Under GDPR, your healthcare organisation only needs to store and process data if it:
1. Helps the patient
2. Benefits the public
3. Aids the organisation’s legitimate interests
4. Complies with a legal obligation
But, once you collect this data, you’re then legally required to:
- Keep it confidential and restrict access
- Allow data owners access to manage their information, such as amending or erasing it
- Ensure no one alters the data
This is especially important when you consider data security threats. Malicious attacks, such as ransomware, can cause major disruption to NHS services. Take the WannaCry attack in 2017 as an example. This incident affected more than 80 per cent of hospital trusts and resulted in the cancellation of 19,000 appointments.
But the threats aren’t always malicious. A company that printed and dispatched more than ten million NHS letters to patients mistakenly sent one of their employees a memory stick with an entire server’s worth of patient information. While it was a genuine error, it was still a breach under the GDPR—and a criminal offence.
To stay compliant, you need to take steps to protect your data from threat actors and employee errors. Here’s how.
3 tips to protect your healthcare data
You need data insights to provide efficient care. But you also need to keep patient information safe. Our tips will tell you how to easily achieve both.
1. Encrypt data
Encryption scrambles your data so it’s indecipherable. So, even if an unauthorised person does get access to your information, they won’t be able to read it.
You can encrypt stored data, as well as data between patient applications and servers. This adds an extra layer of security to applications, such as the NHS Login and the NHS app, ensuring patients can only access their own personal records.
Beyond this, encrypt before transit, authenticate on arrival and decrypt. This will prevent data leakage when communicating with staff and third parties by email or over messaging platforms.
2. De-identify data
Sometimes there’s no basis for accessing and processing personally identifiable information (PID). Doing so won’t help the patient, further the work of your organisation, or benefit the public.
In these cases, it’s necessary to de-identify the data, so you won’t know the identity of a patient without additional information.
Measures for this can include data cleansing, such as removing information from patient forms before passing them on to another department. It can also include pseudonymising the data. For example, instead of using a patient’s date of birth to access records, you might instead use a tokenised ID.
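As an added illustration (not code from Mastek or the NHS), the sketch below cleanses a record and replaces the patient identifier with a keyed token before it is passed on. The field names, the key and the sample record are constructed assumptions; the key is the "additional information" that must be held separately from the de-identified data.

```python
import hashlib
import hmac

# Constructed key for the example only; in practice the data controller
# holds it separately from the de-identified data set.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"

# Fields assumed (hypothetical schema) to identify a patient directly.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "nhs_number", "date_of_birth"}


def tokenise(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable tokenised ID with HMAC-SHA256 (a keyed hash, so the
    token cannot be recomputed from a guessed identifier without the key)."""
    normalised = patient_id.replace(" ", "").strip()
    digest = hmac.new(key, normalised.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def deidentify(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy safe to pass on: direct identifiers removed, a token
    added for linkage, date of birth (assumed ISO format) cut to the year."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_token"] = tokenise(record["nhs_number"], key)
    if record.get("date_of_birth"):
        out["birth_year"] = int(record["date_of_birth"][:4])
    return out


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example",
    "nhs_number": "999 000 0001",
    "date_of_birth": "1984-03-17",
    "address": "1 Example Street",
    "phone": "01632 960000",
    "diagnosis_code": "J45",
    "appointment": "2024-05-02",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

The same patient always maps to the same token, so the receiving department can still link records without seeing who the patient is.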
3. Tighten security
Updating devices with new security patches will tighten security and fix vulnerabilities.
But tightening security also means strengthening your access management. You should turn off services for personnel who no longer need them, and ensure only authorised staff get access to certain data.
Add two-step verification (2FA) to all your data assets. This adds an extra layer of security after staff enter passwords by sending secure codes via text or an authenticator app.
The future of data protection in healthcare
We’ve given you three tips on how to improve your data protection and stay compliant. But, while these are immediate actions you can take for instant results, what about down the line?
Future-proofing your healthcare data will make data protection and compliance easier to achieve. It’ll also increase your patients’ trust. We’re going to explore two approaches, with real-world examples from Mastek.
1. Modernise your access management
Many healthcare organisations still give their clinicians physical smart cards for data access. These provide strong security, but there are some drawbacks: anything handheld can easily be lost, along with the data access it provides. Plus, there’s the added risk of these cards falling into the wrong hands.
Microsoft Authenticator (with AAL2) is a secure and easy way for staff to prove who they are. It applies 2FA to all your data assets, so clinicians can access crucial information without putting it at risk.
To bolster your efforts, deploy Identity and Access Management (IAM). This is a framework of policies and technologies that allows only authorised people access to certain assets based on their roles and responsibilities.
But what happens when your staff members change roles? Well, most organisations will have to remember to switch off or upgrade permissions manually. Otherwise, staff will continue to have access to data they shouldn’t, or won’t have access to the data they now need.
Within the NHS, Mastek implemented a new identity management system that tracks role changes. It connects to Java Modelling Language (JML) and applies logic-based rules to data access. The system assesses role changes and automatically updates permissions.
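To show what rule-based permission updates on a role change can look like, here is an added sketch (not Mastek's system or its code). The role names, permission names and event types are hypothetical assumptions, and the sample events are constructed.

```python
# Hypothetical role-to-permission rules; all names are assumptions.
ROLE_PERMISSIONS = {
    "ward_nurse": {"read_ward_records", "record_observations"},
    "pharmacist": {"read_prescriptions", "dispense_medication"},
    "clinic_admin": {"book_appointments", "read_demographics"},
}


def plan_changes(current: set, roles: list) -> dict:
    """Compare the permissions a user holds with what their roles allow."""
    unknown = [r for r in roles if r not in ROLE_PERMISSIONS]
    if unknown:
        # Fail closed: an unrecognised role must not be processed silently.
        raise ValueError(f"no rule for role(s): {unknown}")
    entitled = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
    return {"grant": sorted(entitled - current),
            "revoke": sorted(current - entitled)}


def apply_event(directory: dict, event: dict) -> dict:
    """Apply one role-change event (join, move, leave) and return the plan."""
    user = event["user"]
    # A leaver is entitled to nothing, so every held permission is revoked.
    roles = [] if event["type"] == "leaver" else event["roles"]
    current = directory.get(user, set())
    plan = plan_changes(current, roles)
    directory[user] = (current | set(plan["grant"])) - set(plan["revoke"])
    return plan


# Constructed sample events for one member of staff.
EVENTS = [
    {"type": "joiner", "user": "alice", "roles": ["ward_nurse"]},
    {"type": "mover", "user": "alice", "roles": ["pharmacist"]},
    {"type": "leaver", "user": "alice"},
]

if __name__ == "__main__":
    directory = {}
    for ev in EVENTS:
        print(ev["type"], apply_event(directory, ev))
```

The revoke list is the part a manual process tends to miss: on the move from ward nurse to pharmacist, the old ward permissions are removed in the same step that grants the new ones.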
2. Give ownership of data to the patient
Almost 28 million people in England use the NHS login, and more than 16 million have the NHS App. As such, more and more people can view their medical records and services easily. This means they can access and share their own data, with the potential to control what personal information your organisation can use.
Patients should have this right. And they should have this choice every time they submit new information. This will increase transparency and trust. And, it will reduce instances of accidental data dissemination and breaches too.
At Mastek, we understand the importance of data ownership and control. We’ve already developed and support a personal data application for the NHS that gives more data ownership to the patient. But that’s just one app. As we continue to use more digital healthcare solutions, it’s the perfect opportunity to give patients control over their information. And remove some of your data compliance burdens.
To find out more about healthcare data protection and compliance, contact us.