UK Government endorses new data security standards and greater patient control over use of health data

The Department of Health published its Review of Data Security, Consent and Opt-Outs (the “Review”) earlier this year. Incidents such as WannaCry (refer to article above for more detail) have created awareness of the ease and speed with which cyber-attacks can cause widespread disruption and highlight the importance of ensuring that organisations implement strong security standards, particularly in the health care sector.

A further example of the potential impact in this sector was demonstrated by the security researcher Scott Gayou’s recent finding that the MedFusion 4000 pump made by Smiths Medical has eight separate flaws. In particular, the device was vulnerable to well-known attacks and the technology and system controls did not adequately check who was connecting to the device or sanitise any commands it received. These flaws have the potential to be exploited to change the dosages of critical fluids being delivered to patients. Cyber vulnerabilities such as these must be identified to prevent another WannaCry cyber-attack, or more serious attacks which threaten personal injury or loss of life, and the Review aims to undertake such an analysis of data and systems security and data sharing in the health and social care system.

The Review follows on from previous reviews commissioned by the Department of Health. One review on data security and data sharing in the health and social care system led by the National Data Guardian for Health and Care (“NDG”) (see our previous article for further detail) and the other on current approaches to data security across the NHS led by the Care Quality Commission (“CQC”). These reviews focused on strengthening data security across the health and social care system and proposed a new model for data sharing. Following their publication in mid-2016 the Government undertook an extensive consultation and released its response in Summer 2017 in which it agreed with each of the NDG’s and CQC’s recommendations. The Government committed to:

• Protect information through system security standards. It has done this by endorsing the 10 new data security standards recommended in NDG’s report. These data security standards encourage secure handling of personal data, the operation of secure and up-to-data technology, controls and audit trails on access to “personal confidence data”, prompt response to data breaches or “near misses” and that IT suppliers are held accountable for protecting personal data they are tasked with processing, among other things. The Government also agreed to adopt the CQC’s recommendations on data security and to update the Information Governance Toolkit accordingly.
• Enable informed individual choice on opt-outs through implementing a new consent and opt-out model for data sharing in NHS England. However the opt-out does not extend to the use of patient’s information in anonymised form. The Department of Health has confirmed that new guidelines are in the process of being developed and will be implemented from March 2018 and become fully effective in 2020.
• Apply meaningful sanctions against criminal and reckless behaviour. It sees the application of the GDPR and the Data Protection Bill in May 2018 as providing appropriate sanctions for data breaches and reckless or deliberate misuse of information.
• Protect the public interest by ensuring legal best practice and oversight. It will do this by putting the National Data Guardian role and its functions on a statutory footing, through the Information Governance Alliance (“IGA”) publishing anonymisation guidance and by working to clarify the legal framework.

The Network and Information Security Directive will also apply from May 2018 and will reinforce the ten data security standards outlined above.

Click here for the Government’s full response “Your Data: Better Security, Better Choice, Better Care”.