Feeds

Scottish NHS data safeguarded by bizarre questionnaire

Sturgeon ends fishy practices

Next gen security for virtualised datacentres

Scottish Health Secretary Nicola Sturgeon has welcomed new rules to tighten up security around patient records in Scotland. This follows the discovery of confidential details about patients and their treatment in two separate – and derelict - hospital premises.

In July, records turned up at the Law hospital in Carluke, Lanarkshire. In May children's medical records were found in the Strathmartine hospital in Dundee. Each was abandoned at the times of the discoveries. A reporter for Scottish station STV revealed that the data included the names of child psychiatric patients, and their medication and progress.

The recommendations form part of a package put forward by NHS Quality Improvement Scotland (QIS) and include a number of "data security protocols" designed to avoid a repetition of such embarrassing incidents.

According to the recommendations, in future NHS Scotland will not use disused buildings to store any health records or personal identifiable information. It will keep all patient information within its formal health records, destroy redundant information and train staff in data protection and management. It will also provide guidance on managing patient information held by clinical staff who leave their posts.

Sturgeon said: "Although this was an isolated incident, breaches of data security should not be happening at all".

A spokesperson for NHS Scotland added helpfully that the records had not actually been stored: "The buildings in which they were located had been abandoned and records left behind." Whether this makes the incident more or less worrying, we leave to our readers to decide for themselves.

Nor are these new protocols exactly "new". According to the same spokesperson: "They are best practices which hospitals ought to have been adhering to already. In principle, nothing much has changed. This is simply a codification of what was going on before."

This is reassuring news, as is a response from NHS England that Guidance for the NHS in England "already includes those areas identified by Quality Improvement Scotland and can be found in the NHS Information Governance Toolkit".

But this might not be strictly true. The IG Toolkit contains links to hundreds of documents on best practice and good governance. Many of these are expressed in the form of process checklists, rather than direct instructions as to what to do in a given situation.

Thus the summary of IGT requirements 2008-9 contains over 90 helpful audit questions, including: "Does the Organisation have adequate arrangements in place to ensure safe and secure handling of information (eg policies and procedures and access to expert advice on Confidentiality, Data Protection and Information Security)?"

No doubt, if an Organisation does have adequate arrangements in place, data loss Scotland-style would never happen, but it is not at all clear that the Toolkit sets out what such arrangements would look like.

Organisations are also confronted with more obscure questions such as: "Does the Organisation have adequate governance in place to support the current and evolving Information Governance agenda?"

The lesson from Scotland seems to be that NHS bodies need to cut through the high managerial waffle. Instead of checklists asking whether "the organisation has policies in place in respect of pushing buttons of different colours", there are times when a much simpler policy of "do not press the red button" is more apt.

On the evidence to hand, it is not at all clear that NHS England understands this. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Super Cali signs a kill-switch, campaigners say it's atrocious
Remote-death button bad news for crooks, protesters – and great news for hackers?
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
Don't even THINK about copyright violation, says Indian state
Pre-emptive arrest for pirates in Karnataka
The police are WRONG: Watching YouTube videos is NOT illegal
And our man Corfield is pretty bloody cross about it
Felony charges? Harsh! Alleged Anon hackers plead guilty to misdemeanours
US judge questions harsh sentence sought by prosecutors
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.