Building a Culture of Respect for Data Security

Data breaches of sensitive patient information, whether highly publicised or not, can be a catalyst for change when viewed as an opportunity to learn how to be respectful of staff and patient data. Andy Fyffe, Regional Vice President EMEA at Imprivata FairWarning, discusses how the right type of technology can be non-intrusive, protect data and help to improve workplace culture.

Things go wrong from time to time and it’s how we deal with them that matters; data breaches are no exception. Whether innocent or deliberate, losing confidential patient information or allowing it to end up in the wrong hands is a risky and sometimes expensive business.

Lost data can be devastating for all concerned

Just earlier this year, an investigation was launched by police in Scotland after the medical records of more than 150 NHS staff members were inappropriately accessed by one of their own colleagues. Records which may have been accessed include the dates of appointments staff members attended as patients, waiting lists they were on, details of their medical conditions, and the date and location of any inpatient admissions and discharges.

The heavy financial penalties imposed on any organisation that lacks sufficient internal security processes and systems can be punitive. Who can forget the eye-watering €460,000 fine imposed on a hospital in Holland a few years ago? The breach was laid bare after it transpired that around 200 hospital staff had unauthorised access to the medical records of a Dutch celebrity, personal information that was subsequently leaked to the media. Closer to home, when NHS resources are stretched to the limit, data breaches eat heavily – and unnecessarily – into precious budgets.

Time to create a culture of privacy and trust

When the worst happens, forward-looking healthcare leaders embrace their mistakes and use them as a positive opportunity to re-think their information security processes. A key element is educating staff on their role when it comes to Information Governance and the confidentiality of electronic patient information. Effective leadership aims to build a culture of trust where staff learn how to be respectful of patient data and find empowering ways to secure it. This proactive approach protects the innocent, in particular staff who accessed patient data for all the right reasons and might otherwise be falsely accused.

Recently, Imprivata was privileged to work closely with Liverpool Women’s NHS Trust. The hospital delivers around 8,500 babies and performs 10,000 gynaecological procedures every year, and it is also a pioneering centre for fertility help and gynaecology oncology. As a leader in its field, patient confidentiality and privacy are top priorities. Liverpool Women’s NHS are a world-class case study in how to create a positive culture of data privacy that protects staff as well as patients.

The Trust is an established long-time user of the Imprivata FairWarning solution, our threat detection platform that provides alerts and reports on activity when records are accessed out of routine or required clinical practice. These reports may identify when a member of staff might be accessing their own record, or that of a colleague, family member or associate. Guidelines are also provided for line managers, CIOs and HR professionals to assess and validate access in an objective and constructive way when a potential data breach is flagged.

Since implementing the FairWarning system, Liverpool Women’s hospital has introduced a ‘zero tolerance policy’ to data privacy breaches, but it has equally seen a positive change in how data privacy and governance are considered and respected throughout the organisation. This is now evident in the hospital’s culture of trust and adoption of ethical working practices across clinical and administration teams. The credibility of the FairWarning system and reports has also helped with external requests and investigations on confidentiality breaches. Furthermore, clear audits and records of irregular data access help to protect staff from being wrongfully accused of malpractice.

3 key points for protecting sensitive patient records

Many data breaches would never come to light were it not for the benefits of modern IT security systems like FairWarning. These tools can enable healthcare organisations to focus on maximising the capabilities of the latest digital identity technology to promote a positive data security culture that keeps critical patient data secure and staff safe. Here are three key points to consider:

  1. Robust Digital Identity Framework – recent innovations are designed to address healthcare’s unique security, compliance and workflow challenges. Using one integrated solution, NHS organisations can manage every single identity across their complex ecosystem. The best solutions underpin a sound digital identity strategy, offering capabilities to support the most important categories of the planning process such as governance and administration, identity management, authorisation, authentication and access. Moreover, these categories align closely to key regulatory standards such as the NHS Data Security and Protection Toolkit (DSPT) and EU General Data Protection Regulation (GDPR).
  2. Streamline manual processes – automation replaces the cumbersome, slow and sometimes error-prone manual administration of conducting investigations into potential inappropriate data activity. An automated process-driven approach enables greater and more granular controls for adherence to security policies and regulatory guidelines while empowering clinicians to focus on delivering high-quality care.
    During the recent pandemic, many NHS organisations took advantage of Imprivata’s COVID-19 dashboard. At a glance, healthcare practitioners have all the insight they need to track their progress against specific privacy, security, and compliance measures, summarise the risks and safeguard patient data.
  3. Map to the NHS Data Security and Protection Toolkit – DSPT is an online self-assessment tool that allows healthcare organisations to measure and publish their performance against ten data security standards. Leaders are obligated to ensure their people understand how to handle information with respect and care; that processes are in place to proactively respond to incidents and prevent data security breaches; and that technology is secure and current. The ability to map against the NHS DSPT inspires all-round confidence, demonstrating an organisation’s commitment to achieving effective data security protocols while fostering best-practice and learning that are built on respect and trust.

For more information about how Liverpool Women’s NHS Trust transformed its data security culture to one of respect and trust, download the case study here.