The Go-Between Issue 119 August 2014 Information for Information Users
http://www.bcs.org/server.php?show=ConWebDoc.13667

The Go-Between would like to hear from potential contributors. Articles should be on health informatics related matters and around 250-400 words in length. Copy deadline for Issue 120 is 20 September 2014. For contributions etc. please write to the Editor (address on back page).
____________________________________________________
In This Issue
Diary
Federation for Health Informatics
GS1 Standards
News in Brief
NHSmail 2
Protecting Information On-line
Protecting Personal Health & Care Data
______________________________________________
Protecting Personal Health & Care Data

The Department of Health recently ran a consultation on proposals to introduce tighter controls and safeguards on the use of personal health and care data. Appropriate data sharing offers many opportunities to improve the quality and safety of services, but people have to trust that their information is properly safeguarded. The failure to share information is often cited as a factor in failures of care.

Sharing information is fundamental to the delivery of modern care services but without a clear statutory basis many organisations would be concerned about the risk of breaching confidentiality law and might be reluctant to share data. The 2002 Regulations have provided a statutory basis for sharing information relating to the health of individuals for certain medical purposes, and each purpose has been considered by the Health Research Authority appointed Confidentiality Advisory Group (CAG). CAG provides independent expert advice and each purpose has been agreed by CAG to be necessary, in the public interest and for a care related purpose.

On this statutory basis, local commissioners of care are able to access information about individuals in order to identify care needs, analyse care provision and where the information is confidential patient information to ensure that the access is lawful, despite the duty of confidentiality which applies to the information. However, whilst this has enabled key activity to be carried out, the existing Regulations do not provide either the coverage that is required or the strong controls that should be in place to protect information.

The Information Governance Review recommended that data sets containing confidential personal data, or data that could potentially identify individuals and that need to be linked – for purposes other than patient care – should only be brought together in secure environments known as ‘accredited safe havens’ (ASHs). The vision is that ASHs will provide a secure environment within which data that could potentially identify individuals can be lawfully processed for a limited range of approved purposes, under controls that minimise reliance upon identifiable data and constrain how the data is processed in the ASH.

The Department of Health’s proposed Regulations are intended to cover purposes other than direct care: the minimum necessary level of identifiable information is used to support any particular purpose; there is a clear lawful basis for all uses; and there are robust controls in place to prevent security breaches or misuse of information.

As technology develops and information quality improves, the need for staff to access identifiable information will reduce and opportunities for individuals to exercise control over how information about them is used will increase. Access to data will be more automated so that routine functions, including many commissioning functions, will not require access to identifiable data itself. The Health and Social Care Information Centre (HSCIC) will be the environment for holding identifiable data at the national level with a number of other smaller safe havens able to access identifiable data for these purposes; and consent will be used more widely as the means to share information.

The data that will be used by ASH will be person-level data but the risk of individuals being identified must be minimised; any identifiers not necessary in processing will have been removed (for example names and addresses). In the wrong hands, the individuals could be re-identified. The proposed controls seek to minimise this risk.

The proposed Regulations would set out the broad purposes for which data could be disclosed to an ASH, and for which that data could be used within an ASH. ASHs would be able to link information from more than one source and use it for purposes related to the commissioning and provision of health, public health and social care, but would be limited to the following purposes:
• making the patient in question less readily identifiable from that information;
• conducting geographical analysis;
• analysing differences between population groups;
• validating and improving the quality or completeness of information, or data derived from such information;
• auditing, monitoring and analysing the provision made for patient care and treatment, including outcomes, costs and patient satisfaction;
• understanding and analysing risks to individuals and informing those responsible for their care of the results of that analysis (risk stratification and predictive risk modelling);
• providing those responsible for providing care to an individual with information that might inform or support that care; and
• ensuring that the correct payment is made for care provided (invoice validation).
More Information: https://www.gov.uk/government/consultations/protecting-personal-health-and-care-data
______________________________________________
Protecting Info On-line

The Information Commissioner’s Office (ICO) recently issued guidance: Protecting personal data in online services: learning from the mistakes of others. The ICO has identified eight important areas of computer security that have frequently arisen during investigations of data breaches, which are the focus of this report. The eight areas are:
• Software updates
• SQL injection
• Unnecessary services
• Decommissioning of software or services
• Password storage
• Configuration of SSL and TLS
• Inappropriate locations for processing data
• Default credentials
For each, this guidance provides tips on good practice, which are summarised below.

Software Updates
A software updates policy should be in place for all software used for processing personal data. When there is no compelling reason to delay, security updates should be applied as soon as is practical.

SQL Injection
SQL injection can affect applications that pass user input into a database. This includes many modern websites and web applications. SQL injection presents a high risk of compromising significant amounts of personal data. SQL injection results from coding flaws; organisations should know who is responsible for developing and maintaining code, and for preventing SQL injection or fixing SQL injection flaws if they are found. Independent security testing (penetration testing, vulnerability assessment, or code review, as appropriate) of the relevant sites or applications can provide external assurance. When remediating an SQL injection flaw, use parameterised queries where possible, and ensure that all similar input locations are also checked and remediated where applicable.

Unnecessary services
Completely decommission any service that is not necessary. Avoid high risk services such as telnet.
Ensure that services intended for local use only are not made publicly-available. Use periodic port-scanning to check for unnecessary services which have been inadvertently enabled.

Decommissioning of software or services
Be aware of all the components of a service to ensure that they are all decommissioned. Make a record of any temporary services that will eventually need to be disabled. Thoroughly check that the decommissioning procedure has actually succeeded. Arrange for proper disposal of any hardware, as appropriate.

Password storage
Don’t store passwords in plain text, nor in decryptable form. Use a hash function, and only store the hashed values. The hash function should have appropriate strength to make offline brute-force attacks extremely impractical. Use salting to make offline brute-force attacks less effective. Use a combination of password strength requirements and user-education to ensure that attackers can't simply guess common passwords. Have a plan of action in case of a password breach. This should include how to reset users' passwords in bulk and how to notify them of what has happened and what they need to do about it.

Configuration of SSL and TLS
Ensure that personal data (and sensitive information generally) is transferred using SSL or TLS where appropriate. Consider using SSL or TLS for all data transfer in order to reduce complexity. Ensure that SSL or TLS is set up to provide encryption of adequate strength and uses valid certificates. Consider obtaining an Extended Validation (EV) certificate if assurance of identity is of particular importance.

Inappropriate locations for processing data
Ensure testing or staging environments are segregated from the production environment. Consider segmenting your network according to function and in accordance with your data protection policies. Ensure your network architecture accounts for functions such as backups and business continuity in general.
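The SQL injection and password storage tips above, put together in one runnable sketch. This is an added example, not part of the ICO guidance or of this newsletter; the table layout, function names, sample data and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption for this example: PBKDF2-HMAC-SHA256 as the slow, salted hash.
ITERATIONS = 600_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_store():
    """Hypothetical user table: holds a salt and a hash, never the password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def add_user(db, name, password):
    salt = os.urandom(16)  # fresh per user: equal passwords give different hashes
    # Parameterised query: the values are bound, never spliced into the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))


def lookup_unsafe(db, name):
    """The coding flaw: user input concatenated into the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """The remediation: the same query with a bound parameter."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


if __name__ == "__main__":
    db = open_store()
    add_user(db, "alice", "correct horse battery")  # constructed sample data
    add_user(db, "bob", "correct horse battery")
    crafted = "nobody' OR '1'='1"                   # constructed hostile input
    print("concatenated query returns:", lookup_unsafe(db, crafted))
    print("parameterised query returns:", lookup_safe(db, crafted))
    print("login ok:", verify(db, "alice", "correct horse battery"))
```

With the concatenated query the crafted input matches every row in the table; with the bound parameter it is treated as a literal name and matches none.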
Have policies for how, when and where personal data will be processed. In particular, ensure any web servers are exposing only the intended content. Where necessary, apply specific access restrictions.

Default credentials
Change any default credentials as soon as possible, following good practice on password choice. Ensure that credentials are not hard-coded into any software, or transmitted in plain text.

More information: http://ico.org.uk/for_organisations/data_protection/topic_guides/protecting-personal-data-in-online-services
______________________________________________
Federation for Health Informatics (Fed-HI)

Individuals are personally accountable for their own professional practice and must always be prepared to justify decisions and actions. A professional looks to a professional body for registration, a means of developing skills, a means of recording skills, a means of proving skills, validation, and regulation of that profession. In addition the role of a Professional Body is to:
• provide leadership
• act independently
• represent the profession
• enhance reputation
• provide a knowledge base
• provide professional standards
• support personal development
• provide a code of ethics
• provide a publicly open register
• regulate bad practice.

The existing landscape of national organisations representing Informatics Professionals is characterised by duplication of functions, overlapping roles and responsibilities, organisational rivalries and fragmented leadership. It is estimated that there are approximately 20,000 – 60,000 health informatics professionals but only 4,000 are actively registered. This could be because the purpose and benefits of professional membership are unclear and because of the lack of a clear policy position in respect of professional registration.
There are gaps - the most important being the absence of a voluntary regulatory framework that will ensure not only that the highest professional standards and codes exist but that they are also adhered to in practice.

Federation for Health Informatics
National health informatics professional organisations are working together to ensure consistency in professionalism across all health informatics areas of health. The professional bodies involved are: BCS (Health & ASSIST), IHRIM, UKCHIP, UK Tele-Health & Care, SOCITM, CILIP and the Academy of Medical Royal Colleges. It is also supported by NHS England, HSCIC and the Northern Ireland, Scottish, and Welsh governments.

What is proposed?
The HI-Fed aims to provide clear value propositions for all, a ‘front door’ that supports the individual to join and participate, with simplified membership & fee structure. It is proposed to develop a national public register to provide assurance for employers and patients. It would continue and enhance professional development linked to personal career plans.

Informatics professionals have been let down by the lack of collective national professional leadership. Health Informatics has moved from the back room to mission critical – almost without anyone noticing! Patient data is crucial to safe and effective care, and should, therefore, be looked after by professionals who have signed up to a Code of Ethics and Good Practice. Qualified staff maintaining patient data reduces risk of poor patient care.

The HI-Fed would be free to set standards that best serve patients and the public in collaboration with interested parties. It would provide the single coherent platform and voice to represent the collective views of all health informatics professionals to the public, government, and employers. It would provide objective assurance that contributes to maintaining public trust in the delivery of public services.
The HI-Fed immediate objectives would be to grow the membership, increase influence and build reputation. HI professionals are being encouraged to join the Federation to demonstrate commitment to HI professionalism by placing their name on the National Public HI Register, and to become an active Member of a Professional Body.

More information: http://www.bcs.org/upload/pdf/assist-federationconsultation.pdf
______________________________________________
NHSmail 2

The Health & Social Care Information Centre has written to Trusts to confirm whether the organisation “intends to use NHSmail to meet the secure email standard for Health and Social Care which will come into force in June 2016”. It’s important that you confirm this information so that we can include your requirements in our plans for the transition to the replacement NHSmail service. This email is to:

By June 2016, 100% of email communications made by health and social care organisations will have to meet the secure email standard. HSCIC has suggested that organisations have the following options to meet this requirement:
• Use NHSmail – it already meets the standard and is centrally funded for all organisations that deliver a service to the NHS.
• Upgrade your local email service to meet the secure email standard. This must be done using local budget and resourcing.
• Purchase a hosted email service that meets the required email standard.

Planned improvements to NHSmail include significantly larger mailbox sizes, and the ability to use a sub-domain to create an organisational identity will be addressed with the new NHSmail service.

HSCIC has stated that when the new NHSmail service is delivered (in 2015) organisations will be required to use either NHSmail or their own local system (run to secure email standards), but not both. Organisations that choose to use their own local email service to meet the secure email standard will not receive free NHSmail accounts for their staff.
In parallel with the development of local e-mail systems to meet the secure email standard, there will be a need to manage the migration of e-mail accounts off the current NHSmail service before it is closed in June 2016. Each organisation is urged by HSCIC to put in place a clear plan to meet the secure email standard by June 2016 when the current NHSmail platform will be turned off. Organisations will need time to consider options for meeting the secure email standard, and need confirmation of what the new NHSmail service will be. Additional guidance on the secure email standard is expected soon.

HSCIC have allocated an NHSmail Implementation Support Manager (ISM) to each organisation to provide support and guidance. The ISM can provide guidance around new NHSmail features such as:
• Automating emails such as referrals, discharge notes or out of hours reports
• Integrating applications such as SharePoint, Office Communicator or locally developed applications with NHSmail.

Contact: [email protected]
More information:
http://systems.hscic.gov.uk/nhsmail/future
http://systems.hscic.gov.uk/nhsmail/emailstandards
______________________________________________
GS1 Standards

GS1 standards are global standards to make it easy to do business globally using a unique set of identification numbers for products, companies, locations, services, assets, logistics units or customers at any point in the supply chain. No matter where in the world a business is based or what language you use, trading partners can always understand one another using GS1 standards. The GS1 standards work for all industries, from food services and retail to healthcare and music, and can increase business efficiency by reducing costs, saving time, and preventing errors.

Every acute NHS trust is required to develop and commence implementation of a trust board-approved GS1 adoption plan. For a large number of trusts implementation of GS1 standards may require significant process redesign, technological investment and cross-functional stakeholder groups and could take a number of years before benefits are realised. The important concepts of GS1 can be summarised as:

Global Trade Identification Numbers (GTIN)
To be allocated to every product (and eventually service line) purchased by the NHS. This will be completed by the manufacturer to ensure that a consistent, unique identifier exists and is supported by detailed information. Supplier engagement will be the responsibility of the DoH and trusts equally.

Unique Device Identification (UDI)
This key element will enable implantable medical device data to be captured at the point of use, including production information, and this to be recorded within the patient’s records for traceability purposes. It will require a sophisticated inventory management solution, point-of-use scanning in clinical areas as well as interoperability with EPR/PAS systems.

Automatic Identification Data Capture (AIDC)
This broad category of technologies includes but is not limited to inventory and delivery management and asset and document tracking. Through the use of barcode technology, stock, assets and documents will be centrally and consistently managed through the trust and into the supply chain, with little need for manual data entry.

ISB1077 (AIDC for patient identification)
The requirement for NHS approved patient identifiers to be encoded into a GS1 Data Matrix Symbol on wrist bands has been in place since 2012.

Global Location Numbers (GLN)
All NHS trusts are registered members of GS1 through the Department of Health and GLNs can be created by trusts and assigned to all (delivery) locations within an organisation to synchronise asset tracking and stock management throughout the supply chain process.

Trusts will be required to appoint a GS1 Lead and Executive Sponsor, to oversee the adoption plans and implementation. The scale of the task will depend on the level of awareness and understanding of GS1 within trusts and general enablement in the areas such as P2P, patient information and records management.

More information: http://www.gs1uk.org/what-we-do/GS1standards/Pages/default.aspx
______________________________________________
News in Brief

NHS Spine
The upgrade of the NHS Spine – Spine 2 Core Transition – took place on 22-25 August. The service will be hosted on new infrastructure and is being re-developed to use modern technologies.

Legal Issues in IT
Legal issues in IT are growing increasingly complex as we approach a tipping point of unprecedented, ubiquitous digital availability and accessibility. BCS, the Chartered Institute for IT, has issued a final whitepaper in its next wave of computing series examining the pervasive connectivity that is making it harder to operate within the law. http://www.bcs.org/category/18002/?src=hplead
___________________________________________________
Diary
10 Sep 14  2014 Annual Conference, Southern Institute for HI, Portsmouth (http://sihi.port.ac.uk/sites/2014)
17 Sep 14  BCS North London: “The Internet of Things”, London WC2E 7HA (https://events.bcs.org/book/1183/)
7 Oct 14  BCS: “How to Get the Best of Both Worlds by Combining PRINCE2 with Agile!”, London WC2E 7HA (https://events.bcs.org/book/1133/)
10 Oct 14  BCS “Real Artificial Intelligence”, London WC2E 7HA (https://events.bcs.org/book/1102/)
__________________________________________________________
Address for correspondence: The Go-Between, c/o David Green, Director of IM&T, SW London & St George’s MH NHS Trust, Springfield University Hospital, Tooting, LONDON SW17 7DJ. [email protected]
London & South East