Robin Ingram, Hytec's Senior Information Assurance Consultant comments: "Version 8 of the IG Toolkit makes it clear that all organisations, including GPs, must complete the IG Tooklit, and should have done so by 31st March 2011. The requirement is clear that 'assessments must be completed by all organisations that fall under the responsibility of the Depeartment of Health'."

Robin continues: "Version 8 of the Toolkit may be more prescriptive, and appear more complex than previous versions, however from a security point of view, this is a logical progression. It will provide a higher level of protection to both patient data, and the N3 network. We understand that having met the requirements of version 8, only very minor changes should be expected for version 9."

Robin concludes with a statement about the necessity for GPs to see the Toolkit as a facilitator for best practice information governance: "Meeting the requirements of the Toolkit will provide a strong starting point for organisational controls, which will be needed for future information sharing and joined-up working initiatives across the health and social care landscapes in which GPs will continue to play a significant role."

The full article from eHealth insider can be viewed here.

The Department of Health (DoH) has today announced that it is to scrap the National Programme for IT (NPfIT) because "a centralised, national approach is no longer required". However applications such as Choose and Book, Electronic Prescription Service and PACS will stay and be managed as IT services under the control of the NHS.

In line with the Coalition Government's whitepaper - "Equity and excellence: Liberating the NHS" - the DoH stated that "the National Programme for IT will no longer be run as a centralised national programme and decision making and responsibility will be localised." This means that trusts can now choose the systems they need in order to meet their needs and ultimately create a patient-centred NHS.

Read the announcement in full

The report investigates information governance (IG)* within the healthcare sector and identifies a number of critical elements of IG, including:

• Interoperability
• Data integrity
• Access control
• Security
• Data handling
• Data quality
• Consent
• Compliance

The report continues to discuss five disciplines of IG:

• Data privacy
• Data confidentiality
• Data security
• Data quality
• Data integrity

Accenture said: “By embracing the breadth of information governance, e-health practitioners can develop effective policies, processes and tools that support the enterprise-wide adoption of common information principles. This consolidated approach to information governance enables health care organisations to effectively manage, maintain and control patient information in support of robust patient care."

Read the report

* Information governance encompasses the processes, functions, standards and technologies that enable high quality information to be created, stored, communicated, valued and used effectively and securely in support of an organization’s strategic goals.

We spent five minutes with Robin Ingram, our Information Assurance Consultant, to learn more about the changes organisation’s face when they tackle the version 8 information governance toolkit. Robin has worked closely with Connecting for Health (CfH) and the Department of Health (DoH) for several years, providing them with feedback gained by helping organisations through the IGT process.

“The Information Commissioner’s Office describes poorly managed information assets as a ‘toxic liability’ and information loss as a ‘career ending event’. Despite this, there are still many reports of data security violations – the NHS accounts for over a third of all reported breaches. This new release of the IGT will help organisations to significantly improve their security processes," says Robin. "Version 8 is like nothing we’ve seen before. It’s a lot more time-consuming than previous versions and involves organisations to go into greater depth about their policies, procedures and processes.”

Read the interview in full

The Information Commissioner’s Office has described poorly managed information assets as a ‘toxic liability’ and information loss as a ‘career ending event’. Despite this, the NHS still accounts for over a third of all data security violations. Given the number of staff employed within the NHS, that statistic is perhaps not surprising. Nevertheless, losses of confidential patient records attract significant media attention and maximum fines of up to £500,000.

The Department of Health Digital Policy Team has designed the IGT assessment process to minimise information security incidents within the NHS. If individuals and organisations comply with IGT guidance, information security is considerably strengthened.

Everything in the IGT is there for a reason, either to protect:

• the N3 network and all organisations connected to it,
• Spine applications, or
• the confidentiality, integrity and availability of patient data.

Released on 30 June 2010, version 8 is considered to be more rigorous than its predecessors and includes several material changes. It’s more challenging to complete and a lot more time-consuming than previous versions as organisations are required to go into greater depth about their policies, procedures and processes.

Speakers
Robin Ingram
Robin is Hytec’s Information Assurance Consultant. He works closely with Connecting for Health and the Department of Health, providing them with feedback gained by helping organisations through the IGT process.

Robin is a Member of the BSI Associate Consultant Programme, a Security Advisor to the London Public Services Network (LPSN), an ISO 27001 Lead Auditor, ISO 27001 Internal Auditor and an ISO 27001 Implementer.

Who should attend?
Those responsible for, and tasked with, completing the IG Toolkit; including:

• Chief Executive
• SIRO
• IG Lead
• Information Asset Officer
• Data Protection Officer
• Caldicott Guardian
• IM&T Manager

What will they learn?
To help explain the changes in version 8, we are hosting a webinar. As well as having the opportunity to put questions to the speakers, participants will learn:

• what the changes are,
• what they mean,
• how it impacts the requirement to complete the assessment,
• what needs to be done before 31 October 2010, and
• the consequences of failing to comply

Date
Wednesday 22 September 2010, 11:00am – 12:00pm

 
Cost
This is a complimentary webinar, designed to share our expert’s knowledge and experience with organisations that are currently completing their IGT submissions.

Registration
To register please send the following information to webinar@hytec.co.uk

• Name
• Job role
• Organisation
• Phone
• Email

Mr Cross comments: "The NHS white paper contains one phrase that should fire us with excitement. It is, of course, 'an NHS information revolution'."

The healthcare sector is currently undergoing enormous change and the media is full of speculation on the future of the industry. Even though a full whitepaper is expected in the autumn on the NHS information strategy, outlining the future of initiatives such as the National Programme for IT, the recent whitepaper dropped some tasters of what is sitting on the horizon, for example: "NHS services will increasingly be empowered to be the customers of a more plural system of IT."

Mr Cross concludes the piece with: “The NHS that will be forged in the white heat of this information revolution will be worth it.”

To read the article in full, please click here

"The paper raises more questions than it answers. We don’t know what the coalition fully intends for the National Programme for IT in the NHS or the Summary Care Record. Primary care IT is currently supported by primary care trusts and there has been no mention of how that will work if we move to GP consortia."
Dr Richard Vautrey, deputy chairman of the BMA's GP committee

"The white paper could mean an end to a national approach - and the potential loss of good functionality. The white paper also raises the concerns that there is no current plan regarding informatics, and there is the potential for the fragmentation of support services."
William Lumb, IT clinical lead NHS Cumbria

"I think the IT system companies need to stop and listen to what GPs need and want, because I think clinical systems will need to change. For example, we are going to need whole area based appointment systems and we are going to have to get live data sharing up and running as soon as possible."
Dr Neil Paul, Sandbach GP

"The focus on the visibility of records, starting with GP ones, is interesting. We are going to need to rely on the sharing of information across services and systems very quickly; but I am not sure that the confidence exists at present."
Simon Whitehouse, director of primary care, Central and Eastern Cheshire Primary Care Trust

"NHS IT will have to become more customer focused, delivering business cases that demonstrate that technology really can release cash savings and tangible benefits as opposed to only soft benefits that are difficult to quantify."
Zafar Chaudry, chief information officer, Liverpool Women's NHS Foundation Trust and Alder Hey Children's NHS Foundation Trust.

To read the article in full, please click here

Lawyers at Field Fisher Waterhouse believe that most organisations are not reporting breaches. They say that the Information Commissioner's Office new powers to fine companies up to £500,000 for serious breaches of the Data Protection Act, are discouraging companies from owning up to data breaches.

The legislation would be introduced across Europe, and require all organisations to notify the relevant authorities as well as individuals affected in the event of a serious security breach involving personal data.

The proposed changes to the EU directive will be published by the EU Commission in November this year, and if approved, will have to be reflected in UK law by the end of 2014.

To read the article in full, please click here

IG SoC is the process that all organisations have to complete in order to access Connecting for Health (CfH) services, including the N3 network and Spine. The steps in the IG SoC process set out a range of security related requirements which must be satisfied in order for an organisation to secure the N3 network and its information assets.

Since 2007 the NHS has been responsible for almost a third (over 300 incidents) of all data security breaches reported to the ICO. In April, the ICO was granted the power to impose fines of up to £500,000 for organisations that fail to protect data. Yet despite this deterrent, some health trusts are still failing to achieve satisfactory IG SoC assessment ratings.

Director of Information Security at Hytec, Alan Hunt commented: “Data security is the responsibility of everyone involved in an organisation. Some of the most common security breaches are due to lost or stolen data on portable devices, and human error when disclosing sensitive information. Most mistakes can be overcome through staff training and use of appropriate technology such as encryption.”

“To still have some trusts on amber is concerning as it means that they do not have all of the processes in place to secure patient data,” said Mr Hunt. “Our IG SoC Gap Analysis Service helps trusts ensure they are compliant with the legislation and that they continue to follow best practice. The announcement of this service is timely given that all organisations must now submit their assessments for the latest version of the Information Governance Toolkit (Version 8), by 31st March 2011.”

Version 8 of the Toolkit, announced last week, is regarded as being more rigorous than its predecessors in that there are now only two grades of assessment: SATISFACTORY (coloured green) where level 2 has been achieved on all requirements, and NOT SATISFACTORY (coloured red) where level 2 has not been achieved on all requirements.

Hytec’s IG SoC Gap Analysis Service is carried out by a Senior Information Assurance Consultant and helps trusts to identify and bridge the gap between where they are currently and where they need to be. The service is tailored to the size and type of organisation and identifies areas that a trust or organisation needs to address in order to fulfil their IG SoC responsibilities.

Mr Hunt continued: “As well as completing the IG SoC assessment, trusts have a multitude of legislation that they have to adhere to. They are also facing increasing pressure to reduce costs and drive efficiency savings. So for trusts that want to go one step further, we offer an Infrastructure Review Service to assess the security, stability, scalability and compliance of their ICT networks.”

In addition to ensuring a trust is IG SoC compliant, Hytec’s Infrastructure Review Service checks that its network adheres to the latest best practice and governance whilst benchmarking it against NIMM (NHS Information Maturity Model). Furthermore, it establishes whether a network is secure for PID, looks for potential improvements for flexible and mobile working and helps determine areas for potential cost savings.

If you would like more information on the IG SoC Gap Analysis Service, or the Infrastructure Review Service, please contact us on 01865 887 428, or email enquiry@hytec.co.uk

Read what he has to say here

BJHC&IM highlighted the results of a recent survey of IT security professionals.

Incredibly, it revealed that over half of respondents (52%), admitted carrying unencrypted company data on a USB stick; of these 11% protect their devices with passwords alone.

To read the article in full, please click here

Features include:

• Making sure your electronic records are up to scratch
• GPs risk email security breaches
• When to disclose information - and when you should say no
• Let technology take the strain
• Survey on the future of IT

To read the issue in full, please click here

Public Technology has reported how the ICO is "highly concerned" after further data security breaches were made in two NHS Foundation Trusts.

Basingstoke and North Hampshire NHS Foundation Trust sent an unencrypted Excel spreadsheet containing the pathology results of over 900 patients was sent via an unsecured email address. Whilst Stoke-on-Trent NHS Foundation Trust filed 2,000 physiotherapy records incorrectly, putting them at risk of being accidentally lost or destroyed.

Mick Gorrill, head of enforcement at the ICO, said: "With a quarter of all data breaches reported to the ICO involving the NHS, the service needs to do more to protect patients' data. Everyone makes mistakes, but there are far too many within the NHS.”

To read the article in full, please click here

This article in BJHCIM reports on the findings of 'The Data Management Healthcheck 2010'; a global survey into hospitals' ongoing strategies for managing their IT systems.

It has shown that secure data management is the healthcare industry's most pressing issue as hospitals move from paper-based health records to electronic systems, with the top IT spending priority for 2010 being disaster recovery (44%).

To read the article in full, please click here

Hytec Microsystems was first established in June 1980, delivering mainframe protocols and communications solutions to NHS and local government customers. Over the years, the company evolved its focus towards information security and secure connectivity to networks such as the Government's secure intranet, GCSx and the NHS’s N3.

To celebrate its 30 year anniversary, Hytec will invest in a 12-month information sharing programme focussing on the sharing of expertise and best-practice models through a variety of media, including this blog, workshops, e-bulletins, technical webinars, executive briefings, case studies and white papers.

"We’re proud of the reputation we’ve built. For 30 years we have worked hard to develop our expertise and deliver business transformation services that really help our customers in achieving their goals," said David Bryant, Hytec’s Managing Director. "Today, our healthcare and local government customers are feeling greater budgetary pressure than ever. Hytec’s solutions and services are focussed on ensuring that our customers are able to benefit from the effective use of technology to deliver real cost savings and business process efficiencies."

This time Management in Practice reports how Lampeter Medical Practice breeched the Data Protection Act after downloading a database of 8,000 patient records onto an unencrypted USB stick, and then posting it to the Health Boards Business Service Centre. The USB stick never arrived at its destination and has now been deemed lost.

Thankfully the Practice is now reviewing its policies to ensure a similar issue doesn't occur in the future, but for any practice to use an unencrypted USB stick is an unnecessary risk.

To read the article in full, please click here

The figures suggest that the health service has a particular problem with the theft of devices holding personal data; emphasising the importance of encryption as the last defence for sensitive information.

The figures show that in the NHS:

• 116 data breaches were caused by stolen data and hardware
• 87 were caused by lost data and hardware
• 43 breaches from data disclosed in error
• 17 breaches from information lost in transit
• 17 from technical/procedural failure
• 13 from non-secure disposal, and
• 12 from 'other' causes

Following this report, the BBC announced that West Berkshire Council had lost a USB stick which was not encrypted or password protected. It contained information about the ethnicity and physical or mental health of several children in the region. The ICO said it was the second data security incident reported by the council within six months.

To read the articles in full please click the links below:

E-Health Insider

BBC

Jim Black, Marketing Manager at web filtering company Bloxx, comments:

"There’s hardly a day goes by without a major security breach or incident; and these are only the major incidents at larger, higher-profile organisations. It is safe to assume that IT security breaches and incidents are costing UK businesses billions each year."

He continues to discuss the results of a 2009 study by anti-virus vendor, Sophos:

"In the past, email spam and email-borne malware were considered to be the main attack vectors. Now the Web is the favoured route for the cybercriminals and hackers. However, that does not mean that the security risks of email have diminished, far from it.

Spam continues to be a major problem, with anything up to 95% of all emails sent every day being classified as spam. And email attachments, in particulars PDFs, continue to pose a significant threat.

However, more often, email is now used to drive recipients to compromised websites via web links embedded into the email message. It would appear that it’s all too easy for the hackers to be able to modify web pages to deliver malware onto unsuspecting visitors. Recent figures from Sophos suggest that a new infected Web page is found every 2.5 seconds and that 80% of these pages are to be found on reputable sites."

To read the article in full, please click here

IG SoC is the process by which organisations enter into an agreement with NHS CFH for access to the NHS National Network (N3). The process includes elements that set out terms and conditions for use of NHS CFH systems and services including the N3, in order to preserve the integrity of those systems and services.

The steps in the IG SoC process set out a range of security related requirements which must be satisfied in order for an organisation to be able to provide assurances in respect of safeguarding the N3 network and information assets that may be accessed.

At HC2010 on the 27 April, we launched our new "Infrastructure Review Service". The service is designed to check that a trust network is compliant with the latest best practice and governance, whilst benchmarking it against NIMM (NHS Information Maturity Model) and the IG SoC Toolkit. It will establish whether the network is secure for PID, look for potential improvements for flexible and mobile working and help determine areas for potential cost saving.

If you are interested in learning more, please email us, or call 01865 887 428.

They said: "Our main challenge is ensuring that our equipment keeps pace with advances in software because we are asking more of our PCs every day as we use more web based applications and voice recognition software. The hardware just can’t keep up.

We are currently in the middle of a protracted replacement of our aged PCs. As the new ones don’t have sufficient RAM to run our applications efficiently, we are having to pay to upgrade them ourselves.

We will strongly resist moves to hosted applications as we believe it is vital that we maintain complete control of our systems and data. We are, however, encouraged by iSoft’s move toward ‘virtual’ hosted applications which may offer us the best of both worlds."

To read the interview in full, please click here

This article in Smart Healthcare gives details of a speech by Deputy Information Commissioner David Smith.

In it, he says: "Today, people are willing to share more; a culture of reducing costs and sharing has emerged. Data breaches are still happening, and are often due to insider wrongdoing, or theft and loss of data on portable devices. There are too many organisations ticking the boxes, without investing in real measures to keep up staff training and awareness. Contractors and processes must be checked."

To read the article in full, please click here

Today we launched our new healthcare infrastructure solution, InfraShare™, at the Health Informatics Congress.  

Recognising that effective ICT solutions can only be built on secure, stable and scalable platforms, InfraShare allows trusts to share patient data and trust information securely by creating an N3-based network that:

• is consistent with the NHS Infrastructure Maturity Model (NIMM)
• is compliant with CfH Information Governance standards;
• provides a platform for centralised remote ICT support, which reduces the need for on-site visits by IM&T support engineers;
• enables remote deployment of antivirus, security patches and software updates;
• provides secure and authenticated remote access to GPs so they may review clinical data held within the surgery or central trust systems
• and, serves as a bedrock for secure delivery of further information sharing, mobile working, clinical or administration systems.

To read more about InfraShare, please click here

HC2010 is the UK's largest event for health informatics and social care professionals. The event focuses on IT systems and products designed to enhance and improve aspects of patient and social care.

We will be launching a new ICT solution at HC2010, which allows trusts to share patient data and trust information securely across the N3 network.

Our new solution creates an application platform that is secure, stable, scalable and compliant - an infrastructure for information sharing, an infrastructure that:

Firstly, he highlights that big central databases, such as the Summary Care Record, are attractive for hackers and this reduces the overall security of the information.

Secondly, he says that there are too many computer systems in NHS trusts and only a small number of these require a smartcard to access the information. Unfortunately, most of a trusts confidential information is held on these local systems so it is a lot easier for unauthorised people to access because: "People leave systems logged in and choose stupid passwords!"

Finally, Phil points out that most NHS organisations still have a considerable number of paper-based patient records. This is because under the current NPfIT programme, there are no plans to scan paper-based records and by law, trusts have to keep patient's records for several years after their death. Therefore, even if we stop producing paper-based records now, the last paper records would be destroyed in 65-95 years time.

Phil concludes by saying that the NHS still has a long way to go until it is completely secure. He believes that computer security is achieved by design not by after-thoughts; therefore it's important that trusts take their IT security needs seriously and be proactive about putting protective measures in place, rather than reacting once a security breech has occurred.

To read the article in full, please click here

In recent months the Information Commissioners Office (ICO) has highlighted the NHS as being one of the worst offenders for data loss, reporting as many incidents as the entire private sector.

Last week the ICO was finally given the power to impose fines of up to £500,000 for organisations who fail to protect personal data - so are GPs in your trust doing enough to safeguard their patient's information?

Our Director of Information Security, Alan Hunt, has put together a ten-point plan that highlights the most important security issues for practice managers.

To read the article, please click here

The British Medical Association (BMA) has just published a 50 point plan called: "Fit for the future – The evolution of general practice".

The report covers several areas within general practice including:

• Quality
• The changing NHS
• Commissioning
• Out of hours
• How GPs work
• The quality and outcomes framework
• Workforce
• Premises
• Information technology

Within the 'information technology section' the plan notes that "General practice has the highest level of computer use and literacy in the NHS", as "Modern healthcare relies upon high quality information technology (IT) systems supporting decision making, reducing errors (especially in prescribing), supporting business processes, improving patient responsiveness, enhancing audit and research, and enabling sharing of appropriate information."

The BMA believes that "Further development with general practice IT will require continual improvement in data quality, and the progression towards paperless practices. This will require appropriate safeguards for privacy, and provision and support of hardware and software solutions including those for scanning and mobile devices." And that "IT systems should continue to be developed to support inter-operability (use by different systems) and sharing of appropriate information."

They continue to outline the recommendations for GPs in relation to IT, which include:

• Support for data quality and moves to paperless practices need to be fully supported and financial incentives offered to facilitate such development
• IT projects should have realistic timescales, and a managed pace of change. More problems occur where projects have been rushed or badly thought through
• Concerns about issues of patient consent and confidentiality must be addressed
• Innovation in general practice IT needs to be encouraged, rather than top-down solutions being imposed. The core list of IT equipment should be expanded to allow practices to provide improved services for their patients
• NPfIT: In the National Programme for IT the GP elements in particular need to have a future. GPSoC and other agreements need to be honoured and progressed

To read the report in full, please click here

In this week's Pulse Dr Catriona James explains the new rules that are being introduced this month, that could see GP practices being fined up to £500,000 for a serious patient data breach.

The Data Protection (Monetary Penalties) Order 2010 will come into force on 6 April 2010 and could see GP practices facing fines of up to £500,000 for serious breaches of the Data Protection Act.

GPs are being advised to:

• Avoid inputting PID on to personal mobile devices such as memory sticks and PDAs
• Ensure they have an information security policy in place, covering issues such as the use of laptop computers
• Never put patient data on their personal computer
• Consider taking advice from IT specialists about ensuring the security of practice computer systems
• Be aware of Connecting for Health’s Good Practice in Mobile Computing, covering the secure use of laptops, PDAs and other mobile devices
• Report any loss of data to the nominated senior person within your practice, so that action can be taken and affected patients and the information commissioner informed if appropriate

To read the article in full, please click here

The survey asked every NHS trust in the UK for the number of their non-medical staff who had access to confidential patient records. Access was defined as being able to see at least a patient's full name, date of birth and most recent medical history.

The responses showed that 101,272 non-medical staff, such as hospital domestics, porters, and IT staff, had access to records. This was an average of 732 in each trust.

Big Brother Watch says this demonstrates "slack security and monitoring around those with access to patient medical histories."

Its director, Alex Deane, said: "The number of non-medical personnel with access to confidential medical records leaves the system wide open for abuse."

To read the article in full, please click here

Whilst NHS Berkshire West says, "the move will assist out-of-hours calls and enable clinicians to access vital information should a person become ill anywhere in the UK," many healthcare professionals across the region are worried about the security of the system.

Hungerford Surgery practice manager, Mike Hall, said: “With data protection issues an ongoing concern I would question whether the public really understand the change, and the process of opting out is rather convoluted.”

Whilst GP, Dr James Cave of Downland Practice, Chieveley commented: “While this is the future, my colleagues and I feel the problem is in the ability of the NHS to do this in a safe and secure way. In the current climate of ‘Big Brother’ fears it would only take one error for any problem to get out of hand.”

And ambulance technician Neale Marney, who volunteers with the West Berkshire Rapid Response Car, said: “I don’t want my records to be available electronically. With so many data protection issues to think about I wouldn’t support it myself.”

However, a PCT spokesman, Richard McCrann, said: “The system is very secure. Access is strictly limited to authorised staff who have a legitimate relationship with a patient who has given permission. NHS staff can only access the system through the use of a chip and pin-style smartcard, and no other government departments or agencies will have direct access.”

To read the article in full, please click here

Some GPs commented on IT issues. We have highlighted a selection of these below:

Post: 'The blue screen of death'
"I am not using the ‘smart’ card, as I have left it in the other branch, and (frankly) having the smart card loaded achieves nothing for my daily work."

Post: 'A difficult decision'
"...the most challenging consultation was a patient who has come to see me to ask if he should have surgery, as recommended by the consultant....Today’s consultation has been complicated by the fact that I do not have the recent outpatient letter, so I am not advising them on the most up-to-date facts."

Post: 'A visit from the PCT'
"...I had quite a bit of email about EDLs (Electronic Discharge Letters – don’t get me started on patient safety!)..."

A couple of weeks ago, we spent five minutes with a local GP to quiz them about their view of NHS IT. She said their current systems were frustrating and the PCT was less than helpful when it came to solving any IT issues they had. Overall, her main concerns were how to ensure better patient care through sharing information properly with the out of hours staff, and seeing that her patient's data remained safe and secure at all times.

To read the interview in full, please click here

The feature discusses systems integration following the Department of Health's shift from a "replace all" to a "connect all" philosophy. To obtain the right content for the feature, E-Health Insider interviewed Hytec's Head of Systems Integration and Chief Technical Officer of OLM Group, David Rivett.

David has worked in systems integration for 20 years, and was most recently involved at our proof-of-concept demonstration at Redbridge polyclinic. He says: “There are millions of pounds of savings to be made by integrating systems not just within an organisation but between organisations. The biggest frustration I have is that customers do not realise the value of information so do not want to pay for the integration.”

To read the article in full, please click here

SCRs will eventually link about 30,000 GPs and 300 hospitals to provide better coordinated patient care through online appointment systems, electronic prescriptions and faster computer links. Under the National Programme for IT, the aim is to create electronic records for 50 million people in England. So far, about 12 million patients in England have been sent leaflets with details about the new SCR system.

The system is designed so patients can opt-out if they do not wish for their information to be shared. However, the BMA is saying that the scheme is being rolled out too quickly and patients are not being given enough information to enable them to make an informed choice.

Hamish Meldrum, chairman of the BMA said: “The break-neck speed with which this programme is being implemented is of huge concern.....If the process continues to be rushed, not only will the rights of patients be damaged, but the limited confidence of the public and the medical profession in NHS IT will be further eroded.”

In December, the Department of Health (DoH) announced the acceleration for rolling out the system, but it has since been criticised for concerns over its security and a lack of enthusiasm from GPs.

In a separate article from Silicon.com, they highlight how the DoH has spent over £700,000 on a project to study the impact of introducing SCRs with the results of the study due to help informed the wider rollout of the system.

However, despite the fact that the BMA claim they were given assurances by the DoH that a national roll out would not proceed until the study's findings were published, it appears that the DoH are continuing with the mass roll, giving Strategic Health Authorities until March 2011 to create their records.

Whilst SCRs have the potential to save patients lives by enabling doctors unfamiliar with a patient to see an overview of their medical details - for example an out-of-hours doctor - not enough is being done to communicate the benefits of the system and this could prove disastrous for the success of this scheme.

In an independent survey of patients in areas where the SCRs have been piloted, it was found that seven out of ten patients were unaware that SCRs were being created.

To read the articles in full, please click the links below:

Times Online

Silicon.com

Anti-virus is not enough
Malicious programmes are being created at a faster rate than good programmes which are designed to protect your systems.

Social engineering as the primary attack vector
More attackers are targeting the end user, attempting to trick them into divulging sensitive information.

Social networking third party applications will be the target of fraud
We are continuing to see huge growth in the popularity of social media sites. Some of the applications available on these sites are designed to obtain your personal information or gain access to your computer.

Fast flux botnets increase
This is a technique used by attackers to hide phishing and malicious websites and it's becoming more commonplace across the Internet.

URL shortening services will become the phishers best friend
When faced with a 'short URL' it's impossible to know where you will be directed to. This means that phishers can easily disguise their malicious sites and lead users astray.

This whitepaper isn't supposed to scare users into thinking they're constantly under attack from Internet fraudsters; it's designed to make you more aware of the security threats so you can put in place appropriate processes to protect your network.

Many of these processes will involve the end users themselves - for example being wary of suspicious emails, not giving out personal information online and not clicking on URL's if you don't know the site they're taking you to - others will stem from the IT department who will need to have appropriate anti-virus and encryption software in place.

To read the whitepaper in full, please click here

The BJHC&IM has highlighted the results of a recent survey, of 1,200 people across Britain, by Dictate IT.

The survey found that whilst 89% of the public believe that it is possible to increase efficiency within the NHS, 70% think that information technology in NHS trusts contributes towards better care for patients.

To read the story in full, please click here

NHS Chief Executive David Nicholson has introduced Board Exchange, a new online environment which provides NHS trust boards with access to principles, tools and resources that will help members share ideas and best practices to the benefit of patients and the local community.

In this video, David Nicholson introduces the new Healthy NHS Board principles and talks about how they have the potential to improve board performance. Meanwhile, Elisabeth Buggins, Steve Barnett, Yvonne Nugent and programme managers Gerry McSorley and Geoff Wedgwood, talk about how Board Exchange will bring together the latest thinking and best practices in a way that gives every board member the chance to participate and learn.

To watch the video, please click here

This week we announced the newest members of our healthcare team – Keith Eyles and Tim Henstock.

Our Managing Director, David Bryant, said: “The addition of Keith and Tim to Hytec's healthcare account team will enable us to extend our coverage and reach more trusts.  Their market and technology experience will also be invaluable in delivering solutions that support both clinical staff and PCT professionals in their day-to-day work." 

To read the release in full, please click here

"Data security concerns me because I don’t think we have adequate systems in place to protect patient information."

"It’s often the case that we leave patient information visible on computer screens, so when the cleaner or whoever else has access to the surgery comes along, they can read a patient’s medical record."

"Another big problem is communicating information with the hospital. If a referral is urgent, we have to fax the information to a secretary in the hospital. This fax includes the patient’s name and details – all it takes is for us to dial one wrong digit and the confidential information could go anywhere. We don’t even get an acknowledgement to say the hospital has received the fax. We’re constrained by PCT policy as we have to make urgent referrals on the day we see the patient, but the hospitals won’t accept or there is no system for electronic referrals."

"I also have a real issue with the PCT doing audits and accessing patient identifiable information. The PCT prescribing lead often comes to the surgery to audit us. When she comes to assess us for QOF, she wants to see our mental health parameters. I don’t think she should be able to view patients’ records and see confidential information – but the PCT insists on auditing our QOF data. We have a device that we have to physically put over our screen to block out the patient’s name and protect their privacy. The whole system is ridiculous."

"I know smartcards are supposed to be the answer to all of this. I have one but I don’t use it because at the moment my computer isn’t even equipped to take it."

Following months of data security breaches, reporter Daloni Carlisle investigates possible solutions to help healthcare organisations fulfil their obligations to keep patient's details safe.

In this special feature, Hytec's Director of Information Security Alan Hunt gives his advice on data security along with other industry experts.

To read the article in full, please click here

A recent survey of 32 million passwords by security firm Imperva has highlighted the most common passwords we choose to protect our data. The top 10 are:

• 123456
• 12345
• 123456789
• Password
• iloveyou
• princess
• rockyou
• 1234567
• 12345678
• abc123

Using a weak password, like the ones listed above, will leave your information vulnerable and prone to attack. By following these five simple steps, you can be sure that your data is safe and protected.

Step 1) Always use strong passwords. A strong password:

• Is at least seven characters long
• Does not contain your user name, real name, or company name
• Does not contain a complete dictionary word
• Is significantly different from any other passwords you use
• Contains uppercase letters, lowercase letters, numbers and symbols

Step 2) Never write your password down or share it with anyone

Step 3) Don't use the same password for everything

Step 4) If you believe someone knows your password, change it immediately

Step 5) Don't allow your computer or Internet browser to save passwords for you

To read the story, please click here

An international survey of small and medium hospitals, by the HIMSS Analytics and sponsored by Dell, asked IT executives to assess the readiness of their hospital data centres to support new information demands such as electronic medical records.

The results showed that as well as demand on the data data centres increasing between 20% - 50% over the next two years, the UK IT executives face a number of challenges if they are to efficiently manage new information demands. These include:

• A lack of security standards
• Declining budgets - 50% of IT executives indicated that their IT budgets would decrease in the next two years
• Administrative efficiency as the top IT priority - rather than technology at the point of care
• Scaling and management of storage

Jamie Coffin, Vice President of Dell Healthcare and Life Sciences commented: “We must ensure that all hospitals — large and small, new and existing — are equipped with the right IT infrastructure to support information demands today and in the future. We cannot simply throw servers and storage at information demand or complexity will over-run IT budgets and leave little support for the strategic HIT priorities which support healthcare reform and business initiatives.”

To read this story in full, please click here

Have you seen the article about Hytec's information sharing proof-of-concept in January's "Health & Care Management," the official journal of the Institute of Healthcare Management?

Pages 13-14 carry a feature entitled "Polyclinics get in gear" about the work we carried out at Redbridge Polyclinic.

Running polyclinics or developing polysystems highlights one of the fundamental problems facing PCTs: how to share information.

Redbridge Polyclinic is home to over 20 services, and practitioners, clinicians and nurses working in the polyclinic need to have access to these different systems to obtain information about their patients.

Redbridge Polyclinic undertook an innovative proof-of-concept demonstration to integrate various IT systems. Using our integration framework, Integral Xchange™, we were able to demonstrate a solution that pulled together information from three disparate systems - EMIS, Tynedale and CareFirst - allowing records to be consolidated, viewed or updated at the point of clinical service delivery. This was achieved within the context of providing better-coordinated care for patients, while maintaining the privacy, accuracy and security of information in each system.

Our solution enables healthcare professionals to have:

• Real-time information from multiple sources
• A 360 degree view of a patient’s care
• The ability to book appointments directly without having to access any specific system
• Consolidate, report and analyse information from multiple systems
• Promote and foster information exchange
• Plan and better allocate resources, improve the clinic’s efficiency
• Produce better health and wellbeing outcomes for patients

In reviewing the outcomes of the project Conor Burke, Borough Managing Director, NHS Redbridge said: "Greater use of IT systems to manage, track and, in some cases, pre-empt medical conditions are a key element of our vision to offer more effective care closer to home. It is a case of working smarter and making better use of the data we already have. This offers a clear integrated system that supports our goal of helping create ‘seamless’ healthcare where patients are treated quickly and effectively."

To read the story in full, please click here

This story from E-Health Insider explains how flaws in IE6 have led to attacks from hackers, leaving computer systems vulnerable and exposed.

CfH issued guidance telling trusts to obtain a patch update to resolve the issue in the short term. The guidance continued by recommending that "Organisations still using Internet Explorer 6 on the affected platforms upgrade to Internet Explorer 7. Internet Explorer 7 has been warranted to work correctly with Spine applications such as the Clinical Spine Application and provides additional security features over Internet Explorer 6.”

If you are unsure of how to deal with this security threat, CfH are advising all trusts to contact the Department of Health Informatics Directorate Infrastructure Security Team.

To read the story in full, please click here

Charles Gutteridge will today begin his appointment as the UK's first national Clinical Director for Informatics.

Having previously worked as Medical Director and Caldicott Guardian at Barts and the London NHS Trust, he has now been appointed to provide a clinical perspective on how new technology should be introduced in the NHS under the National Programme for IT.

The role, which was previously overseen by Director General of IT Richard Granger, is now performed by four people within the Department of Health (DoH):
 - Christine Connelly, CIO
 - Tim Donohoe, Head of Programmes and Operations
 - Carol Clarke, Head of Resources, Services and Governance, and
 - Charles Gutteridge, Clinical Director for Informatics

Charles describes his role as encouraging "dialogue between clinical staff, patients and informatics providers," adding, "My colleagues know that good, accessible information enormously raises the quality of treatment and diagnosis we can provide to the public."

To read the story in full, please click here

Earlier this week, Justice Minister Michael Wills laid a statutory instrument before Parliament setting a £500,000 fine for companies that fail to protect sensitive personal data. Under the legislation, the Information Commissioner's Office (ICO) can fine companies if "the data breach resulted from a deliberate act or negligence and is likely to cause damage or distress to an individual."

Between 2007 and 2009, 209 NHS health trusts and bodies suffered data security breaches. At present, the ICO only has the power to serve companies with an enforcement notice requiring them to improve data security or face legal action. Unless Parliament objects to the proposal, the legislation will come into effect from the 6th April, and companies failing to comply will be forced to pay the £500k fine.

To read the story in full on Silicon.com, please click here

Over the last 6 months, use of social media has increased dramatically:

• Twitter usage by 250%
• Facebook usage by 192%
• SharePoint usage increased 17-fold, and
• Blogging and wiki editing increased by a factor of 39

However, as more people use these web-based applications, security risks increase. However, many organisations now have outdated IT infrastructures or usage policies that fail to protect them from these growing risks.

The survey revealed that of the 255 web applications in use, 70% are capable of transferring information. Of these 70%, 64% have known vulnerabilities, 28% are known to propagate malware, and 16% can tunnel other applications. Whilst most are not necessarily malicious, some are specifically targeting social networking sites such as Facebook and are designed to hijack your accounts to steal your personal information.

Whilst some organisations are taking a blanket approach and banning all social media, this is not always the right approach as collaborative technologies can also deliver many business benefits. The key to managing the risks associated with social media is to ensure that your systems are designed with security in mind, that your security software is up-to-date and that you have an appropriate usage policy.

To read the story in full, please click here

Below is an extract:

"By 2022, 20% of the English population will be aged over 65 and by 2027 the number of people aged over 85 will have increased by 60%. As well as putting more demands on our healthcare system, this increases pressure on social care organisations as they face growing numbers of patients with complex conditions such as dementia and chronic illnesses associated with old age."

Hytec's Director of Information Security Alan Hunt continues by outlining some of the current initiatives for co-ordinated care, and explains how safer information sharing is a key factor.

British Journal of Healthcare & Information Management - Click here to read the article in full

In the article Hytec's Director of Information Security, Alan Hunt, highlights several IT security dangers that you should be aware of, and best practice for overcoming them, including:

1) Good Practice Guidelines
2) Information Governance Toolkit
3) Connecting to N3
4) Mobile and remote working
5) Role-based access
6) Allowing others to connect to your network
7) Safe computing
8) Storing data on devices
9) Caldicott Guardians
10) Further advice

To read the article in full, please click here

The Data Protection Act says: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

However, the ICO states that: “There is no ‘one size fits all’ solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances.”

Therefore to help you, we are highlighting some key areas for you to address. The following exerts on information security are taken from Principle 7 in the ICO’s “Guide to Data Protection”.

What needs to be protected by information security arrangements?
The requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data.

So the security measures you put in place should seek to ensure that:

What kind of security measures might be appropriate?
The Data Protection Act does not define the security measures you should have in place. However, particular security requirements that apply within particular industries may impose certain standards. (e.g. the Department of Health’s ‘Good Practice Guidelines’)

Physical and technological security, and management and organisational security measures are likely to be essential.

Management and organisational measures
Carrying out an information risk assessment is an example of an organisational security measure.

Not every organisation will need a formal information security policy, however all organisations will need to be clear about related matters such as the following:

Staff
It is vital that your staff understand the importance of protecting personal data; that they are familiar with your organisation’s security policy, and that they put its security procedures into practice.

Physical security
Physical security includes things like the quality of the doors and locks, and whether premises are protected by alarms, security lighting or CCTV. It also includes how you control access to premises, supervise visitors, dispose of paper waste, and keep portable equipment secure.

Computer security
Your computer security needs to be appropriate to the size and use of your organisation’s systems and your security measures must be appropriate to your business practices. For example, if you have staff who work from home, you should put measures in place to ensure that this does not compromise security.

Computer security is constantly evolving, and is a complex technical area. Depending on how sophisticated your systems are and the technical expertise of your staff, you may need specialist information security advice.

If you have any questions relating to security in your practice, one of our security consultants will be happy to assist you. Please call 01865 887 428.

Alternatively, to read the guide in full, please click here

94% of GP practices now use Choose and Book as their standard method of referral.

Health Minister Mike O'Brien said: "We know that Choose and Book works well for many thousands of people every day, giving patients much greater involvement in the decisions about their healthcare. When properly implemented, Choose and Book can provide significant benefits not only for patients, but also for referrers, providers and the wider NHS by delivering choice, certainty, security and reliability."

The guidance covers 10 areas as well as a summary of responsibilities:

• Clinicians using the system themselves
• Free choice
• Promoting the use of Choose and Book
• Acting on behalf of referring clinicians
• Technical support
• Referrals to named clinicians
• Clinicians reviewing referrals online
• Training
• Availability of appointment slots on Choose and Book
• Directory of services

 To read the guidance in full, please click here

CfH cites the following risks associated with using social media:

Another day, another data security breech. This report from E-Health Insider tells how a laptop containing over 600 medical records, was stolen from the Scottish Ambulance Service. The records contained details of patients’ names, addresses and treatment.

Whilst the service has an encryption policy in place, staff had failed to follow procedures; on this occasion, the only security in place was password protection.

One of the most important factors in IT security is people. Everyone is responsible for keeping patient records safe, so you must ensure that all staff are trained and familiar with your data protection, and IT security policies. By ensuring your staff adhere to these procedures, you can be sure that your data remains safe and your patients’ privacy protected.

To read the full story, please click here

Great Yarmouth and Waveney PCT and Gloucestershire PCT were found to have breached the Data Protection Act by the Information Commissioner's Office (ICO) following the loss of over 3,000 patient records.

In Great Yarmouth and Waveney PCT, the ICO identified the following breeches:

Mick Gorrill, Assistant Information Commissioner at the ICO, said, “Both of these cases have put thousands of patients’ sensitive personal information at risk. Personal information is valuable and keeping it safe and secure should be at the heart of good corporate governance.”

The ICO has now started formal undertakings with both PCTs.

To read the article in full, please click here

Following several pilot studies over the last few years, the Princess Street Group Practice in Southwark, London, will be the first organisation in the city's upgrade to upload their records on the 19th November.

Summary Care Records contain details of patient's medications, allergies, adverse reactions and other key information. They aim to enable data to be shared more easily, allowing doctors to "rely on accurate information rather than patient recollection."

Whilst many critics have raised concerns about data security, due to the sensitive nature of the information, many others have praised the system and believe it will help the industry to provide better patient care:

Director of The Patients Association, Katherine Murphy said the system had "great potential for making care safer."

Health Minister, Mike O'Brien said, "Having the right information at the right time can make all the difference to patients' experience of urgent care."

To read the full story click here

This article from the BBC highlights the frustration of the Information Commissioner’s Office (ICO) due to the increasing number of incidents relating to the loss or theft of personal data during the past year, citing “NHS hospitals holding private medical records were among the worst offenders.”

In the last year there have been 434 organisations (including 200 hospitals) reporting data security breaches – a 64% increase compared to last year. The ICO has stated that from 2010, organisations that break the rules will face fines of up to £500,000.

Deputy information commissioner David Smith said, "Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media."

Everyone is responsible for protecting patient data and there are several simple steps that can be taken to ensure information remains secure, including:

Pavilion is the leading publisher and event organiser for professionals delivering public services. One of its information services is 'CareKnowledge.com'; a social care knowledge portal used by 15,000 social care professionals, providing the latest information on best practice, as well as insight, commentary, special reports and features.

This case study features a project Pavilion undertook with Stockport Council’s Adult Social Care Directorate, that challenged Pavilion to implement a new communication and engagement programme for its staff.

CareKnowledge was deployed and now allows staff to access department information and sector initiatives in an informal manner through blogs, podcasts, ‘taking head’ videos and audio clips. The service enables two way communications by allowing staff to offer their thoughts and debate with colleagues. The service has proved successful and usage has increased by 70%.

Read the case study here

CQC chief executive Cynthia Bower (right) said, "It is important that basic systems to share essential patient details are working effectively to get the right information to clinicians at the right time to minimise these (medication related patient safety incidents) risks."

Our experience from working with IT within the public sector has shown that most organisations are reluctant to share information because of their fears over data security and privacy. However, these issues are easily resolved and should not form a barrier to information sharing:

Sharing data between GPs and hospitals is essential to effective patient care. The N3 network was created to help facilitate better communication between healthcare organisations. And there are many solutions available to help protect the security and privacy of the information as it is shared.

As specialists in IT security we are happy to answer any questions and offer advice on how to ensure your patient data is secure; just call 01865 887 428.

To read the article in full, please click here 

In response to the Care Quality Commission's (CQC) finding that some patients are at risk from mixing medicines on discharge, the RCGP's Professor Steve Field called for a move to "improve communication between hospital specialists and GPs." 

N3 provides the infrastructure to enable primary and secondary care to work better together. While hospitals and GP surgeries use different clinical applications, there are few technical barriers to sharing information once users have taken the necessary steps to protect patient identifiable data. We have recently completed a proof of concept project with a London polyclinic that demonstrates how easily information can be shared between disparate systems to give clinicians a 360 degree view of patient care. Watch out for more details soon...

Read the RCGP's comments here 

This week Connecting for Health has issued the following guidance: "Managing inappropriate access to patients’ demographic information using National Programme for IT and local systems and services."

The PDS (Personal Demographics Sewrvice) is a national electronic database of patients' demographic information - for example their NHS number, address and contact details - and underpins electronic care records across the NHS.

Whilst the PDS is already accessed by GPs and healthcare professionals through systems such as Choose and Book and the Electronic Prescription Service, this latest guidance sets out who should be accessing the system, why, and the consequences of accessing patient information inappropriately.

In a GP surgery, it is the Practice Managers responsibility to ensure that information is accessed correctly in accordance with the legislation. However all individuals working within the NHS have a contractual obligation to comply with the NHS Code of Conduct for Confidentiality.

Anyone accessing the PDS inappropriately will be guilty of professional misconduct and could face the following action:

• Criminal action under the Data Protection Act
• Civil action for breach of confidentiality
• Disciplinary action under terms of contract of employment
• Preventing the user from ongoing access to computer systems – this sanction is available to primary care trusts under the terms of GMS/PMS contract with practice
• Action by General Medical Council for breach of patient confidentiality

To read the legislation in full, please click here

In this week's Pulse, the focus is again on the Conservatives health plans to move away from centrally managed IT systems and operate on a local basis. As shadow health minister Stephen O’Brien (right) said, "We can secure a better deal for both patients and the tax payer if records were held locally."

Networking within the current PCT areas would allow healthcare organisations to share information and deliver better co-ordinated care to patients. However, before any systems are put in place it's important to build a secure foundation on which the IT infrastructure can operate.

The following three core technologies must be in place to build a secure foundation:
1) Authentication: checks that a bona fide user is attempting to access the network.
2) Encryption: protects data transferred across the network.
3) Firewall: protects data at rest on equipment connected to the network.

Ensuring a secure foundation will ensure patient data is safe, private and accurate and this will ultimately lead to better overall patient care.

To read the story in full please click here

When asked about what they thought of the current system for delivering and maintaining electronic health records in England many respondents’ comments reflected that whilst the idea is welcomed, the implementation was poorly executed. For example, "NPfIT is a GOOD idea BADLY implemented," and "good concept, badly managed."

Although the completion of the NPfIT may be several years away, there are several interim solutions that healthcare organisations can put in place now to enhance their operations. 86% of respondents believed that interoperable systems were the best way to deliver electronic health records, rather than through centrally purchased common systems.

To be successful the focus needs to be on integrating current systems on a local level, for example within a PCT, to provide patients with better co-ordinated care and meet the specific needs of the local community.

To read the story in full, please click here

In this week’s issue of Pulse, they discussed the announcement from health secretary, Andy Burnham, that restrictions on GP practice catchment areas will be scrapped by autumn 2010.

Whilst this initiative will provide patients with greater choice over where they are treated, many doctors are concerned over the logistics of controlling a system where patients can visit multiple practices in different PCT areas.

The key to making the system work and enable healthcare professionals to offer high standards of care is through enabling greater communication and more effective information sharing.

The N3 network has specifically been designed to share patient data. Furthermore, the creation of COINS across the network means that health and social care organisations are better connected. Having the correct IT infrastructure in place will allow doctors easier access to a patient’s medical history, and in turn this will lead to consistent, high levels of care regardless of where the patient is treated.

To read the article in full, please click here. 

This new network has recently been launched by the NHS and is a fantastic resource for the industry. By enabling healthcare professionals to network and discuss the issues that really matter it will help to better connect specialists and offer a better service for their patients.

To read more about the network and sign up click here.

Earlier this week we were speaking with a local GP who was telling us about their practice’s new software for file sharing and her frustration with the IT manager within their PCT.

Their current system is paper based, time consuming and highly inefficient. To address the issue her practice manager had spent several hours in meetings with solution providers and had read through several proposals for installing a more effective solution. 

When we asked her why they had chosen to do everything in-house rather than ask their PCTs IT manager for assistance the answer was quite surprising. Her view was that the PCT wasn’t interested in offering them guidance and listening to the needs of the local practices on an individual basis.

Even though the PCT is responsible for several practices in their catchment area, the IT manager should still be responsible for investigating possible solutions and offering a list of recommended suppliers. Working in this way would allow the PCT to standardise their IT systems across all the health organisations in their area, offer better levels of support and potentially reduce costs.

“and who will bear the responsibility for the security of these records, the NHS or the patient?”

As experts in IT security, we have thorough and in-depth knowledge about issues which affect IT systems and how to overcome them. We have read through and understand the mountains of guidance and legislation that governs what technology can and cannot be used in the public sector.

For example, if patients have access to their records over the NHS network N3, according to guidance issued by Connecting for Health they need to ensure an EAL4 compliant firewall is present to protect the data. However, unless you work as an IT Manager within a PCT you’re unlikely to know that, or indeed understand what EAL4 compliance actually means.

If the NHS does move to a local IT infrastructure with provide patients with increased access to their records are we now expecting patients to be up-to-date with the latest guidance? Are we expecting them to pay to put in place appropriate security measures to protect their personal data and the security of the whole NHS IT infrastructure?

These issues need to be clarified because Karen is right to be concerned - who will take responsibility for the security issues?

To read the story in full, please click here.

• Replacing the central IT infrastructure with local systems able to transfer records between GP practices and local hospitals
• Allowing patients to edit their own health records ‘and to choose whether or not to share this information with third parties’
• Encouraging the use of private sector and open source software across NHS IT

There are many potential issues with adopting this approach as expressed in the article by BMA’s head of science and ethics, Dr Vivienne Nathanson:

“We’re concerned by the suggestion that healthcare staff could be restricted from accessing important clinical information....If the information they have is incomplete there could be implications for patient safety....There are also concerns about the security of web-based systems and ‘strong safeguards’ were needed to protect patient data.”

If we are going to move to a decentralised approach it is essential that procedures are in place to ensure that healthcare professionals still maintain appropriate access to medical records and ensure they are able to treat the patient effectively and uphold a sufficient level of care. If the desire is to prevent unauthorised personnel from accessing information stored within the records, there are simple measures that can be put in place – such as authentication or controlled access rights – that are far less radical that allowing patients to delete parts of their medical history.

Furthermore, if the emphasis of the NHS IT infrastructure is on local provision, it is important that adequate security measures are put in place to protect information from falling into the wrong hands – for example installing firewalls at GP practices and encrypting data.

Irrespective of whether the Conservative’s plans are implemented, it is important that health organisations adopt these best practice procedures for their IT systems to protect and secure their data.

To read the story in full, please click here.

Yesterday we were speaking to a Practice Manager about the Summary Care Record. They shared with us their fears about other people accessing their patient’s data that are not authorised and have no reason to know their intimate details.

This could easily be overcome through controlled access rights which let people see only the information they need to. For example, a receptionist would see the patient’s personal details, but the doctor would be able to view their complete medical history.

At the same time there is clearly a need to ensure that the SIRO and any organisational IAOs work closely with the Caldicott Guardian and consult him/her where appropriate when conducting information risk reviews for assets which comprise or contain patient information. Organisations should consider whether the Caldicott Guardian should ‘sign-off’ information risk reviews in these circumstances.

The following is taken from guidance issued by Connecting for Health:

The SIRO

• Is accountable
• Fosters a culture for protecting and using data
• Provides a focal point for managing information risks and incidents
• Is concerned with the management of all information assets

The Caldicott Guardian

• Is advisory
• Is the conscience of the organisation
• Provides a focal point for patient confidentiality & information sharing issues
• Is concerned with the management of patient information
  

In this article (published in the British Journal of Healthcare and Information Management), Hytec's Director of Information Security, Alan Hunt, discusses the issues involved in maintaining the security of the communications infrastructure needed by primary care trusts. He then explains how meeting the security guidelines of the NHS N3 network can help trusts reduce their support costs and offer real benefits to GP practices

To read the article, please click here.

Earlier this week we spoke to a local GP who voiced their concerns over their out of hours service. If patients are at risk they have to leave records with the out of hours staff alerting them to their medical history. Each morning the doctors walk into notes from the patients that were seen the previous night which need to be manually typed into their patient’s records.

It’s an unnecessary task which could easily be eliminated using an IT solution and providing direct access to patient’s data.

Have you seen our latest article in this month’s Practice Business magazine?

The article focuses on how GP practices can make multi-site working more efficient, effective and safe. The piece includes comments from our Information Security Director, Alan Hunt (left), with his views on how IT has a big part to play in improving data security.

If you've missed the magazine but would still like a copy of the article, just drop us an email here.

In this commentary by our Director of Information Security Alan Hunt, he explores some of the security issues facing NHS IT.

“While the NHS has made some attempts to secure its networks, the onus now falls on health trusts to make sure patient data is safe,” Alan Hunt.

To read the story, please click here.

However, whilst this move to a system of paperless records is encouraging, it’s also important to ensure that the IT systems themselves have appropriate security measures in place to ensure that the data remains secure both when at rest and whilst in transit

To read the story in full, please click here.

Guidance from the BMA and RCGP recommends that GPs prepare to adjust their usual method of working so that they can segregate patients easily. This means sharing staff and resources with a ‘buddy’ surgery, or working in clusters across the PCT. But if you have to see your patients away from your normal surgery, will you be able to access their records?

The most flexible approach is to link all the surgeries across a PCT to build a ‘secure community’. Each surgery in the community must connect to N3 through a compliant firewall, and you must encrypt patient data before transferring it across the network. In our experience, this setup provides good support for pandemic working conditions.

There are no shortcuts when it comes to securing patient data for multi-site working, but the benefits of building a flexible and secure local network will last beyond any pandemic. With the right technology N3 can help GPs in other ways. For example, it allows PCTs to provide remote support for GPs’ IT systems, and saves time, money and unnecessary travel. It also enables GPs to access patient notes from home and share them with out-of-hours doctors.

To read the story in full, please click here.

In recent months we have seen a number of security breaches highlighted in the media and it is becoming apparent that patients are losing trust in the NHS and its ability to keep their personal details safe.

This new guidance is a welcomed development within the industry providing practical advice for data guardians. Whilst we can develop the safest IT systems in the world, it’s of no use if the people using them are not properly trained on best practice for data security.

To read more, please click here.

However, what caught our attention was the comment one reader has left: “isn’t N3 meant to be secure?”

It’s a common misconception that N3 is secure – it isn’t, and GP practices and PCTs need to ensure that they have the appropriate security in place when they connect to N3.

“Information is unencrypted when transmitted over the network therefore confidentiality of sensitive information within N3 is not assured.....It is therefore advisable for Existing Systems to take the appropriate measures to ensure that sensitive data is secure before connecting to N3.” Source: Secure use of the new NHS network (N3) Good Practice Guidelines.

To read the story in full, please click here.

• Justify the purpose for which the information is needed.
• Only use personally identifiable information when absolutely necessary.
• Use the minimum personal identifiable information possible – if possible use an identifier number rather than a name.
• Access to the information should be on a strict need to know basis.
• Everyone should be aware of his/her responsibilities to respect clients confidentiality.
• Understand and comply with the law. The most relevant legislation is the Data protection Act 1998, the Police & Criminal Evidence Act 1984 and the Human Rights Act 1998.
  

To read the Caldicott Principles in full, please click here.

GPsecure will help PCTs meet NHS Connecting for Health guidelines to ensure that GP surgeries within their trusts are electronically secure. While N3 is a private network, the integrity of its data depends on it’s users having secure connections.

Information security within primary care is something that the general public cares deeply about. The Information Commissioner’s Office has taken action against a number of PCTs recently because of lax data security. The NHS N3 network is not inherently secure, and PCTs must act to protect patient data and their legacy applications.

To read our press release in full, please click here.

Under the Personal Data Guardianship Code (issued by the Britich Computing Society) there are several key areas that need to be addressed:

• Accountability
• There should be clear management, responsibility, and processes for collecting, retaining, identity matching, sharing, disseminating, disposing of, risk assessment, security and audit of personal data.
• Consent
• The collation and use of personal data must adhere to the Data Protection principles.
• Furthermore, where possible patients should be given as much control as possible over how their data is used.
• Visibility
• Patients have the right to be informed of and have access to their records. They can amend their details and request to know who has access to them.
• Stewardship
• Once patient data has been collected, the organisation has a duty of care to protect the information throughout its lifespan, and to ensure it is disposed of safely.
• Access
• Patients have the right to know the roles and groups of people in an organisation that have access to their personal data.
• Responsibilities
• GP practices and other healthcare organisations should have data security and data privacy policies.
• These policies should make it clear who is responsible and accountable for the data.
  

To read the Personal Data Guardianship Code, please click here.

Breaches range from stolen laptops, lost USB sticks, storing unencrypted data and abuse of smart cards. Whilst these security breaches are unacceptable, they are also avoidable through implementing simple measures.

Many portable devices today have ‘stun and kill’ features. This means that should your mobile, laptop or PDA be lost or stolen you can remotely access the device and stop unauthorised people accessing the equipment.

Many GPs and healthcare professionals are increasingly using USBs to store sensitive information. However, NHS IT initiatives such as N3 and Spine are designed to enable information to be stored in one central location. This enables widespread access to data and prevents the need to download any information.

Everyone working in the NHS has a duty or care and responsibility to safeguard patient’s data. Even simple measures such as encrypting data when in transit and at rest can make a huge difference by preventing security breaches and restoring the public’s faith in the healthcare system.

To read the story in full, please click here.

Under the GPG there are eight main areas that GPs need to address:

1) Modernising information management and technology in general practice

The main considerations are:

• Choose and Book – an electronic booking service for hospital appointments
• ETP – electronic transfer of prescriptions
• NHS Care Records Service
• N3 – the IT infrastructure that supports these applications
  

2) Patient record systems

GP practices need integrated systems with appropriate arrangements in place for sharing information and place a greater emphasis on the need for:

• Consistent standards – through patient NHS numbers and agreed national coding schemes
• Excellent data quality
  

3) Information governance

This provides a framework for handling patient data in a confidential and secure way. By sharing information between different health organisations the delivery of health services will be consistent and more effective at meeting a patient’s needs.

The key areas of information governance that GPs must be aware of are:

• Consent – when disclosing patient data
• Anonymisation
• Data ownership, control and access
• Research
• Accessing patient data – CfH principles
• Electronic communication
• Role-based access rights and Smartcards
  

4) Migration towards a paperless office

A GPs data capture process should ensure the completeness, accuracy and relevance of information. It is an area that affects all clinicians and is designed to support patient care.

Practices need to consider the following to ensure the transition to a paperless office runs smoothly:

• Training – on processes and procedures for capturing information
• Identifying someone to lead – the preparation for practice participation in IT implementation and development
• Undertaking a baseline assessment – enabling the practice to determine what changes need to be made to improve their data recording processes
• Reviewing and changing procedures – to ensure completeness and consistency of data capture
  

5) Data transfer

When patient records are transferred, it is possible that the clinical meaning can be corrupted or altered as a result of the transfer process. This in turn can affect clinical best practice or patient safety.

Types of data transfer include:

• Transfer of data when migrating to a new software system
• Transfer of data when moving to a new version of the same software system
• Transfer of data by electronic messages between different systems
• Transfer of data by incorporation of information from a remote system
  

6) Electronic documents

• GPs must not destroy or delete electronic patient records for the foreseeable future
• Procedures must be in place for shredding paper documents
• Attached electronic documents/images must be accompanied by a description of the attachment
• Electronic attachments must be easily available to send to other practices when appropriate for consistent patient care
• When scanning information, practices must use processes that ensure workflow safety and reliability
  

7) Education and training

Some areas highlighted on the checklist are:

• How to use the technology – e.g. using the office programmes
• Data, information and meaning – e.g. understanding the importance of consistency and accuracy in data entry
• Integrating electronic and interpersonal communication of information – e.g. how to incorporate knowledge from the computer into the consultation
  

8) Accreditation of paperless practices

If GP practices wish to become paperless they need to seek written permission from their PCT

The practice will need to prove to the PCT that they have appropriate processes in place to support a paperless office and maintain the security of their data to ensure it is never compromised

• Protect patient identifiable data, held on GP systems, from threats posed by insecure networks such as the N3
• Enable centralised remote support and management of GP systems by PCT staff and their service partners
• Provide GPs with fully authenticated, secure remote access to their practice systems
• Create the technical environment for systems that support Practice Based Commissioning in GP surgeries

To read the case study in full, please click here

As the comments in this news article (Pulse, 7 May) show, many GPs have concerns over the system being abused by patients wanting multiple prescriptions or by duplicating patient records.

However, dual registration doesn’t have to be daunting. To make the system work, GP practices, hospitals and other health care institutions need easier communication to share patient records. NHS IT initiatives such as N3 and Spine are designed to prevent abuse of the system and allow easier access to data. To make dual registration a success we need to be reinforcing these systems to ensure a secure and efficient network across the NHS.

Read the story in full here