Response to Caldicott review includes promise of extra money, commitments for NHS Digital and safeguards in sharing patient data
The Government has agreed to adopt a set of data security standards for health and social care and said it will pump more money into dealing with structural weaknesses in cyber security.
The commitments are among the key features of the Department of Health (DoH) response – titled Your Data: Better Security, Better Choice, Better Care – to Dame Fiona Caldicott’s Review of Data Security, Consent and Opt-Outs, which was published in July of last year.
The review focused on the security of IT systems in health and social care and whether people are sufficiently informed about how their data might be shared. It was prompted by growing concerns about the implications new technology for the privacy of patient data.
Caldicott and the Care Quality Commission wrote to Health Secretary Jeremy Hunt several months before the virus WannaCry struck, warning that an “external cyber threat” to the NHS was growing.
In response to this, the DoH has agreed to adopt the 10 data security standards set out by Caldicott.
These are clustered around three themes: ensuring staff are equipped to handle information respectfully and safely, in line with the Caldicott Principle from 1997; proactively preventing data security breaches and responding appropriately to incidents and near misses; and ensuring technology is secure and up-to-date.
Individual standards include: annual data security training for staff; ensuring confidential data is only accessible to those who need it for their current role; annual reviews of processes; the need for continuity plans to respond to threats to data security; ensuring no unsupported systems are used in the IT estate; using a strategy such as Cyber Essentials to protect IT systems.
Data handling measures
The DoH has also gone along with recommendations from the Care Quality Commission on security in handling patient data. These include establishing clear ownership and responsibility; providing staff with the right tools and support; designing protocols in IT systems around the needs of patient care to remove the need for workarounds; and urgently replacing hardware and software that can no longer be supported.
The spending commitment – the total of which is unspecified – will be in addition to the £50 million identified in the 2016 Spending Review, and will begin with £21 million of capital funding to increase the cyber resilience of major trauma sites.
Money will also be spent on improving NHS Digital’s national monitoring and response capabilities, and the organisation will broadcast alerts about cyber threats to hospitals, provide a hotline for dealing with incidents and carry out on-site assessments to check security.
Other cyber security measures include NHS Digital building on its CareCERT suite of advice and support services; redesigning and updating the Information Governance Toolkit; publication this summer by NHS Improvement of a new ‘statement of requirements’ for local organisations; and working with health and care organisations to assess whether other assurance frameworks meet their needs.
The key measures in the effort to build patient trust include the development, by December 2018, of a digital service for people to understand who has accessed their summary care record. By March 2020 there should be an online service for them to see how NHS Digital has used their personal data for purposes other than direct care.
This will be accompanied by people being given the choice to opt out of sharing their data beyond direct care across the health and social care system.
In addition, NHS Digital will develop a mechanism to de-identify data on collection from GP practices, with a target date of September 2019.
All this will be backed up by a new Data Protection Act and placing the role of the national data guardian on a statutory footing.
Health Minister Lord O’Shaughnessy said: “The NHS has a long history of safeguarding confidential data, but with the growing threat of cyber attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS.
“Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”
Caldicott (pictured) welcomed the response to her review, emphasising the measures around public trust and how they relate to technological changes.
“There is still little public awareness of the way information collected by health and care services is currently shared, and that trust has not yet been earned,” she said. “I believe that the implementation of my recommendations will be an important step in this process.
“I do not underestimate the challenges of this implementation. It will involve a great deal of work, including the building of technical solutions, support and training for staff, and not least culture change. Most importantly it will involve an ongoing conversation with the public about how data is used and what choices people can make.”
She added: “Past failures to use patient data safely and respectfully have been well publicised. But I believe that if the right steps are taken now, the great benefits of using such data can become just as familiar to the public in the future.”
It also prompted a positive response from Rob Shaw, chief executive officer of NHS Digital, who said it is committed to the principles of Caldicott’s review.