Feeds

Scottish NHS data safeguarded by bizarre questionnaire

Sturgeon ends fishy practices

Secure remote control for conventional and virtual desktops

Scottish Health Secretary Nicola Sturgeon has welcomed new rules to tighten up security around patient records in Scotland. This follows the discovery of confidential details about patients and their treatment in two separate – and derelict - hospital premises.

In July, records turned up at the Law hospital in Carluke, Lanarkshire. In May children's medical records were found in the Strathmartine hospital in Dundee. Each was abandoned at the times of the discoveries. A reporter for Scottish station STV revealed that the data included the names of child psychiatric patients, and their medication and progress.

The recommendations form part of a package put forward by NHS Quality Improvement Scotland (QIS) and include a number of "data security protocols" designed to avoid a repetition of such embarrassing incidents.

According to the recommendations, in future NHS Scotland will not use disused buildings to store any health records or personal identifiable information. It will keep all patient information within its formal health records, destroy redundant information and train staff in data protection and management. It will also provide guidance on managing patient information held by clinical staff who leave their posts.

Sturgeon said: "Although this was an isolated incident, breaches of data security should not be happening at all".

A spokesperson for NHS Scotland added helpfully that the records had not actually been stored: "The buildings in which they were located had been abandoned and records left behind." Whether this makes the incident more or less worrying, we leave to our readers to decide for themselves.

Nor are these new protocols exactly "new". According to the same spokesperson: "They are best practices which hospitals ought to have been adhering to already. In principle, nothing much has changed. This is simply a codification of what was going on before."

This is reassuring news, as is a response from NHS England that Guidance for the NHS in England "already includes those areas identified by Quality Improvement Scotland and can be found in the NHS Information Governance Toolkit".

But this might not be strictly true. The IG Toolkit contains links to hundreds of documents on best practice and good governance. Many of these are expressed in the form of process checklists, rather than direct instructions as to what to do in a given situation.

Thus the summary of IGT requirements 2008-9 contains over 90 helpful audit questions, including: "Does the Organisation have adequate arrangements in place to ensure safe and secure handling of information (eg policies and procedures and access to expert advice on Confidentiality, Data Protection and Information Security)?"

No doubt, if an Organisation does have adequate arrangements in place, data loss Scotland-style would never happen, but it is not at all clear that the Toolkit sets out what such arrangements would look like.

Organisations are also confronted with more obscure questions such as: "Does the Organisation have adequate governance in place to support the current and evolving Information Governance agenda?"

The lesson from Scotland seems to be that NHS bodies need to cut through the high managerial waffle. Instead of checklists asking whether "the organisation has policies in place in respect of pushing buttons of different colours", there are times when a much simpler policy of "do not press the red button" is more apt.

On the evidence to hand, it is not at all clear that NHS England understands this. ®

Intelligent flash storage arrays

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.