Colin Tankard
Managing Director, Digital Pathways
Colin is the MD of Essex-based Digital Pathways, which over the 20-plus years of its existence has established itself as a major force in digital security. In recent times Colin has provided security solutions for local authority social services departments, NHS trusts, and a broad range of public and private bodies and organisations
Who was it that said “knowledge is power”? Well, knowledge is certainly essential for any 21st-century practice manager when it comes to having full control over the digital systems that are the backbone of the running of a modern practice. One of the fundamental requirements of a surgery’s network system is the ability to conduct a full audit. And that ability can be summed up in the word “knowledge”.
The word “audit” usually refers to financial scrutiny, but in terms of digital security it means the ability to fully review a system and its history. A comprehensive audit guarantees that a system is free of problems, glitches or invasive activity. This process also allows for regular updates and other improvements. This is also the point at which systems can be checked and double-checked for compliance, both with legal requirements and the best practice guidelines laid down for use in the NHS IG8 Toolkit.
A very important element associated with an audit is the ability to track the use of data: who has viewed or used which data and when; were they authorised to do so, and what actions did they take thereafter? These are the key areas that any data breach investigation would look at, so they need to be logged and securely stored to prove all procedures were complied with. This log data will be generated by applications or the computers in the network, and will show every event that happened.
So, for example, when a patient record is opened the log will give the time, date and the name of the person that opened the record; this would be one log. The next log might indicate a change being made and possibly the final log would be when the record was closed. These logs can be merged together to give a full picture of what goes on in the network and can provide an early warning of system issues before they become critical or fail. Hence it is “good housekeeping” to review these logs on a regular basis and not just when something has
gone wrong.
This tracking process is the information’s life management; it handles, records and manages every single use and application of the system from creation to destruction. This is the practice manager’s best ally; providing the ability to trace every movement from that first patient contact, through consultations with staff at whatever level, external operations such as hospital visits and third-party consultations, through the storage of that data – no matter how extensive and complex – to the ability to review activity, both on a regular basis and under immediate scrutiny, should a query or
problem arise.
Taking care
One word of warning here: as practice manager, you may well be entirely happy to conduct your own audits and be capable of staying on top of the network’s requirements. On the other hand, your system supplier may well offer a security suite as part of their contract with the practice – and in that situation your third-party contractor, who is supplying your patient tracking software, might themselves be the weakest link.
Your data will only be as secure as their own security, and it’s very difficult to double-check their salesman’s assurances. And are you happy that their staff will be able to access every detail of your practice’s patient records? Using a security specialist as well might seem like an unnecessary complication – an extra layer of activity – but doing so certainly ensures best practice. To be absolutely secure I would always advise separating the duties of supply and security.
Another type of third-party contractor that is increasingly being employed is in the use of cloud computing, which processes your data off-site. This can have many advantages, particularly in financial terms, in that a practice does not have to buy and manage its own software, or invest in expensive data storage solutions, and for a practice that operates across more than one geographical location the data can be easily shared. This ease of access and growth capabilities is very attractive, and on the face of it can offer significant cost benefits.
Attractive though cloud computing is, do bear in mind that the “cloud” is not in itself secure. You may receive a guarantee of security from the supplier, but that assurance is worthless – they are, to be honest, not really in any position to make the claim. You will have no idea where in the world your data is being sent or stored, or who is authorised – or able – to view it at the other end. Nor will you know where the keys to your data are. In short, you will be surrendering control. It is essential that your practice’s data are secured at source before data leave your location. This means encryption.
Encryption
Encryption of data is absolutely essential nowadays. Information will be lost or mislaid in even the best-run and best-disciplined environments – usually due to nothing more sinister than human carelessness, which cannot be eliminated entirely in any organisation. But if data are encrypted then the damage is minimised at least, or negated completely at best.
General practice surgeries have always had a moral requirement to safeguard patients’ records, which has become more complex with the introduction of new technology. Just think how long it would take to photocopy a hundred patient records and how obvious the copying would be; then think how long it would take copying it to a USB stick or mobile phone and how discreet that is; there is no comparison. Building encryption into your system is very straightforward and inexpensive; good, solid encryption need cost no more than less dependable applications. There are recognised and respected standards for encryption, and are definitely worth applying to ensure confidence.
Going back to data control, encryption levels will differ at differing levels of responsibility within the practice. The level of encryption protecting the fact that Mrs Smith has an appointment at 10am on Friday need be very low, while the details of what she might be discussing with her GP at that meeting must be on the top level. However, the act of encrypting the data should be transparent to the user and also not affect the application. In this way, the practice decides on what data are sensitive and at what level the protection needs to be set, rather than leaving this to the individual who might have a totally different idea on what is sensitive, and therefore leave this unprotected.
Imagine for a moment a worst-case scenario: explaining to a journalist from your local newspaper or radio station that data have gone missing from your practice. The public reaction and the potential damage to the practice would be on one level if it was unencrypted and could be read by anyone with a PC, as opposed to the alternative situation where, yes, data have been mislaid but the data were encrypted and are of absolutely no value to any third party.
Training
Surgeries may never be as inherently secure as in a commercial environment, simply because they operate in different ways. Digital security will never be up there alongside patient care in a doctor’s list of priorities, and you can be sure that once in a while he or she will open a file on a screen and then just walk away, leaving it for all the world to see. Training will help, but if you have come to practice management from the private sector you may find the lower awareness of security unnerving. Staff – at all levels, GPs included – must be aware of these security issues, and must be educated in best practice.
The British are famously coy about their financial situation.
Despite this, surveys have shown that the British public places the security of their medical details even above financial confidentiality. And, though debate is to be had on this topic, it’s a sensitivity that is entirely understandable. Many insurance companies would dearly like to have greater access to patient’s data, as would fraud investigators from insurers and government bodies such as the Department for Work and Pensions.
IG8 is quite clear though; as responsibilities and financial resources move towards GP surgeries under the recent government initiatives, they are required to guarantee a very high level of security for patients’ confidential information. It’s a considerable responsibility, but one which, with knowledge, practice managers need not find onerous or expensive.