Safe Data, Safe Care - Care Quality Commission


Safe data, safe care
Report into how data is safely and securely managed in the NHS
July 2016

The Care Quality Commission is the independent regulator of health and adult social care in England.

Our purpose
We make sure health and social care services provide people with safe, effective, compassionate, high-quality care and we encourage care services to improve.

Our role
We register care providers. We monitor, inspect and rate services. We take action to protect people who use services. We speak with our independent voice, publishing regional and national views of the major quality issues in health and social care.

Our values
Excellence – being a high-performing organisation
Caring – treating everyone with dignity and respect
Integrity – doing the right thing
Teamwork – learning from each other to be the best we can

Contents
Foreword 2
Summary 4
Introduction 6
How we carried out the review 7
Findings 10
Recommendations 25

Foreword

Good information underpins good care. Patient safety can only be assured when information is accessible, its integrity is protected against loss or damage, and confidentiality is maintained.

Data security should be treated very seriously. It has been an issue of national concern in the health sector for some years, but has now been pushed to the forefront of the public’s attention by a number of recent, high profile data breaches.

Reflecting the importance attached to data security, the Secretary of State for Health asked CQC to do two things:

1. Review the effectiveness of current approaches to data security by NHS organisations when it comes to handling patient confidential data, and make recommendations on how current arrangements for ensuring NHS providers protect personal data could be improved.

2. Make recommendations about how the new guidelines (published by the National Data Guardian, Dame Fiona Caldicott) can be assured through CQC inspections, NHS England commissioning processes, and any other potential mechanisms.

The National Data Guardian was asked, as one aspect of the CQC-led review, to develop new data security standards that can be applied to all health and care organisations and, with CQC, to develop a method of assuring these new standards, as appropriate. Dame Fiona Caldicott was also asked to make recommendations on a new consent model for sharing patient information; informing the public how their data will be used and when they can opt out.

In our review, we found that across the NHS there is widespread commitment to keeping data secure, but effective action is not always being taken where necessary. While data, for the most part, is generally treated safely, NHS organisations remain vulnerable to potential risks. We are clear that present data security systems and processes need to be continuously and actively reviewed so that they are resilient to current and future risks.

We have been reassured to find, through this work and data recorded by the Health and Social Care Information Centre, that there have been very few attacks on health information systems. Those that have occurred have targeted financial, not patient, data. In addition, the total number of reported data breaches is proportionately very small: there were 533 in the year to 31 May 2015, in the context of 6.5 billion data transactions (excluding paper transactions) across the whole NHS network in the same period.*

Even so, the review has found many instances of poor practice, any of which could have led to a data breach.

Complacency cannot be afforded. As confidential data is held and accessed in fresh ways through new technology, the risks change and so must the response if both security and public trust are to be maintained.

NHS organisations must take steps to understand their individual exposure to risk, and act to reduce it as a matter of priority.

There is a real need for the leadership of NHS organisations – from the lead partner in a small GP or dental practice to the chief executive and the board of a hospital trust – to prioritise the safety and confidentiality of personal data, and ensure that the security of data systems is proactively and regularly tested. Having the right policies in place is not enough – policies must be tested, much like the frequent checks of fire alarms and practising the full evacuation of a building. The leadership of all NHS organisations needs to demonstrate clear ownership and responsibility for data security, just as they should for clinical and financial management and accountability.

Importantly, there should be no conflict between protecting and sharing data. While data must be handled securely, safety barriers must not prevent information from being shared.

We are very grateful to all those who enabled us to conduct this review – we visited 60 NHS sites across England, and staff at all levels in those organisations gave their time to help us gather the data on which our work here is based. The generosity shown by healthcare staff, who shared their experiences and concerns, not only helped us in this piece of work – it will also enable the entire system to learn from their insights and so improve.

David Behan
Chief Executive

* All transactions across the NHS Spine, including 465 million NHS staff accessing and recording patient data, 193 million choose and book or e-referral transactions by patients.

Summary

This thematic review of data security was conducted to establish whether personal health and care information is being used safely and is appropriately protected in the NHS.

The review focused on patient data in the NHS (we were not asked to include providers of adult social care). We did not look at other areas of sensitive information such as HR or finance. We also excluded a detailed examination of IT systems, which was the subject of separate work carried out by the Health and Social Care Information Centre (HSCIC).

Data security, in this review, is defined as:

• Availability – how patient information is available to all those who need it to provide care where and when it is needed.
• Integrity – how patient information is protected from unauthorised alteration, damage and loss.
• Confidentiality – how patient information is kept confidential: safe from access by those without authorisation to read, see or hear it.

We gathered the evidence for this review by conducting staff interviews, observing practice and examining documentation in NHS hospitals, GP surgeries and dental practices. We also asked staff in the sites we visited to take part in a confidential online survey, reviewed relevant literature, consulted an expert panel of stakeholders and talked to individual experts in the field.

Common to all sectors and sizes of organisation was the range of human behaviours that could inadvertently lead to data breaches. As an example, a large hospital with diverse systems faced more difficulties than single-handed GPs, who were only working with a single system and were therefore less likely to have to log in and out of different systems to complete a single task. As a result, such a GP practice was less likely to invent the kind of insecure workarounds that we found in emergency care in large hospitals. However, some small primary care practices were working with outdated, unsupported technology, and did invent their own insecure workarounds in response to the challenges they faced, for example, taking home a system back-up in their bag, instead of backing up to a secure cloud (network of servers) or other secure mechanism.

Key findings

In the NHS organisations we reviewed, we found:

• There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
• Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.

• The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
• Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them.
• Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
• The use of technology for recording and storing patient information away from paper based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
• Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good timely care to patients – this issue was especially evident in emergency medicine settings.
• As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.

Successful data security demands engaged leadership and a culture of learning and sharing. Senior leadership teams must take data security seriously and ensure clear responsibilities for all members of staff.

The recommendations set out in our report are detailed and apply to all health care settings. They can be summarised as follows:

• The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.
• All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
• IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.
• Computer hardware and software that can no longer be supported should be replaced as a matter of urgency.
• Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.
• CQC will amend its assessment framework and inspection approach to include assurance that appropriate internal and external validation against the new data security standards have been carried out, and make sure that inspectors involved are appropriately trained.

Introduction

Information, whether in paper or digital form, is critical to NHS patient care. The reason NHS organisations need to gather and hold information is to use it – both to treat and care for patients, and to improve the quality and efficiency of services.

Using information so that patients get the best care possible means sharing it with staff and with other providers of care (for example, an ambulance crew, a local GP, a care home or a specialist in another hospital).

When patient information, such as medical history, is not available to healthcare professionals, delays in treatment can occur. It is, therefore, vital that information systems ensure that patient information can be shared quickly, reliably and securely.

The use of technology for managing patient data is growing. But without robust processes and adequate IT systems, the integrity of information will be at risk of being compromised by unauthorised parties, it may not be accessible where or when needed, and it may not be kept confidential.

The financial cost of data breaches can be substantial and often more costly than prevention. In one such breach, arising from a web link in an unsafe email, the cost of repair to a hospital trust reached over £700,000. While some financial institutions set aside money to recover from data breaches, the NHS covers such incidents with funds intended for patient care and healthcare improvements. The cost to patient privacy and consequent loss of public trust can also be very substantial.

In line with our purpose to make sure care services provide people with safe, effective, compassionate, high-quality care, and to encourage improvement, the Secretary of State for Health asked CQC to review the effectiveness of current approaches to security by NHS organisations when it comes to handling confidential patient information. We were asked to make recommendations on how current arrangements can be improved and how new standards set by the National Data Guardian can be assured through CQC inspections, NHS commissioning processes and any other potential mechanisms.

This study provides a picture of the way in which NHS organisations approach the issue of data security.

In relation to data security, we have identified good practice, explored challenges in the NHS, and recommended how barriers to achieving excellence can be overcome.

The agreement from selected providers to participate in this review was invaluable in allowing it to be carried out within the timescale required. All were offered support by the Health and Social Care Information Centre (HSCIC) to make improvements where opportunities for doing so were identified. We have not attributed any findings to individual providers in this report and our findings do not contribute to the future ratings of any participating organisation.

How we carried out the review

We carried out the review between October and December 2015. The fieldwork was conducted by the Health and Social Care Information Centre (HSCIC) and its contractor, QinetiQ (a specialist in data security).

We identified 60 NHS provider sites across England to be included in the review, covering NHS trusts, independent GPs and dental practices, as well as GPs and dental practices that are members of large networks. We ensured that the sample was balanced by sector, size of organisation, the information we held through our existing inspections, and geography. We excluded providers that were undergoing comprehensive or responsive CQC inspections at the time of the review, to avoid interfering with CQC’s ongoing programme of inspections. The sample consisted of:

• 18 NHS trusts:
  – Acute trusts (8)
  – Mental health trusts (4)
  – Community trusts (4)
  – Ambulance trusts (2)
• 22 GP practices
• 20 dental practices.

The GP practices we visited included those using a range of the most common IT systems. The dental practices included independent providers and those who were part of a group or chain.

All sites were checked against HSCIC records to see whether they had potentially been exposed to a particular cyber vulnerability in 2015. We used this measure to ensure that we included both sites that had been affected and those that had not.

Between 9 and 21 November 2015, research teams visited 60 NHS sites and conducted interviews and focus groups with more than 200 members of staff. They also explored how systems were used to store, access and share patient confidential data without compromising security.

The review focused on patient data in the NHS (we were not asked to include providers of adult social care). We did not look at other areas of sensitive information such as HR or finance.

The teams reviewed documents relevant to each organisation’s data security, such as plans, policies, training materials, audits of data security, records of breaches, records of follow up and patient leaflets. They also observed what staff did and how it could affect data security to corroborate the evidence gathered.

The research teams typically consisted of a technical expert from HSCIC, and an expert in workplace behaviour and its effect on data security from QinetiQ. Some visits also included a member of the CQC project team.

In addition, we collected data from an online survey conducted by QinetiQ. This survey probed the extent to which staff understood their responsibilities for data security, their knowledge of policies and procedures, whether they had ever been put under pressure to break procedure, if they had witnessed any data security breaches, if they knew how to raise concerns, and the extent to which they felt confident in reporting concerns to senior management.

We also took part in a number of evidence sessions organised by the National Data Guardian team. This included one on the patient’s perspective, and one that discussed the nature of recorded data security breaches in the NHS to date. We have used the findings from those sessions to inform our work and this report.

The review was shaped and supported by an expert reference group in September 2015, after which members of the group offered advice on the research assessment framework. The group reconvened in mid-December at a symposium jointly held with the National Data Guardian to test respective findings and explore recommendations.

As the technical experts in this field, HSCIC worked closely with CQC to shape the research, ensuring that the assessment framework drew on the requirements of the Information Governance Toolkit (IG Toolkit) and the Cyber Essentials Scheme.

INFORMATION GOVERNANCE TOOLKIT
The IG Toolkit is an online system that allows organisations to assess themselves, or be assessed, against information governance policies and standards. It also allows members of the public to view participating organisations’ IG Toolkit assessments.

CYBER ESSENTIALS
The Cyber Essentials Scheme has been developed by Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats, within the context of the Government’s 10 Steps to Cyber Security. And through its assurance framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

Our review also built on existing literature on data security and the findings from work conducted by HSCIC in 2014 (unpublished). The report included formal testing of NHS data systems to the extent to which unauthorised personnel could access secure IT systems physically or electronically.

We also took into account the 2015 Information Security Breaches Survey conducted for the Government by PricewaterhouseCoopers and Info Security Europe across private and public sector organisations in different fields, Ponemon Institute’s work from 2012, which looked at the human factor in data protection, work by the Information Commissioner on past data breaches and their origins in the NHS, and previous work carried out by QinetiQ.

We have sought to build on existing findings, adding new material to the growing body of knowledge. In particular, we have examined the managerial and organisational arrangements for data security, and the interaction between staff behaviours and data system design and operation.

Assessment framework

We used a detailed assessment framework to structure the interviews and discussions with staff. It was informed by, and linked to, the IG Toolkit.

Our assessment was structured around three key questions.

1. How w

