Scotland beats England on protection of NHS patient data

English trusts advised to take the lead from Scotland to reduce data protection breaches

Just weeks after industry experts accused NHS trusts in England of lagging behind their Scottish counterparts on the procurement of healthcare IT solutions, trusts north of the border have once again come out on top on the issue of protecting patient data.

Following the announcement by the Department of Health in England of Dame Fiona Caldicott’s independent review into the use of patient information, insiders say the country’s health trusts should again take the lead from Scottish boards.

In the same way that Scotland has taken a centralised approach to IT procurement, unlike the more piecemeal, localised system used in England, the country has also laid out a strict protocol for the protection and use of patient data across all trusts.


Health Facilities Scotland (HFS) recently launched a campaign under the slogan ‘Security – it’s everyone’s business’. This will provide operational guidance to all NHS bodies with a focus on three key areas: protecting people, protecting property and assets, and information security. Included in this will be guidance on inappropriate access to IT systems and the modification and manipulation of data, particularly in patient record systems.

HFS director, Paul Kingsmore, said: “We are keen to support NHS boards across Scotland to protect their people, property and information. Over the coming months, we will be providing advice on best practice to boards through this awareness campaign.”

He said national guidelines and a staff training programme would be introduced to help boards implement a consistent approach to security procedures. Posters and leaflets will also be distributed. In addition, the Western General Hospital in Edinburgh has already piloted new, tighter security measures and the Scottish NHS has agreed to a countrywide rollout of the FairWarning privacy surveillance system.


The solution, delivered by Northgate Managed Services, will ensure only authorised access to identifiable patient information.

Company director, James Turnball, said: “It has never been so important for organisations in possession of critical information to protect it. NHS Scotland has moved quickly to update its security protocols and to ensure the proper handling of sensitive and confidential patient information by its staff.”

The system will be deployed at all 14 of the country’s health boards and will help to identify users whose patient record access follows patterns indicative of snooping, password sharing and other suspicious behaviours.

But, unlike the approach in Scotland, England is likely to procure any solutions on a much more localised basis, leading to concerns that information held by some trusts will be more secure than at others.


Kurt Long, founder and chief executive of FairWarning, said: “The widespread use of electronic healthcare systems and the free flow of information are essential for the sustainable delivery of better outcomes for patients. This can only be successful if clinicians and patients have confidence that sensitive data is secure. Unfortunately, as every hospital chief information officer and head of IT in England knows, this is far from being the case as many have no effective safeguards in place to stop staff misusing their legitimate access rights to look at patient records.

“This is something that is being addressed very effectively by NHS Scotland and we hope Dame Fiona and her panel will look to NHS Scotland as an example of good practice.

“Unless security is treated as the fundamental underpinning of electronic healthcare systems, there is a clear danger that continuing data breaches will damage public confidence, causing patients and NHS professionals to back away from electronic care.”


The company advises a three-point plan of action addressing three basic safeguards: securing electronic communications with patients and carers, securing data in and across systems, and assuring only appropriate access to data.

Long said: “The world of electronic healthcare has come a long way, but there is still so much more it can deliver. But, with many tens of thousands of people sharing many millions of pieces of highly-personal information daily, NHS IT systems must be secure and they have to be policed.”
