Jocelyn S Paulley
Partner
Co-Head of the Retail Sector (UK)
Co-lead of Data Protection and Cyber Security sector (UK)
Article
8
The Information Commissioner's Office (ICO), regulator of the Data Protection Act 1998 and other privacy related legislation, recently published its latest findings on reported security breaches involving personal data up to the end of June 2016. At first sight, the figures make for depressing reading for the health sector; of 545 reported breaches in the period from April 2015 to June 2016, nearly half (243) originated in the health sector. The next closest sector was local government, with 62 breaches.
However, this seemingly poor performance by the health sector is misleading due to the following two factors:
So the very high number of health sector breaches is not solely due to substantially worse security practices in the health sector than elsewhere.
Another reason for the health sector to take heart is that the biggest numbers of breaches are caused issues that are relatively simple to address, such as:
Data security is an issue which will not go away. On the regulatory side, the hugely inflated levels of fines in the new General Data Protection Regulation (up to 4% of annual global revenue or £20million), which will come into force on 25 May 2018, bring compliance with data protection laws into sharp focus and put them on the corporate governance radar. Within the sector, Dame Fiona Caldicott published her Review of Data Security, Consent and Opt-outs in June 2016 which urged the health sector to address security as a blocker to patient trust and the sector's ability to share data. At grass roots level, data is being collected, transferred and used in more and more ways to enhance patient outcomes by providing more personalised medicine, better monitoring of health, increased accessibility to healthcare (i.e. remote delivery and consultations), more efficient journeys through the NHS system and better whole population management.
NHS Digital (previously HSCIC) is leading the way with its new CareCERT programme and products in order to change the approach toward security in health organisations. Various data security schemes and standards do already exist: the Information Governance Toolkit (IG Toolkit), the Cyber Essentials Scheme, the 10 Steps to Cyber Security, and the ISO/IEC27000 series. However, the IG Toolkit has often been seen as a tick-box exercise, the Cyber Essentials scheme is not yet widely used and the ISO standards are generally regarded as too expensive and time-consuming for this sector.
So, NHS Digital has created the Care Computer Emergency Response Team (CareCERT), which will issue national level threat advisories, publish good practice and guidance and run a national cyber security incident management function to try to put the NHS one step ahead of cyber attacks and vulnerabilities. CareCERT is still in its infancy (launched in October 2015 with three new services in September 2016) so it is too early to judge its success, although case studies from two early examples have shown it is having a positive impact. Its clear objective though is to overcome the public perception of distrust and, coloured by reports from regulators like the ICO, belief that health information is not secure when handled by the NHS.
It is vital that the health sector shows patients that they can trust it with their data in order to encourage patients to engage with the new tools available to them, which will bring healthcare benefits to individuals and society as a whole. The playing field is not currently level, as the NHS expects health organisations to report breaches. The majority of those breaches can be fixed easily as long as the sector implements some basic measures. This needs to happen before reporting is mandatory across all sectors to ensure that the health sector does not continue to make the headlines for the wrong reasons. It is also crucial to allow the health sector to take full advantage of digital transformation and innovation.
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.