Patient Information Security
An overview of practice and procedure
UK CAB Meeting, 13th April 2012
Nathan Lea, Senior Research Associate, CHIME, UCL

Overview - Questions that have been asked
- What happens to information collected about me, who has access to it and how is it used?
- How is it protected?
- Further information

Background
What happens to information collected about me, who has access to it and how is it used?
- Information is collected about you to provide care services and support care decisions
  - includes demographic information, lab results, co-morbidities
- De-identified clinical information is valuable for research
- Also informs:
  - population health surveillance (including condition prevalence)
  - healthcare policy and strategy
  - commissioning of services

How is information protected?
- Core principle across both clinical care and secondary use environments
- This involves:
  - Development of Information Security Policy
  - Risk Assessment and Analyses
  - Applying protection mechanisms in practice

Information Security Policy
- Defines management and user responsibilities
- Guidelines on how to handle information securely (based upon mitigation strategies)
- Most highly regarded international standards - the ISO 27000 Series
- Several guideline documents that offer additional guidance within the NHS
- Information Commissioner's Office - data sharing agreements

What do policies contain?
1. Introduction and Background
   - Details of Organisation handling information
2. Organisations, Members, Service providers and Resources Involved with the Project (plus details of any data sharing agreements)
3. Risk Assessment and Analysis
4. Activities and Stipulations for Securing Asset Use

3. Risk Assessment and Analysis
- Identification of information assets (records, databases, servers, disks etc.)
- Vulnerabilities - weaknesses of the assets exposed when used (portability, accessibility, value...)
- Threats - aspects that can exploit a vulnerability to attack an asset
- Risk assessment - the likelihood that a threat exploits a vulnerability against the potential impact...
- Defines a mitigation strategy to protect resources

Assets, Threats, Vulnerabilities and Mitigation
[Diagram. Labels: Public Health; Health Protection Agency; De-identification; Asset: Records, databases, servers; Encryption; NHS Care Provision; Authentication; Asset: Backup; Theft of hardware/storage media; Antivirus; Firewall; Credentials from privileged users; Worms/viruses; TRAINING; Accidental disclosure; External attackers (hacker, privacy advocate, media); TRUST; Research; Authorisation]

Other policy details and security management
- Important to use forums within an organisation to develop policy (Information Security Management Forum)
  - user engagement, ensuring that users know what is in a policy and are engaged
  - management is committed
  - making sure good training is available
- Reducing the chance that information assets are compromised is key
- Frequently reviewed and updated security procedures and policy management help make it far less likely that information is compromised

Further thoughts - the nature of Security...
- Requirements change and evolve
  - new technology
  - more detailed information more readily available
- Other bodies decide whether information should be shared
  - Ethics Committees
  - National Information Governance Board (NIGB)

Further Information
- NHS Connecting for Health (CfH) - http://www.connectingforhealth.nhs.uk/
- Care Record Guarantee - http://www.nigb.nhs.uk/pubs/nhscrg.pdf
- NRES - http://www.nres.nhs.uk/
- NIGB - http://www.nigb.nhs.uk/
- ICO - http://www.ico.gov.uk/
- ISO 27000 Series - Introduction - http://www.27000.org/index.htm and Wikipedia link http://en.wikipedia.org/wiki/iso/iec_27000

Thank you!
Nathan Lea
n.lea@ucl.ac.uk
www.ucl.ac.uk/chime/people/lean