Healthcare related data is 20 times more valuable to hackers than financial data. Therefore, measurements need to be taken to safeguard privacy straight from the point of design of systems, procedures and data exchanges that involve the use of medical information. In my presentation about the safety of healthcare data I explore steps that can be taken to safeguard information within the UK's National Health Service and other private healthcare providers.

1. Health Data – Is it safe?
A practitioner’s view of data
governance in the modern NHS
10th December 2015
Head of Information Governance and
Assurance
NHS Healthcare Trust

2. Disclaimer
The views expressed at this event are solely
my own and they do not represent in any
form the views of my employer.

3. Some questions to start
• How many of you had any interaction with the NHS over the last 6
months?
• Have you ever received a letter meant for another person?
• Do you trust your healthcare provider with your personal data?

4. Trust in healthcare
• Which websites do you use to research medical
conditions?
• Write down 5 websites that you trust when
looking up medical conditions or treatments.
(not healthcare management or health IT related
subjects)

5. Trusting information published online
Top 5 popular UK websites
1. 2.
3. 4.
5.
Popular healthcare websites
1. 2.
3. 4.
5.
Patient.co.uk
netdoctor
Choices
H e a l t h
Sources: Lexiconnect, Alexa and others

6. What to look out for with online
healthcare advice?
Reliability
Credibility
TransparencySecurity
Integrity

7. Personal experiences
The Beissers
Christmas 2014
Magstadt

8. How does the NHS keep patient data safe?
• Healthcare professionals (in general) want to make patients
better and do things correctly
• We are in business of treating patients and not sharing data
for profit
• Seeking consent before sharing data
• Policy and governance frameworks in place to comply with
legislation
• Mandatory IG training programmes
• Use of electronic systems to reduce the amount of paper
being used
• Boards are getting more and more interested in IG and Cyber
Security

9. Information Governance -
What is it all about?
Only one piece of the bigger puzzle
– Data is
• everywhere
• Inconstant
• Incorrect
• Duplicated
• Outdated
• In the wrong place
• With the wrong person
• Stuck together, in silos, not fit for purpose?

10. Information Governance in the NHS
• A set of best practice guidelines around the way the NHS
receives, stores, handles, shares, archives and destroys
information about patients, staff and contracts.
• Data Protection Act 1998 and other NHS specific legislation
such as the Care Act 2014, Health and Social Care Act 2012,
Health and Social Care (Safety and Quality) Act 2015
• Links Clinical Governance to data processing and sharing
• Caldicott Principles
• Part of Trust’s Governance Framework

11. The NHS Information Governance Toolkit
• Self-assessment of implementing good information
management and governance principles
• Aligned to ISO 27001/2 standards tailored for health, social
care sector and organisations working with them
• The outcomes and benefits depend on what you put into the
tool
• Internal / external audit
(outside review is important)
• Knowledge management system:
Used correctly it is an important
pillar in your organisation's
governance framework

12. Caldicott 2
At the heart of managing data
• Don’t keep data for yourself – share it when appropriate
• Think about the bigger picture
• How will your client receive care without the relevant data?
• Sharing all the data just because it is easier?
• How often do you talk to your Caldicott Guardian?
• Do you know your counterparts in the organisations that you
share data with?
• Are you involving the patient in making decisions about sharing
their data?
• Do your service users know what you are talking about? Do
they understand what happens with their data?
• The 7th Caldicott principle is not an excuse for sharing data
without any controls

13. EPR –
Do they fix our data governance problems?
• Electronic Patient Record systems are an important tool
• Assist and support healthcare providers to provide safe care
• Link in with POC devices
• Assist in sharing data safely (i.e. eDischarges)
• Reduced amount of paper records?
• All the data in one place
• Data extraction with ease
• Pseudonymisation of data to support research
• Access control and third party access
• Subject Access Requests (who has accessed my data?)

14. The Internet of Things
Source: Dr Prasad Bhave (2015), https://clinicalscientist.wordpress.com/tag/healthcare-it/

15. The Internet of Things and its
privacy concerns

16. Medical Devices
Source: Massachusetts Institute of Technology (2015), groups.csail.mit.edu

17. Do you trust your medical device?

18. Mobile Apps – Are they medical devices?
• Apple’s App store contains
> 1,000,000 apps(32,000 lifestyle & 25,000 medical apps)
Source: http://148apps.biz/app-store-metrics/?mpage=catcount
• Medical Devices Directive (93/42/EC):
– software and applies to…diagnosis, prevention, monitoring, treatment or
alleviation of disease…(and other activities)
– Apps are active medical devices if they meet medical device definition
– Prescriptive advice on Class
– Key concept is intended use
• Misleading & Comparative Advertising Directive (2006/114/EC):
– Benefits can only be advertised if evidenced

19. Medical devices – other things to consider
• Who owns the data generated by medical devices?
• How do we integrate this data into the care record?
• Deprivation and social inclusion
• Patient managed records
• Online access to patient records
• Where is the data stored?
• Safe Harbour Agreement
(European Court of Justice Ruling)

20. BOYD - Bring your own disruption
• Risks and Benefits – Things to consider:
– Reduced costs in purchasing device
– Management of device (who controls what software is installed?)
– End-user support
– Patch Management
– Data leakage
– Separation of work and private usage
– Antivirus and Firewall software
– Device encryption
– Remote device control (if device is lost or stolen)
– Data Management (remote data access; no local data storage)
– Review existing corporate policies
• Use training and awareness programmes to empower staff.

21. Health and Social Care Integration
• NHS Bodies and Local Authorities Partnership Arrangements
Regulations 2000
• Pooled budgets underpinning the Better Care Fund
• Care Act 2014 is the legal framework that support the sharing
of services between the NHS and local authorities
• Safer care outside hospitals in the community sharing scares
resources (reducing duplicated visits; sharing workload and
responsibilities)
• Information Governance plays a big part in making the
integration across diverse organisations as success

22. A practical example
Connect Care - Lewisham and Greenwich NHS Trust
For more information see http://www.lewishamandgreenwich.nhs.uk/connectcare

23. Data sharing agreements:
dynamic instead of static sharing
• Data sharing has involved over the last couple of years
• Requirements for the use of data across organisational
boarders
• Data changes rapidly: As soon as it is shared; it may be already
out of date
• Integrating care across care domains requires flexibility and
rapid adaptation to changes in patient’s conditions and care
provision.
• Funding is limited and budgets coming under constant
scrutiny
• Are you involving data subjects in how you are sharing their
data?

24. Data governance -
How to deal with inaccurate data?
• Expect that errors will happen
• Map the flow of information
• Plan on how to deal with these error before they happen
• Include governance in the design of your pathways, systems
and processes
• Include partners straight away when you discover errors;
inform them of incidents
• Talk to the patients and carers affected:
Duty of Candour
• Don’t hide them away or think that somebody
else will deal with them

25. The national data guardian:
Can everything be dealt with on a national level?
• National guidance and baselines
• Citizens should be able to expect basic compliance with data
protection principles
• Is the Data Protection Act 1998 still fit for purpose?
• The European Data Protection Directive will bring
changes
• Local adaption of good practice; learning from others
• Data will need to be shared between providers
if we want to provide safe and effective care
• Commissioners will need to work with
providers and vice versa: Money is limited and
does not grow on trees

26. What can the NHS learn from other
countries?
• Singapore
• China
• Indonesia
• South America and Australia
• Germany

27. The crystal ball:
What will the future hold for the NHS?
• Less paper and more electronic systems
• Integrated care pathways (across acute, mental health and
social care)
• Shared funding
• Patient controlled records
• Mobile health initiatives will show benefits of the managing
long-term conditions
• Expert patient programmes
• Social inclusion
• Privatisation and PFIs?

28. Information Governance in healthcare -
What to look out for?
• Change will happen – be prepared for it
• Patients are using social media
Does your organisation?
• Include data privacy at the outset of all
projects
• Commissioners will take their business to
another provider if your organisation reports
regular data breaches
• Private providers may provide services
cheaper; but will they be any better?

29. Summary
• The Data Protection Act 1998 is not a barrier to share data
• Be open about how you use and share your clients’ data
• It could be your data that is used inappropriately
• Listen to concerns
• Use and share data with the consent of the data subject in
mind
• Think about the consequences of your organisation’s actions
• Talk and consult with your stakeholders and experts in partner
organisations
• It is not about you or your organisation. It is about the patient.

30. Alex Beisser
www.beisser.info alex@beisser.info alexbeisser beissera

31. 31
New Year’s resolution #1:
Be safe online!