Information security risks in healthcare are growing as ever greater use is made of information technology to improve care outcomes. While there are undoubtedly medical benefits to increased sharing of medical information, given the number and diversity of healthcare organisations, it is becoming increasingly difficult to sustain trust.
Recently, the NHS data sharing scheme Care.data was delayed by six months amid concerns about data safeguards and in particular about secondary uses of data. More recently, the Health and Social Care Information Centre (HSCIC) shut down Earthware because its data services may have allowed inappropriate access to millions of patient records. While Earthware vociferously maintains that no rules were breached, health authorities were concerned that minimum security controls had not been applied. Many observers agree that ‘big data’ technology, which can aggregate data from multiple sources to create detailed dossiers on patients, is not being adequately governed.
These examples highlight the glaring problem that, as yet, there are no overall national or international standards for healthcare information handling. Although the NHS Information Governance Toolkit (IG Toolkit) provides useful guidance to NHS organisations and partners that adopt it, adoption is not mandatory. Even adopters of the IG Toolkit find that many aspects of medical information security and privacy are not clear. Looking outside the UK, the US government's Department of Health and Human Services is still in the early stages of rolling out an Audit Program to promote a level of consistency. As healthcare organisations increasingly rely on internationally hosted cloud computing solutions, the lack of consistent security and privacy standards throughout the sector creates ambiguity and confusion, with inevitable loss of trust.
Establishing clear lines of accountability and responsibility for managing healthcare information risks is imperative. Many healthcare providers partner with other organisations to deliver services. Currently, each healthcare organisation needs to work out for itself what fundamental security policies and controls are needed and how they should be governed. With routine medical information exchanges occurring between staff working for different organisations, it is difficult for people without competence in information risk management to determine which security and privacy policies apply, which country's laws take precedence, who has primary responsibility for information security and privacy, and what their own responsibilities for supporting information security are.
Embedding effective information security controls into clinical working practices across multiple organisations requires an understanding of, and experience in, establishing an appropriate information governance regime. For instance, there must be consensus among collaborating parties about which roles within each organisation own responsibility for which aspects of information security and privacy.
Simply understanding the importance of information security and privacy does not equate to being personally competent to assess or mitigate information risks. There is a strong business case for assigning Information Governance duties to Healthcare Certified Information Security and Privacy Professionals, i.e. to people who have proven through their knowledge, experience and personal commitment to relevant learning that they have the necessary competence.
Tim Williams is an (ISC)2 Volunteer and international healthcare security and privacy consultant.