Mind the security gap while adopting electronic health records
Marc Lee, Director EMEA, Courion
10 April 2013
The target set by UK Health Secretary Jeremy Hunt, for digital information to be available across NHS and social care services by 2018, stirred a debate about whether the NHS is prepared to seamlessly transition to new digital records system without exposing patient data to security risks.
The move is aimed at enabling healthcare staff to share data more effectively and improve the efficiency of services. The paperless patient records agenda offers great opportunities for service improvements for the NHS. However, in the past some parts of the NHS have had real challenges with managing the risk of security breaches, with the Information Commissioner’s Office (ICO) levying heavy fines for breaches resulting from staff error and lack of compliance with data protection policies.
To overcome these security issues and enable more efficient healthcare, the NHS will need to ensure that sensitive patient information is captured, stored and transmitted securely in accordance with the latest compliance requirements.
The introduction of electronic patient records will also call for automatic enforcement of existing data governance practices and compliance mandates. One of the key issues will be how to ensure that only authorised personnel have access to patient information and that there are mechanisms in place to manage accountability in the event of a breach. Compliance mandates also require healthcare organisations to periodically review and certify that their employees’ access privileges are consistent with their role in the organisation.
This is becoming increasingly critical as regulations require primary healthcare providers (ie GP practices and hospitals) to ensure that business partners (suppliers, insurance companies, etc) also implement security processes and procedures designed to protect sensitive patient data against disclosure. However, the issue is that existing approaches to data governance and access certification focus on providing access privileges to authorised personal and reviewing these access rights on every three, six or twelve months.
This gap between user provisioning and access certification exposes healthcare organisations to significant security risks as changes that happen within this period remain undetected. This issue will be amplified by the introduction of electronic patient records as the immediacy of access to sensitive information will require near real-time management of access risk. Failing to achieve such robust access management practices may have negative consequences for NHS data protection requirements.
Therefore any major innovations in digitising of patient records must be accompanied by stringent analysis of potential access risk. This will help prioritise and plan for existing and potential security risks, while enforcing internal data protection policies and automatically provisioning or revoking access to patient records depending on those rules. What’s even more important is that a strong access risk management strategy will enable IT staff to easily identify abnormal activities and act upon them before they have turned into a major security issue.
To be able to control access to sensitive patient data, it may be necessary for healthcare organisations have near real-time view into access risk, especially as they significantly widen access to patient records with the patients themselves and a range of providers, many of which will be private healthcare contractors.
This strategy will constantly analyse IAM and other security data from access governance, user provisioning, and password management systems to identify and quantify access risk. Moreover, this approach allows organisations to analyse data from external resources such as SIEM and DLP systems, providing IT staff and compliance officers with a clear view of how sensitive data is being used.
This view will not only improve the enforcement of data governance practices, but will also help ensure that changes in users’ access rights are reflected in the IT system in almost real-time, thus mitigating the threat of a potential security breach.
When an action that affects access occurs, the access management system should be able to automatically drive compliance with policies and regulations, eliminating time, cost and errors of manual processes. This will significantly increase operational efficiency and improve control over access risk, while ensuring that data privacy standards are maintained.
Such successful access risk management practices have already been implemented in other healthcare organisations across the world. For instance, HCR ManorCare, which is one of the biggest home care providers in the US, has implemented access risk management solutions that leverage a real-time access intelligence engine to monitor, quantify and analyse access risk and enforce data protection policies across its workforce of 60,000.
The NHS IT policy promises to transform how patients and clinicians access and share information to enable enhancements in care and healthcare outcomes. These goals will be achieved so long as the NHS strikes the right balance between protecting user privacy and providing access to confidential data, while ensuring control of access risk. This will be essential for ensuring the long-term success of the electronic patient records initiative and will provide an additional layer of security for patients and NHS staff alike.
Marc Lee is Director EMEA for Courion.