Information sharing versus patient privacy – Caldicott 20 years on
It’s hard to believe it’s nearly 20 years since the publication of the Caldicott Committee’s Report on the Review of Patient-Identifiable Information, commissioned by the then Chief Medical Officer of England to address growing concerns about confidentiality and the use of patient information in the NHS.
It’s just as difficult to imagine a time before data was shared electronically. Networks and other IT infrastructure are critical to the way our health and care systems function. Every step along the patient pathway, reliable access to information is pivotal to patient outcomes and operational excellence – but patient confidentiality just as vital.
Protecting patient data
The 1997 report resulted in six main principles, all focused on protecting patient information and respecting individual privacy, and the Caldicott Committee has continued to revisit the subject ever since. The dichotomy of sharing information versus respecting patient privacy has never gone away either, with reports of security breaches continuing to surface every now and then, from hacked NHS website passwords to loss of documentation that could lead to patient harm.
Interestingly, the Committee’s 2013’s Information Governance Review identified a seventh Caldicott principle with a slightly different perspective, namely that ‘the duty to share information can be as important as the duty to protect patient confidentiality’. Yet the Review of Data Security, Consent and Opt-Outs, published just under a year ago and which I mentioned last time, called for tighter data and information controls within the NHS – and tougher penalties for data breaches.
All of which demonstrates the complexity of achieving the right balance between sharing appropriate patient information and individuals’ rights to privacy and confidentiality.
Preventing data breaches
Last year’s review found that most patients are happy for their information to be shared, for both their own care and NHS purposes. Yet it’s all very well knowing when to share patient information appropriately; making sure the channels used for data transmission are robust and that personal data remains secure, is another matter entirely.
For those of us working in health and care IT, this means ensuring networks and systems are designed to combine information sharing with information safeguarding. From GP surgery to hospital and clinic, health and care organisations are vulnerable to data breaches. And from traditional PAS and departmental systems to third–party components and the Internet of Things – connected medical devices, wearables, telemetry, telehealth and health apps – the scope for both human error and malicious data breach seems limitless.
Challenging times require innovative solutions
Many NHS organisations have traditionally concentrated on perimeter and endpoint security for information governance and security, together with the belief that the national network will protect them. But as security threats continue to emerge and evolve – email, web, social, mobile, malware – it is no longer enough to focus preventing attacks, as recent events have demonstrated. Just look at the significant impact of the recent WannaCry virus. Cisco will continue to keep our customers and others updated, as well as continually working to mitigate such attacks via our Talos organisation. And we’ll have more on this next time.
It’s clear that organisations must take a more holistic and comprehensive pragmatic approach to security and one that includes control-plane protection and policing techniques – classification and rate limiting of traffic, for example.
Want to know more?
Of course, I am just scratching the surface of several very complex issues here.
More information can be found in Cisco’s Securing Digital Health and Care Communities guide, which discusses ten of the most important security challenges for health and care organisations. Whether you’re a Caldicott Guardian or CIO – in fact whatever your role within your healthcare organisation – it’s well worth a read.
We’ll be back soon to discuss more of the many security challenges faced by our industry, and how we can work together to address them.
