Partners and practice managers need to be aware of the information security risks faced by practices, and of the penalties for breaches and non-compliance that are being reported.
The 2013 Caldicott Report
The Information Governance Review arose out of concerns that healthcare data was not being securely safeguarded. The report noted that 186 serious data loss cases had been notified to the Department of Health in the year to June 2012.
As well as the cases reported to the Department of Health, a large number are reported to the Information Commissioner’s Office (ICO) each year. The ICO has the power to fine organisations up to £500,000. In addition to the ICO, data breaches in healthcare also fall within the remit of the Care Quality Commission (CQC).
Note that the fines and costs arising from data loss are not covered by general insurance policies so it is important to have a method of managing the risks.
Data losses and fines in the healthcare sector
The ICO fines include cases of loss or theft of unencrypted laptops and memory sticks, lost unencrypted backup tapes, and personal data emailed to the wrong recipients. Further examples from the healthcare sector include:
• Sending faxes of patient data to the wrong person – £55,000 fine.
• Patient data found on second-hand PCs sold on eBay – £200,000 fine. There was a failure to monitor the destruction of the hard drives. Note that it was the owner (data controller) of the hard drives who was fined, not the destruction company.
• DVDs containing confidential personal data lost by a courier firm – £50,000 fine. The data was not encrypted.
• Letters containing patient data sent to the wrong recipients – £60,000 fine.
• Confidential paper records of patient data left in an unattended site which was not physically secured – £225,000 fine.
Your responsibility when outsourcing data
When you, as a data controller, outsource the processing of personal data, whether it is your patient or staff data, the responsibility for the security of that data remains with the GP practice, and it is the practice that is fined or reprimanded in the event of a data loss. In short, as the second example above shows, you cannot outsource your information security responsibilities.
Outsourcing risks exist whenever you send patient data to a third party or allow a third party access to your patient data. This is not always obvious: the risks apply to your IT support company, which has access to your systems, and equally to a payroll bureau if you outsource your payroll.
What you need to do in your practice
Best practice for dealing with information security in your practice is to implement an Information Security Management System (ISMS).
An ISMS is a documented, systematic and methodical way of identifying and controlling all the risks of data loss. An ISMS provides a full audit trail of actions and includes:
• Risk identification
• Information security policies and controls, based on risks
• Annual staff training linked to the risks and policies
• Annual staff assessments to confirm and evidence understanding
• Regular updates for changes in regulations
Benefits of an ISMS
The benefits of an ISMS:
• Enables you to demonstrate your practice takes care of patient data.
• Significantly reduces your practice’s risk of fines and associated loss of reputation.
• Provides the practice and its staff with documented evidence of risks identified, policies and controls put in place and evidence that staff have been trained and have understood the training.
• Provides the controls whose absence the ICO has cited when fining organisations that suffered data loss.
How we can help your practice
Hawsons can supply and help you implement an affordable ISMS and also provide an Annual Security Status Report and certificate in accordance with ISO 27014 so you can demonstrate you are a “safe pair of hands”.