Patient Information Security

Transcription

1 Patient Information Security An overview of practice and procedure UK CAB Meeting 13th April 2012 Nathan Lea Senior Research Associate CHIME, UCL

2 Overview - Questions that have been asked What happens to information collected about me, who has access to it and how is it used? How is it protected? Further information

3 What happens to information collected about me, who has access to it and how is it used? Information is collected about you to provide care services and support care decisions includes demographic information, lab results, co-morbidities De-identified clinical information valuable for research Also informs: population health surveillance (including condition prevalence) healthcare policy and strategy commissioning of services Background

4 How is information protected? Core principle across both clinical care and secondary use environments This involves: Development of Information Security Policy Risk Assessment and Analyses Applying protection mechanisms in practice

5 Information Security Policy Defines management and user responsibilities Guidelines on how to handle information securely (based upon mitigation strategies) Most highly regarded international standards - the ISO Series Several guideline documents that offer additional guidance within the NHS Information Commissioner's Office - data sharing agreements

6 What do policies contain? 1. Introduction and Background Details of Organisation handling information 2. Organisations, Members, Service providers and Resources Involved with the Project (plus details of any data sharing agreements) 3 Risk Assessment and Analysis 4. Activities and Stipulations for Securing Asset Use

7 3 Risk Assessment and Analysis Identification of information assets (records, databases, servers, disks etc.) Vulnerabilities - weaknesses of the assets exposed when used (portability, accessibility, value...) Threats - aspects that can exploit a vulnerability to attack an asset Risk assessment - the likelihood that a threat exploits a vulnerability against the potential impact... Defines a mitigation strategy to protect resources

8 Assets,Threats,Vulnerabilities and Mitigation Public Health Health Protection Agency De-identification Asset: Records, databases, servers Encryption NHS Care Provision Authentication Asset: Backup Theft of hardware/ storage media Antivirus Firewall Credentials from privileged users Worms/ viruses TRAINING Accidental disclosure External attackers (hacker, privacy advocate, media) TRUST Research Authorisation

9 Other policy details and security management Important to use forums within an organisation to develop policy (Information Security Management Forum) user engagement ensuring that they know what is in a policy and are engaged management is committed making sure good training is available Reducing the chance that information assets are compromised is key Frequently reviewed and updated security procedures and policy management help make it far less likely that information is compromised

10 Further thoughts - the nature of Security... Requirements change and evolve new technology more detailed information more readily available Other bodies decide whether information should be shared Ethics Committees National Information Governance Board (NIGB)

11 Further Information NHS Connecting for Health (CfH) Care Record Guarantee - NRES - NIGB - ICO - ISO Series - Introduction - and Wikipedia link

12 Thank you! Nathan Lea