulators to develop coherent and consistent approaches will be vital in order to avoid inconsistent requirements and unnecessary duplication of effort.
People, processes and technology
When data breaches do occur, the Review found that they are primarily because of problems involving people, processes or technology. In most cases the breaches are unwittingly facilitated by the behaviour of healthcare employees who, although motivated to provide the best quality care to patients, are working with inadequate or even obsolete technology and burdensome processes. Clunky data security processes, unencrypted devices, and unsupported software systems are rife in our health system and are compromising security. In fact, there are instances when defying security protocols is the only option to treat patients in a timely manner. The Review rightly emphasises that strong leadership is essential to address all three themes and ensure that:
- People are equipped to handle information safely
- Processes - support rather than hinder staff and proactively prevent data security breaches
- Technology is adequate, secure and up-to-date
The genomics perspective
Our joint report with the ACGS, Data sharing to support clinical genetic services stresses the importance of strong leadership in order to deliver the technology infrastructure and support that will empower the clinical genetics workforce to deliver the best possible services for patients. Two surveys we conducted jointly with the ACGS of professionals across clinical genetics laboratories found that technical challenges and resource limitations were significant barriers to the sharing of genomic variant data – an essential element for the safe and effective delivery of patient care.
Specifically, the processes for curating data are not adequately resourced making the task time-consuming and cumbersome. This issue is further compounded by the absence of a clearly designated and supported NHS database into which laboratories can deposit data. Again echoing the findings of NDG’s review, the consistent response from professionals to the two surveys and workshop consultations was that if processes were simplified and appropriate safeguards put in place, then data sharing practice would improve accordingly.
So, whilst the security elements of the NDG’s Review seem a considered and reasonably comprehensive set of proposals, with enough clout to motivate change, achieving the fundamental improvements in digital and data infrastructure will ultimately require resources to be made available. In the case of genomics services, this means urgent support for data sharing processes including a single, sustainable NHS database – one with long-term, stable funding to support both initial creation and ongoing maintenance.