Data security, primary care

Securing patient data in primary care

Alan Hunt of Hytec discusses the issues involved in maintaining the security of the communications infrastructure needed by primary care trusts. He then explains how meeting the security guidelines of the NHS N3 network can help trusts reduce their support costs and offer real benefits to GP practices.

July 2009

It’s not unusual for the Information Commissioner’s Office (ICO) to issue press statements to expose NHS ‘data blunders’, but at the end of April 2009 it felt compelled to do more than that. After six months of taking regulatory action against 14 NHS organisations, including several PCTs for losing patient data, the ICO issued a “stark reminder to NHS bodies on patient records”.

The cases highlighted by the ICO include several that demonstrate carelessness with physical security of data, such as lost memory sticks and laptops that are discarded or stolen. It is vital that PCTs ensure the right physical safeguards are in place — that staff lock their offices, use their security swipe cards, ensure that they encrypt and password-protect data on portable devices and so on.

However, there is another aspect of information security that PCTs must consider: the security of the network. Allowing unauthorised access to PCTs' networks could have far more serious consequences than loss of a physical storage device. While physical break-ins and theft leave obvious signs, a hacker could access an unprotected network and no one would know.

Network security at GP surgeries may be something that PCTs and GPs themselves take for granted. But the evidence is that many practices are connecting to N3 — the NHS broadband network — without putting proper safeguards in place. How can this be?

Applications and infrastructure out of step

The NHS National Programme for IT (NPfIT) is facing a number of difficulties. While some of the system — the N3 network, for example — is in current use by GPs, other parts, such as the rollout of electronic medical records (Care Records Service — CRS), are years behind schedule.

The National Programme was originally designed so that the infrastructure (such as N3, the NHS network) and national applications (like CRS) work together and, in so doing, create a secure environment. The reality today is that GPs are using N3 with local applications, and without extra precautions. Their connections to N3 are not secured, and therefore any patient-identifiable data (PID) held within the surgery is not secure either.

Patient-identifiable data (PID) at risk

GPs using N3 face two main problems. Government guidance states that PID must not be transmitted “in the clear” — in other words, without adequate encryption. Some PCTs may feel safe believing that GPs in their trusts don't use N3 to transmit patient data in the first place. As far as they’re concerned, their GPs stick to traditional courier services when they need to transfer patient records — for example, when a patient moves to a new surgery.

There is a second problem, though: the security of patient data stored 'at rest' on systems connected to N3. Unless the surgery connects through a compliant firewall, PID is at risk wherever a GP surgery stores its patient records on the same local network that it uses to connect to N3.

Taking local control

Local health trusts have far more input to NPfIT than before, which is good news because it means they can take practical steps to address the patient data security issues they are responsible for. And taking the necessary steps to improve security at a local PCT level also creates other positive benefits for patients, GPs and PCTs alike. The technical solution to PCT network security hinges on the use of compliant firewalls at each site that connects to N3.
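As an added illustration, not code from the article or from Hytec, the following Python model shows the decisions such a compliant edge firewall at a surgery would make: nothing leaves the surgery LAN for N3 except over encrypted services, replies to LAN-initiated sessions are allowed back in, and any connection attempt from N3 towards the surgery LAN is dropped, so records held 'at rest' on the LAN are not reachable across N3. The address ranges, port set and sample traffic are constructed for the example and are not real N3 allocations or NHS policy.

```python
"""Zone-based stateful filter policy for a GP surgery's connection to N3.

Added illustration, not code from the article or from Hytec: it models
the decisions a compliant edge firewall at a surgery would make, so that
records held on the surgery LAN cannot be reached from N3 and nothing
leaves the LAN for N3 except over encrypted services. Address ranges and
port sets are constructed for the example, not real N3 allocations.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ranges (RFC 5737 documentation space) standing in for the
# surgery LAN and for hosts reached across N3.
SURGERY_LAN = ip_network("192.0.2.0/24")
N3_SIDE = ip_network("198.51.100.0/24")

# Egress to N3 is only allowed over services that encrypt on the wire
# (assumed set for this example): HTTPS and SSH/SFTP.
ENCRYPTED_EGRESS_PORTS = {443, 22}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    # True when the packet belongs to a session the LAN side initiated
    # (what a stateful firewall's connection tracker would report).
    established: bool = False


def zone_of(addr: str) -> str:
    """Map an address to the zone the policy reasons about."""
    a = ip_address(addr)
    if a in SURGERY_LAN:
        return "lan"
    if a in N3_SIDE:
        return "n3"
    return "other"


def decide(flow: Flow) -> tuple:
    """Return ('allow' | 'drop', reason) for a single flow.

    Rules, in order:
      1. replies to LAN-initiated sessions are allowed;
      2. LAN -> N3 is allowed only on encrypted service ports;
      3. N3 -> LAN connection attempts are always dropped, so records
         'at rest' on the surgery LAN cannot be reached from N3;
      4. everything else is dropped (default deny).
    """
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if flow.established and src == "n3" and dst == "lan":
        return "allow", "reply to a LAN-initiated session"
    if src == "lan" and dst == "n3":
        if flow.dport in ENCRYPTED_EGRESS_PORTS:
            return "allow", "encrypted egress on port %d" % flow.dport
        return "drop", "port %d would carry PID in the clear" % flow.dport
    if src == "n3" and dst == "lan":
        return "drop", "N3-initiated access to surgery hosts is not permitted"
    return "drop", "default deny"


def audit(flows) -> list:
    """Evaluate each flow; return the dropped ones with reasons for the log."""
    dropped = []
    for f in flows:
        verdict, reason = decide(f)
        if verdict == "drop":
            dropped.append((f, reason))
    return dropped


# Constructed sample traffic: a workstation (192.0.2.10), the practice
# records server (192.0.2.20) and two N3-side hosts.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 443),          # HTTPS to an N3 service
    Flow("192.0.2.10", "198.51.100.5", 80),           # plain HTTP: dropped
    Flow("198.51.100.5", "192.0.2.10", 52000, True),  # reply to the HTTPS session
    Flow("198.51.100.77", "192.0.2.20", 445),         # SMB from N3 to the records server
    Flow("203.0.113.9", "192.0.2.20", 22),            # unknown zone: default deny
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DROP %s -> %s:%d (%s)" % (flow.src, flow.dst, flow.dport, reason))
```

Run as a script it lists the three dropped sample flows. The design point is the ordering: the stateful "established" rule comes first so that replies work, the LAN-to-N3 rule is an allow-list of encrypted ports rather than a block-list of cleartext ones, and the final catch-all drop means a surgery that adds a new service gets no exposure until the policy is deliberately changed.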

Improving general practice

Having secure electronic communications allows GPs to share information more efficiently. With the right setup, branch surgeries can share information and doctors will be able to access patient records when away from their desks, allowing them to do paperwork, write reports and referral letters at home. There is a further benefit for PCTs: a secure network allows them to remotely manage and support GPs' IT systems much more efficiently than by visiting individual surgeries, as Kensington and Chelsea PCT found out.

Case study: Kensington and Chelsea PCT

Kensington and Chelsea PCT is responsible for delivering IT services to 44 GP surgeries across its London borough and 15 other primary care sites. As well as being able to save time and money in providing IT support to GPs, the PCT also wanted GPs and practice staff to have remote access to their practice systems.

The PCT implemented a system that complies with the relevant information governance standards from NHS Connecting for Health, and which supports its key requirements, namely:

  • to secure its use of N3 so that GP sites and the PCT can transfer PID securely;
  • to secure GP sites and locally held PID from threats that may exist within N3;
  • to provide support for practice-based commissioning by extending the reach of the PCT Active Directory service into GP sites;
  • to allow PCT technicians and their service partners to provide remote support of the GPs’ ICT systems, including antivirus and software updates; and
  • to support secure, remote backup and restoration of GP data.

GPs in Kensington and Chelsea now enjoy a far more responsive IT support service. They benefit from much quicker IT problem resolution and no longer need to wait for individual engineers to visit their practice to handle antivirus or software updates.

Routine work that used to take hours now only takes minutes, which means that the PCT saves on its IT support budget. Furthermore, the PCT is now able to provide more effective out-of-hours support and less technician travel means a smaller carbon footprint for the PCT.

The PCT serves a highly mobile population — both patients and staff often transfer between practices. Every practice has a standard configuration on its site. The PCT is standardising the infrastructure so if practitioners or nurses move between surgeries they will find the same IT tools wherever they work. This means that staff can maintain their productivity as they move around the PCT.

Fully authenticated and secure remote access is another feature of the PCT environment that enables GPs and practice managers to be more productive. They can now access their desktops and PID from remote locations without security worries. 

The value of high quality patient-held information has never been so important to the NHS. As a result of the project, the PCT is now meeting national NHS targets for the improvement of data quality. Timely access to data is important in supporting many current NHS strategies, including the modernisation agenda, national service frameworks, clinical audit and governance, and clinical and performance indicators.

The system also connects GPs to the centralised PCT community information system. By entering the patient number the GP gets an overview of their patients' journeys through the different services at the PCT.

Summary

Local IT strategies are increasingly favoured over the centralised monolithic approach that the Government has tried in the past. Pursuing a local IT strategy allows PCTs to customise the security solution to meet the needs of their GPs and patients.

PCTs have a responsibility for the security of PID in primary care. They must safeguard patient data in several ways to ensure that it is physically safe when stored locally and that each surgery has a secure connection to the N3 network.

The investment required to implement adequate security across an entire PCT depends on the number of surgeries it has to protect. PCTs can offset the cost by considering the savings that it will make through centralised and remote support, which saves travel time, improves service levels and helps achieve standard IT configurations across the PCT.

The wider benefits of implementing a secure network include improved information sharing for practice-based commissioning and faster access to patient data. As a consequence, PCT and surgery staff are able to spend less time gathering information to ensure targets are met, which means more resources for patient care.

Alan Hunt, Director of information security at Hytec, the infrastructure products and services business of the OLM Group.
