National Data Security Standards for Health and Social Care: Speaker News & Updates
Chaired by Christopher Fincken, Chairman of the UK Caldicott Guardian Council, this conference focuses on implementing the 10 National Standards for Data Security which were proposed by the National Data Guardian, Dame Fiona Caldicott, in July 2016. Through national updates, extended in-depth sessions and practical case studies, the conference will provide a guide to ensuring compliance with the new standards in practice.
Speaker News and Presentations:
The day opened with a pre-conference breakfast meeting sponsored by RelianceACSN on Digital Information Security, Trust and Resilience - Implementing Data Security Standards for Health and Social Care. Full Presentation Click Here
The National Data Security review
Learning from data security breaches
Stacey Egerton, Lead Policy Officer, Public Services Team, Strategic Liaison, The Information Commissioner's Office
- learning from case studies of breaches by NHS and Social Care organisations
- reporting, managing and investigating information governance serious untoward incidents
- the impact of technology on data security breaches
- understanding how we can reduce breaches involving human behaviour
- the role of the Information Commissioner and an update on the data sharing code of practice
Stacey Egerton’s Full Presentation Click Here
Stacey Egerton’s Biography:
Stacey joined the Information Commissioner's Office in 2012 as a case officer dealing with concerns raised by the public across the local government sector. She is currently a Lead Policy Officer within the ICO's Strategic Liaison department, working with a range of organisations in the health, education and local authority sectors. She has responsibility for helping manage the strategic relationships with the stakeholders in these sectors in order to uphold information rights and promote data privacy for individuals. Over the last 12 months Stacey has done a significant amount of work in relation to data sharing and integrated care initiatives.
Professor Martin Severs, Caldicott Guardian and Lead Clinician, NHS Digital; National Data Guardian Panel Member
- the recommendations from the data security, consent and opt-outs review
- the ten National Data Security Standards
- how will compliance against the standards be measured?
- priorities for implementation and moving forward
Professor Martin Severs' Full Presentation Click Here
In his presentation Professor Martin Severs stated:
“The review underlines the central importance of trust.”
“The ability of the patient or service user to talk candidly to their health or care professional to trust that information they share will be treated with respect is as vital now as it always has been. So as we develop new technologies and find new ways of using information to gain insight into how to improve care, the relationship of trust between an individual and the clinicians or professionals caring for them remains critically and centrally important to the effective functioning of the system, just as it has done for many years.”
“Individual citizens also need to be able to trust the system as a whole to keep their data secure. We heard that they largely do trust the NHS, although levels of trust in the social care system were lower.”
“I make no apology for trust being the key theme in my work as National Data Guardian.”
“There is little knowledge among the general public about how data is used”
“Benefits may be clear to experts – but not to the public yet”
“Our evidence shows that most people want to support their data being used to improve care…but transparency, security, and red lines matter…and people expect a choice”
Ten new standards, grouped under three leadership obligations – people, processes, technology:
Leadership Obligation 1: People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
“We need to educate people not just train people”
Leadership Obligation 2: Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
“We have got to think about processes – in a world of technology we need to learn and react quick”
Leadership Obligation 3: Technology: Ensure technology is secure and up-to-date.
“We are going to have the opt out option – the question is, are we going to have 1 or 2 questions. And it will be respected by all organisations that use health and social care information”
“The government have accepted in principle by the UK Government – it is considering the consultant responses. Nothing has changed yet and implementation will not be overnight”
Professor Martin Severs' Biography:
Martin Severs is a practising Consultant Geriatrician and Associate Dean in Clinical Practice at the University of Portsmouth. He has over 20 years of professional leadership roles in health informatics, notably for the Royal College of Physicians and the Academy of Medical Royal Colleges, as chairman of their information advisory structure, which he founded and ran for eight years.
Since 1999, Martin has also been the Chairman of the Information Standards Board for Health and Care in England, which is the body that approves [or not] information standards for the health care system.
He also designed, set up and was the Management Board Chairman of the International Health Terminology Standards Development Organisation, which has expanded from seven to 19 country members. In March 2012 he took up the clinical lead position with the independent Information Governance Review led by Dame Fiona Caldicott. Martin has also held Non-Executive roles with two national charities.
Dan Taylor, Programme Director, CareCERT
Implementing Recommendation 4: All health and social care organisations should provide evidence that they are taking action to improve cyber security
Dan Taylor’s Full Presentation Click Here
In his presentation Dan Taylor stated:
“Don’t make the mistake of leaving the data security of the many to the few, the IT people, the secure areas and IG Leads. It starts with leadership and personal responsibility. We all have a responsibility for our data. Own the issue at senior leadership level. Empower through training and learning personal responsibility in data security.”
“The threat is real and in the public domain”
“Early interventions can make a big difference. One of the things we do at CareCERT: we saw threats ahead of them taking place”
Known Data Security Challenges
- Unsupported OS Browsers
- Inappropriate Staff Training
- Poor leavers, movers and changes process for staff
- Too many privileged system accesses
- Significantly reduced investment funding
- Limited situational awareness of cyber preparedness locally
- Social Engineering - Sophisticated Spear Phishing
“CareCERT React – is advice and guidance for if and when the worst happens. We won’t tell you ‘you have to do this now’; we will, however, provide advice and guidance.”
“CareCERT also provide N3/HSCN network monitoring – stopping network threats as they happen.”
“It’s about being proactive – using the tools and guidance to be proactive in stopping threats.”
The aim is to reduce the burden on organisations while increasing the value of the toolkit, enabling organisations to deliver safer solutions and meet the NDG data security standards. This means reducing duplication and simplifying the process of maintaining the toolkit. A refreshed toolkit needs to drive regular improvement and sit on the leadership agenda, with KPIs to show progress. The services offered by the centre should support the ten data security standards, which will be embedded in the toolkit.
CareCERT delivery timescales – we will be delivering on these in the next 12 Months – see slide 25
Some final advice:
“Invest in people; personal responsibility in data security is key”
“Be part of free initiatives such as CareCERT and CareCERT Assure now (email us to know more) use and benefit from the advice and guidance of CareCERT React and CareCERT Knowledge later this year.”
“Don’t fall into the trap that Cyber Security doesn’t affect patient care or patient wellbeing, it does, and it is…as we have seen.”
“Don’t entrust the security of the many with the few. We’re all on the hook to enhance what we do”
Dan Taylor’s Biography:
Dan Taylor leads NHS Digital's Data Security Centre (DSC), which is at the forefront of information and data security. Part of the DSC's role is to deliver secure-by-design applications and to build awareness and understanding of personal and cultural responsibilities for securing data.
The DSC's Cyber Security Programme is delivering a number of projects to build cyber-security defence across the country; Dan and his team have brought into operation the CareCERT Intelligence service, helping health and care respond to potential threats as cyber security becomes ever more important in our current age of technology. Training programmes and guidance continue to be delivered, with new services such as CareCERT React and Assure being offered to early adopters in September 2016.
Dan has worked with NHS Digital and its forerunner organisations since 2010, working at a national level delivering change through a number of nationwide programmes, having previously worked across the NHS in management and leadership roles since 2004.
Future events of interest:
Caldicott Guardian Training Courses
Towards the Digital Hospital
Monday 20 February 2017
De Vere W1 Conference Centre, London
Caldicott Guardians: National Annual Conference
Monday 15 May 2017
De Vere West One Conference Centre, London
2 December 2016